Guest
I'm a little rusty with AD security...but was wondering if there are
resources out there or can anyone break down what the best practices are
regarding overall Domain security in terms of Administrators.
1. How many built-in administrator accounts are there? Is there just one
overall domain "Administrator" account who is part of the Domain
Administrator group for an AD Forest? Should you rename the ID and then
change the Administrator password and keep this in an encrypted DB or in an
envelope just in case the Admins leave the company?
2. Should you rename all Administrator accounts, enable logging on the
domain in case that password is changed and then make all the Sys Admins use
their own IDs as part of the Domain Admin group?
3. Are there many services on domain controllers that use "Administrator"
for system access? Would you have to change that password as well or does it
propagate automatically?
What's the best way to limit the abuse of a domain admin, make them
accountable, log their actions but still allow them to do their day-to-day
duties such as add/remove users, change permissions, reset passwords, etc.?
I'm looking for overall best practices to eliminate the use of that shared
Administrator ID (Or any domain Admin ID for that matter). We're looking to
prevent abuse of power but not interfere with job duties. We want to rename
this ID but then also at the same time we need to know the effects within the
enterprise on doing so. How many different types of dependencies are there on
this built-in ID?
Any help, assistance, comments or references to some good best practice
security articles on AD would be great. Thanks!