+2 for separate Admin accounts. Using DA (Domain Admin) for daily tasks
is basically playing Russian roulette and the gun is pointed at your
face.

 

Least privilege to get the job done or accomplish the task and no more.
Sometimes it's politically infeasible in some organizations/businesses but
it's not technically infeasible in most situations.

 

As we all argued before in other threads, AV isn't going to catch
everything, if you combine with IPS/IDS at the workstation there will be
increased protection and increased troubleshooting pain when things
don't work, so balance accordingly. 

 

Also there are more 0-days out there that you don't know about that are
being used; they only come to light after there is a detectable spread
of the exploit and then it's labeled a 0-day.

 

Sincerely,

EZ

 

Edward Ziots

CISSP,MCSA,MCP+I,Security +,Network +,CCA

Network Engineer

Lifespan Organization

401-639-3505

ezi...@lifespan.org

 

From: Phil Garven [mailto:ph...@sunbeltsoftware.com] 
Sent: Friday, May 28, 2010 8:25 AM
To: NT System Admin Issues
Subject: RE: What's your requirement to allow a user DA?

 

IT people tend to do a lot of testing on their machines which often
involves disabling AV.

 

A few years ago I got infected through a zero day bug in Firefox, I
visited a well known blog and a cmd prompt flashed up and disappeared
very quickly but I knew what had happened. I was using Symantec at the
time and Symantec didn't detect the Trojan but it did detect and block
the other viruses that the Trojan tried to download.

So I was infected with one virus but not all the other viruses - if I
had been logged on as a domain admin then that one virus could have
infected other machines including servers and if they didn't have AV
they would have downloaded and run all the other viruses as well.

 

I've encountered quite a few environments where some old server in a
back room somewhere is infected and attacking the rest of the network
even though no-one ever logs on to it.

 

Regards,


Phil Garven

________________________________

From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: Thursday, May 27, 2010 5:38 PM
To: NT System Admin Issues
Subject: RE: What's your requirement to allow a user DA?

 

Not to nitpick, but I want to nitpick :)

 

RE: "But no one uses the internet on the exchange server so we don't
have AV on it"

 

How is this relevant? If the AV on the workstation the DA is logged into
didn't catch the virus, why would the same AV software on the Exchange
server catch it? Or, are you suggesting that different AV be installed
on various servers?

 

From: Phil Garven [mailto:ph...@sunbeltsoftware.com] 
Sent: Thursday, May 27, 2010 4:06 PM
To: NT System Admin Issues
Subject: RE: What's your requirement to allow a user DA?

 

+1 on separate accounts for admins

 

Log on with a user account (maybe a local admin) and use "run as" to run
your admin programs as your domain admin or equivalent account.

 

If you log on as a domain admin and get a virus (happens to the best of
us) then that virus is running as a domain admin and sending itself to
your exchange server and remotely executing. "But no one uses the
internet on the exchange server so we don't have AV on it"

 

Regards,


Phil Garven

Sunbelt Software

________________________________

From: Free, Bob [mailto:r...@pge.com] 
Sent: Thursday, May 27, 2010 4:43 PM
To: NT System Admin Issues
Subject: RE: What's your requirement to allow a user DA?

 

2-3 is max for any environment IMO. Everything else should be done with
delegations. They must be your most proficient admins, not any old new
hire.

 

Check out some of Joe Richards' rants about it, he ran a multi-national
Global 5 firm with 3 EA/DA level admins who were, as he put it, all
close enough to smack each other. (+ 1 manager who had the keys in a
break glass/locked safe scenario)

 

Personally, I am a fan of 3 accounts per admin for those enterprise
level admins: 1 uberadminID (DA/EA), 1 regular adminID with appropriate
delegations like all administrators should have, and the usual day-to-day
userID.

 

From: David Lum [mailto:david....@nwea.org] 
Sent: Thursday, May 27, 2010 11:39 AM
To: NT System Admin Issues
Subject: What's your requirement to allow a user DA?

 

What are you guys' prerequisites on someone having a Domain Admin
account - assume a medium or large company and 4-5+ Systems Engineers.
Previously here they've just had every new SE hire be domain admin, I'm
thinking it's time to change that practice but I'll need some ammo and a
plan before I have any hope of changing this.

 

My thinking is along the line of "need to know what's going on in this AD
structure" as well as being proficient in all things AD, etc.

 

Thoughts, comments? I'm thinking there should only be 2-3 DA accounts max
per domain.

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764
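
An added example, not part of the thread or written by any of its participants: a PowerShell check that scores Domain Admins membership against the guidance discussed above (2-3 DA accounts, separate admin and day-to-day IDs). The function name `Get-DAFinding`, the 90-day staleness threshold, the "mail-enabled means day-to-day account" heuristic and the sample accounts are all assumptions made for illustration.

```powershell
# Added example: audit Domain Admins membership against the thread's guidance.
# Thresholds and the mail-enabled heuristic are assumptions, not from the thread.
function Get-DAFinding {
    param(
        [Parameter(Mandatory)] [object[]] $Members,  # objects shaped like Get-ADUser output
        [int] $MaxAdmins = 3,                        # "2-3 DA accounts max" from the thread
        [int] $StaleDays = 90                        # assumption: unused for 90 days = stale
    )
    $now     = Get-Date
    $enabled = @($Members | Where-Object { $_.Enabled })
    foreach ($m in $Members) {
        $issues = @()
        if (-not $m.Enabled) { $issues += 'disabled account still in group' }
        if ($m.mail)         { $issues += 'mail-enabled (looks like a day-to-day account)' }
        if ($m.Enabled -and $m.LastLogonDate -and
            ($now - $m.LastLogonDate).TotalDays -gt $StaleDays) {
            $issues += "no logon in over $StaleDays days"
        }
        [pscustomobject]@{
            SamAccountName = $m.SamAccountName
            Issues         = $issues -join '; '
        }
    }
    if ($enabled.Count -gt $MaxAdmins) {
        [pscustomobject]@{
            SamAccountName = '(group)'
            Issues         = "$($enabled.Count) enabled members, target is $MaxAdmins or fewer"
        }
    }
}

# Constructed sample data so the function runs without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName='jdoe';       Enabled=$true;  mail='jdoe@example.test'; LastLogonDate=(Get-Date).AddDays(-1) }
    [pscustomobject]@{ SamAccountName='adm-asmith'; Enabled=$true;  mail=$null; LastLogonDate=(Get-Date).AddDays(-3) }
    [pscustomobject]@{ SamAccountName='adm-bjones'; Enabled=$true;  mail=$null; LastLogonDate=(Get-Date).AddDays(-7) }
    [pscustomobject]@{ SamAccountName='adm-old';    Enabled=$true;  mail=$null; LastLogonDate=(Get-Date).AddDays(-200) }
    [pscustomobject]@{ SamAccountName='adm-gone';   Enabled=$false; mail=$null; LastLogonDate=(Get-Date).AddDays(-400) }
)
Get-DAFinding -Members $sample | Format-Table -AutoSize -Wrap

# Against a live domain (requires the ActiveDirectory module):
# $live = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
#     Where-Object objectClass -eq 'user' |
#     Get-ADUser -Properties mail, LastLogonDate
# Get-DAFinding -Members $live
```

Accounts with an empty `Issues` column meet all three checks; the `(group)` row appears only when the enabled member count exceeds the target.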
