I don't ever provide DA/EA creds to anything but the most trusted
systems; I especially wouldn't use them on a box that has internet
access. That is what the other accounts are for.

That is also why I am a big believer in reducing attack surface with
RBAC delegations and span of control, e.g. workstation admins aren't
server admins.


From: Phil Garven [mailto:ph...@sunbeltsoftware.com] 
Sent: Thursday, May 27, 2010 2:06 PM
To: NT System Admin Issues
Subject: RE: What's your requirement to allow a user DA?

+1 on separate accounts for admins.

Log on with a user account (maybe a local admin) and use "run as" to run
your admin programs as your domain admin or equivalent account.

If you log on as a domain admin and get a virus (happens to the best of
us) then that virus is running as a domain admin and sending itself to
your Exchange server and remotely executing. "But no one uses the
internet on the Exchange server so we don't have AV on it."

Regards,


Phil Garven

Sunbelt Software

________________________________

From: Free, Bob [mailto:r...@pge.com] 
Sent: Thursday, May 27, 2010 4:43 PM
To: NT System Admin Issues
Subject: RE: What's your requirement to allow a user DA?

2-3 is max for any environment IMO. Everything else should be done with
delegations. They must be your most proficient admins, not any old new
hire.

Check out some of joe Richards' rants about it; he ran a multi-national
Global 5 firm with 3 EA/DA-level admins who were, as he put it, all
close enough to smack each other (+1 manager who had the keys in a
break-glass/locked-safe scenario).

Personally, I am a fan of 3 accounts per admin for those enterprise-level
admins: 1 uberadminID (DA/EA), 1 regular adminID with appropriate
delegations like all administrators should have, and the usual day-to-day
userID.


From: David Lum [mailto:david....@nwea.org] 
Sent: Thursday, May 27, 2010 11:39 AM
To: NT System Admin Issues
Subject: What's your requirement to allow a user DA?

What are you guys' prerequisites for someone having a Domain Admin
account? Assume a medium or large company and 4-5+ Systems Engineers.
Previously here they've just had every new SE hire be domain admin; I'm
thinking it's time to change that practice, but I'll need some ammo and a
plan before I have any hope of changing this.

My thinking is along the line of "need to know what's going on in this AD
structure" as well as being proficient in all things AD, etc.

Thoughts, comments? I'm thinking there should only be 2-3 DA accounts max
per domain.

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764
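An added example, not written by any of the posters above, of how an admin could check an environment against the "2-3 DA accounts max" ceiling discussed in this thread: a PowerShell audit of Domain Admins and Enterprise Admins membership using the RSAT ActiveDirectory module. The ceiling of 3, the group list and the "mail-enabled privileged account" heuristic (an account with a mailbox is probably also being used for day-to-day work, which is exactly the virus scenario Phil describes) are assumptions of this example.

```powershell
# Added example (not from the thread): report how many accounts sit in the
# highest-privilege AD groups and flag the ones that look like day-to-day identities.
# Assumes the RSAT ActiveDirectory module and a read-only delegated account.
Import-Module ActiveDirectory

function Test-PrivilegedGroupCeiling {
    param(
        [string[]] $GroupNames = @('Domain Admins', 'Enterprise Admins'),
        [int]      $MaxMembers = 3   # ceiling assumed from the thread's "2-3 max"
    )
    foreach ($group in $GroupNames) {
        # -Recursive expands nested groups so indirectly privileged users are counted too
        $members = Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                Get-ADUser -Identity $_.DistinguishedName -Properties Enabled, LastLogonDate, mail
            }
        $members = @($members)

        [pscustomobject]@{
            Group       = $group
            MemberCount = $members.Count
            OverCeiling = ($members.Count -gt $MaxMembers)
            # Heuristic: a privileged account with a mailbox is likely not a dedicated admin ID
            MailEnabled = @($members | Where-Object { $_.mail }).SamAccountName
            # Disabled members still count toward the ceiling; they are candidates for removal
            Disabled    = @($members | Where-Object { -not $_.Enabled }).SamAccountName
            Members     = $members.SamAccountName
        }
    }
}

# Usage: run from a domain-joined admin workstation; review any row with OverCeiling = True
Test-PrivilegedGroupCeiling | Format-List
```

Membership in the built-in Administrators group and in the Schema Admins group can be audited the same way by passing those names in -GroupNames.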
