Re: Administrator password



Right on. If you are not used to following this policy, it will be difficult
to implement. However, it is imperative that you work toward using the LUA model:
http://www.microsoft.com/technet/security/secnews/articles/lpuseacc.mspx
Many worms and malware are unable to distribute their intended payload when
executed under an account with least privilege; therefore, implementing this
policy further hardens your systems against new threats that may not have a
patch / definition.
--
David Davis [MCSE, CCNA, Security +]



"Miha Pihler [MVP]" wrote:

> Hi,
>
> Personally I am not sure if it is great to have many domain admin accounts.
> I usually try to keep this number as low as possible (1-3 accounts) in
> environments that have around 300 people.
>
> In most cases domain administrator accounts should only be used by people
> who administer domain controllers.
> Almost all other tasks can be done with other privileges. E.g. you don't
> need to be domain administrator to do a backup. Backup Operator role is
> enough. You can also delegate other permissions such as adding computers to
> domain, creating users and groups etc... If you need to install something on
> the server you can (should?) use local administrator account whenever
> possible. Services that run under domain administrator account can be quite
> a security risk. It is very easy to "dump" a password of such service
> account in clear text (user would need to be local admin or have debug
> permissions).
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Mr. Backup" <backup@xxxxxxxxx> wrote in message
> news:O2LPuaXEGHA.3004@xxxxxxxxxxxxxxxxxxxxxxx
> > Well, the great part about Active Directory is that you can have many
> > domain admin accounts.
> > What you should do is just make sure you have another account in the
> > domain that is also a domain admin / enterprise admin.
> > Change the password you want to change, and then make sure that each
> > service installed under that account password is changed corresponding
> > with the newly set password. There is no big deal. I cannot count how
> > many times I have set up backups to run under my account, just to find them
> > fail when I changed my password.
> >
> >
> > "Patrick Lublin" <Patrick@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> > news:2FB0A304-3318-4892-AF21-4FF185B48CAA@xxxxxxxxxxxxxxxx
> >> Okay, so I'm one of those people who:
> >>
> >> 1) Have logged on to all of my servers with the administrator account;
> >> and,
> >> 2) Have services running on most of the servers that start with the
> >> administrator account.
> >>
> >> So, how do I go about changing the password without locking myself out?
> >>
> >> Thanks!
> >>
> >> "Ballyb" wrote:
> >>
> >>> Nice 1, thanks.
> >>>
> >>> "David Davis" wrote:
> >>>
> >>> > I would recommend logging in as the domain administrator, hitting
> >>> > Ctrl-Alt-Del and using the change password utility. Be sure that you are
> >>> > not logged on using this account on any other machine on the network.
> >>> > Also, make sure that you are not running any services using this
> >>> > account. (Not trying to insult your intelligence; I have several clients
> >>> > that, in the past, have assigned this account to a service.) If you are
> >>> > logged on elsewhere or have services running and you change the
> >>> > password, then you will end up locking the Domain Admin account.
> >>> > --
> >>> > David Davis, MCSE, CCNA, Security +
> >>> > Network Engineer
> >>> >
> >>> >
> >>> > "Ballyb" wrote:
> >>> >
> >>> > > Hi, We have been told we have to change our Domain Administrator
> >>> > > password.
> >>> > >
> >>> > > Is this as simple as going into A/D and resetting the password, or is
> >>> > > there more involved?
> >>> > >
> >>> > > Any advice would be grateful.
> >>> > >
> >>> > > Thx
> >
> >
>
>
>
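Added example (not part of the thread): one way to carry out the check that David Davis and Mr. Backup both describe, listing every service that logs on as the account before its password is changed. It assumes PowerShell with WinRM reachable on each server; the server names and the function names are placeholders made up for this sketch.

```powershell
# Added example, not from the thread. SRV-FILE01 and SRV-BACKUP01 are
# placeholder server names; replace them with your own.

function Get-ServiceLogonName {
    # Reduce 'DOMAIN\user', '.\user' or 'user@domain' to the bare user name.
    param([string]$StartName)
    if ([string]::IsNullOrWhiteSpace($StartName)) { return $null }
    if ($StartName -match '^[^\\]+\\(?<user>.+)$') { return $Matches.user }
    if ($StartName -match '^(?<user>[^@]+)@.+$')   { return $Matches.user }
    return $StartName
}

function Find-ServicesRunningAs {
    param(
        [Parameter(Mandatory)] [string]   $UserName,     # e.g. 'Administrator'
        [Parameter(Mandatory)] [string[]] $ComputerName
    )
    foreach ($computer in $ComputerName) {
        try {
            $services = Get-CimInstance -ClassName Win32_Service `
                -ComputerName $computer -ErrorAction Stop
        } catch {
            # Report an unreachable server instead of skipping it silently,
            # so it is not mistaken for "no services use this account".
            [pscustomobject]@{
                Computer = $computer; Service = $null; LogonAs = $null
                StartMode = $null; State = 'UNREACHABLE'
            }
            continue
        }
        # Matches both the local and the domain account of that name;
        # the LogonAs column shows which one each service uses.
        $services |
            Where-Object { (Get-ServiceLogonName $_.StartName) -ieq $UserName } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer = $computer; Service = $_.Name
                    LogonAs = $_.StartName; StartMode = $_.StartMode
                    State = $_.State
                }
            }
    }
}

$servers = 'SRV-FILE01', 'SRV-BACKUP01'
Find-ServicesRunningAs -UserName 'Administrator' -ComputerName $servers |
    Sort-Object Computer, Service |
    Format-Table -AutoSize
```

Each row is a service whose stored credential has to be updated, or moved to a dedicated lower-privileged account, when the password changes.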