Admin Accounts

From: Leo (get_at_bent.com)
Date: 09/15/04


Date: Tue, 14 Sep 2004 21:38:27 -0400

My Co. has banned the use of privileged accounts (admin or Domain admin
group membership) for day to day use within the IT group. This is, of
course, a good idea but hard for most to swallow. The main argument is that
if your not doing work that requires Admin Priv then don't use the account.
Rather, use the 'Run As' function when Admin rights are necessary.

The Argument is that in the event of a worm infiltration if an IT person
gets infected it will not spread under the admin account but just a 'normal'
user account.

Is anyone else using this or similar practices? How did you sell it to the
IT rank and file? Any thoughts or consideration are appreciated.

Leo



Relevant Pages

  • Re: Finding a Hacker
    ... compromising the loca or domain admin acocunts, or by elevation, ... to get local admin rights on the machine used by the domain admin, ... If the hacker did get in remotely using an administrator account on ... Your problem is not restricting remote desktop connections. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Incoming E-Mail - cant create contact in OU
    ... central admin pool different than the web app. ... that account a little (if the web app is compromised or something, ... So I started with giving the app pool account domain admins permissions then ...
    (microsoft.public.sharepoint.windowsservices)
  • RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins t
    ... Flaw in Microsoft Domain Account Caching Allows ... Local Workstation Admins to Temporarily Escalate Privileges and Login as ... Cached Domain Admin Accounts ... administrator" is a "bigger" administrator than the local administrator. ...
    (Bugtraq)
  • Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins t
    ... Flaw in Microsoft Domain Account Caching Allows ... Local Workstation Admins to Temporarily Escalate Privileges and Login as ... Cached Domain Admin Accounts ... administrator" is a "bigger" administrator than the local administrator. ...
    (Full-Disclosure)
  • Re: Need to filter domain admin from GPO
    ... It's best practice to use a 2nd administrator account as your regular user ... domain admin. ... Block inheritance (I would have to move the domain admin from Users ...
    (microsoft.public.windows.group_policy)