Sunday, November 6, 2011

The SANS Top 20 Week 8

This week we will be discussing controlled use of administrative privileges. This idea begins with a discussion of which accounts have administrative access. After a few weeks of reading these, I would expect most people to already be saying, "How can I know what I'm limiting if I don't know what I have?" That, of course, is a great question.

When it comes to PCs, I recommend using Group Policy. You can set Restricted Groups, which makes sure that no matter what, when a PC is rebooted only the listed groups have admin access. This means that if an admin gave a user rights and then forgot, those rights would be gone when the PC rebooted. Another recommendation I have is checking who in Active Directory is part of the admin users group. This can be accomplished with a PowerShell script or even a manual glance at the group.

Additionally, you can do some research. Spend time finding out when the admin password for each system was last changed. I recommend documenting this in a spreadsheet or something similar. If you need to change an admin password, go ahead and do it. After that, find out which processes (backups, websites, services, etc.) depend on admin passwords. Once you know this, you can begin making sure those processes use service accounts instead. The big picture here is making sure that admin accounts are used by administrators only, used only when needed, and are relatively secure. In my experience, the issue with changing admin passwords is the unpredictable things that break in a network when you do so. Documentation and planning are truly the keys to this week's topic.
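As an added example (not from the original post), here is a PowerShell audit script that does the two checks described above in one pass: it lists who is in the privileged Active Directory groups and records when each member's password was last set, then writes the result to a CSV so it can go straight into the spreadsheet the post recommends. It uses the ActiveDirectory module's Get-ADGroupMember and Get-ADUser cmdlets; the group list, the 90-day threshold and the output path are assumptions to adjust for your domain.

```powershell
# Added example: audit membership of privileged AD groups and admin password age.
# Assumes the ActiveDirectory module (RSAT) is installed and the caller can read AD.
Import-Module ActiveDirectory

# Assumed group list; adjust to the groups that actually hold admin rights in your domain.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
# Assumed threshold: flag admin passwords older than this many days.
$MaxPasswordAgeDays = 90
# Assumed output path for the spreadsheet.
$ReportPath = Join-Path $env:USERPROFILE 'admin-account-audit.csv'

$report = foreach ($group in $PrivilegedGroups) {
    # -Recursive expands nested groups so indirect members are not missed.
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
    foreach ($member in $members) {
        if ($member.objectClass -ne 'user') {
            # A computer or other principal holding admin rights: report it, skip password fields.
            [pscustomobject]@{
                Group           = $group
                SamAccountName  = $member.SamAccountName
                ObjectClass     = $member.objectClass
                Enabled         = $null
                PasswordLastSet = $null
                PasswordAgeDays = $null
                LastLogonDate   = $null
                Flag            = 'Non-user principal with admin rights'
            }
            continue
        }

        # Enabled comes back by default; the other attributes must be requested explicitly.
        $user = Get-ADUser -Identity $member.distinguishedName `
                           -Properties PasswordLastSet, LastLogonDate, PasswordNeverExpires
        $ageDays = if ($user.PasswordLastSet) {
            [int]((Get-Date) - $user.PasswordLastSet).TotalDays
        } else { $null }

        # Collect the conditions an administrator would want to follow up on.
        $flags = @()
        if (-not $user.Enabled)                   { $flags += 'Disabled account still in admin group' }
        if ($null -eq $ageDays)                   { $flags += 'Password never set or must change at next logon' }
        elseif ($ageDays -gt $MaxPasswordAgeDays) { $flags += "Password older than $MaxPasswordAgeDays days" }
        if ($user.PasswordNeverExpires)           { $flags += 'PasswordNeverExpires is set' }

        [pscustomobject]@{
            Group           = $group
            SamAccountName  = $user.SamAccountName
            ObjectClass     = 'user'
            Enabled         = $user.Enabled
            PasswordLastSet = $user.PasswordLastSet
            PasswordAgeDays = $ageDays
            LastLogonDate   = $user.LastLogonDate
            Flag            = ($flags -join '; ')
        }
    }
}

# Full inventory to CSV (the spreadsheet), plus the flagged rows on screen.
$report | Sort-Object Group, SamAccountName |
    Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
$report | Where-Object { $_.Flag } |
    Format-Table Group, SamAccountName, PasswordAgeDays, Flag -AutoSize
Write-Host "Wrote $(@($report).Count) rows to $ReportPath"
```

Run it from a workstation with RSAT under an account that can read the domain; the CSV is the baseline to compare against on the next run, so any new name in a privileged group stands out. The same idea applies to a single PC's local Administrators group, which Restricted Groups keeps in line between reboots.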
