RE: [ActiveDir] Some thoughts on securing sensitive accounts....

2005-02-25 Thread joe



Generally you shouldn't need a "schema admin" account. During your normal running state, there should be no reason to have anyone in that group. You definitely don't want to have some generic ID with that access, as I don't believe in managing the directory like that from generic "function based" accounts. There are two times you need the Schema Admins access: updating the schema, which should be a very controlled event, and moving the schema FSMO role. Since that role isn't really needed EXCEPT during schema updates, you don't really need to move it around all that much, except maybe when doing a schema update.

On the enterprise admin account, again ditto. There should be one ID that is probably in Ent Admins by default (it doesn't even need to be in that group, but it may save a little extra work if you have to use it for recovery): that is the built-in root domain Admin ID. That ID should not be used, its password should be set to some obscenely long password, at least greater than 14 characters, and put in an envelope, and anyone who has it memorized should be shot. There should be no requirement to use that ID. Then you have your actual Enterprise Admins, and that should be a small group, maybe 2-5 people depending on your size (I worked on a team of 3 people and a supervisor for a 250,000 user deployment). Using smart cards for those admins isn't a bad idea. Those admins were also the only domain admins or people with permissions to write to DCs, due to the logical security implications surrounding DCs.

 joe




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, February 25, 2005 1:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Some thoughts on securing sensitive accounts

Hi folks,

I was thinking the other day of the best way to secure schema and enterprise admin accounts. What would you do if you had "carte blanche" to secure sensitive accounts in an enterprise directory?

First things that came to mind were using mandatory smart cards for SA and EA accounts, kept in a safe where only designated employees knew the PINs. Any other thoughts?

Thanks!
Francis Ouellet
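The membership and break-glass-account checks joe describes above are easy to put on a schedule. The script below is an added example, not code from the thread or from any poster; it assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later, so nothing that existed in 2005) and read access to the forest root domain. The 2-5 member ceiling is joe's number, not a Microsoft one, and the "greater than 14 characters" rule he gives has a concrete reason: a password longer than 14 characters cannot be stored as an LM hash.

```powershell
# Added example (not from the thread). Audit the forest-level privileged groups
# and the root-domain built-in Administrator the way joe's message describes.
# Assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2
# or later, so not available in 2005) and read access to the forest root domain.
Import-Module ActiveDirectory

$forest = Get-ADForest
$root   = Get-ADDomain -Identity $forest.RootDomain
$rootDC = $root.PDCEmulator

# Schema Admins and Enterprise Admins exist only in the forest root domain,
# so query a root DC explicitly rather than whichever domain we logged on to.
$report = foreach ($groupName in 'Schema Admins', 'Enterprise Admins') {
    $members = @(Get-ADGroupMember -Identity $groupName -Server $rootDC -Recursive)
    [pscustomobject]@{
        Group       = $groupName
        MemberCount = $members.Count
        Members     = ($members | ForEach-Object SamAccountName) -join ', '
    }
}
$report | Format-Table -AutoSize

# Policy from the thread: Schema Admins empty outside a schema change,
# Enterprise Admins a handful of named people (the 2-5 figure is joe's).
$sa = $report | Where-Object Group -eq 'Schema Admins'
if ($sa.MemberCount -gt 0) {
    Write-Warning "Schema Admins is not empty: $($sa.Members)"
}
$ea = $report | Where-Object Group -eq 'Enterprise Admins'
if ($ea.MemberCount -gt 5) {
    Write-Warning "Enterprise Admins has $($ea.MemberCount) members; expected a handful of named IDs"
}

# The built-in Administrator of the root domain is always RID 500, whatever it
# has been renamed to, so look it up by SID rather than by name.
$builtinAdmin = Get-ADUser -Identity "$($root.DomainSID.Value)-500" -Server $rootDC `
    -Properties LastLogonDate, PasswordLastSet
$builtinAdmin | Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet

# The envelope account should not be logging on at all. LastLogonDate comes from
# lastLogonTimestamp, which replicates with a lag of up to 14 days, so treat a
# hit here as a prompt to check 4624 logon events on the DCs, not as proof.
if ($builtinAdmin.LastLogonDate -and $builtinAdmin.LastLogonDate -gt (Get-Date).AddDays(-90)) {
    Write-Warning "Built-in Administrator logged on at $($builtinAdmin.LastLogonDate)"
}

# Where the schema master FSMO sits; it only matters during a schema update.
"Schema master: $($forest.SchemaMaster)"
```

Run it from a workstation that is not itself a DC, under an ordinary read-only account; none of these queries need admin rights. The Schema Admins check is the one worth alerting on, since the group should be empty except during a planned schema change.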


RE: [ActiveDir] Some thoughts on securing sensitive accounts....

2005-02-25 Thread Francis Ouellet



"Then you have your actual 
Enterprise Admins and that should be a small group, maybe 2-5 people depending 
on your size (I worked on a team of 3 people and supervisor for a 250,000 user 
deployment)."

So I'm assuming that you have more than 1 Enterprise Admin in your root domain? Isn't that against all the white papers out there stating that you shouldn't have more than one ent. admin in your forest, and all other admins should be domain admins in their own respective domain? Or did you use enterprise admin as a generic term?

Thanks,
Francis








RE: [ActiveDir] Some thoughts on securing sensitive accounts....

2005-02-25 Thread Renouf, Phil
What do you do when you have an AD support group that needs access to
Enterprise Admin privs if you only have one Enterprise Admin? I know I
wouldn't want to be the only guy with those privs in the middle of the
night on a weekend when I'm not on call ;)

Phil 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Some thoughts on securing sensitive accounts....

2005-02-25 Thread Francis Ouellet
How about a generic ent. admin account? One with an obscure name and 10 foot 
password? Only selected support/admin people have the password?

Just thinking out loud here. ;-) 



RE: [ActiveDir] Some thoughts on securing sensitive accounts....

2005-02-25 Thread Gil Kirkpatrick
I wouldn't give those rights to a group... Just one or two people in the
group, and only after proper vetting. Vetting would include the usual
background checks and good corporate citizen-type evaluations, as well
as AD technical knowledge.

Would you want them fixing an AD disaster in the middle of the night
while you're asleep? Will they do the right thing, even when you're not
looking? It really comes down to a matter of trust.

-gil



RE: [ActiveDir] Some thoughts on securing sensitive accounts....

2005-02-25 Thread Coleman, Hunter



Some of that is semantics. If you have only one Enterprise admin account, and only one person who knows the credentials for that account, then there are some large organizational risks if something happens to that one person.

If you have only one Enterprise admin account, but you have 2 or 3 or 5 people who know the credentials on that account, then you have multiple Enterprise admins. Worse, everything that happens is within the security context of that one account, so you really can't have an audit trail, since any one of the 2/3/5 people could have been the one logged in.

You also have to consider that the forest is the security 
boundary, and that any of your domain admins can potentially elevate their 
permissions to own the forest. Not that it's easy, but it's not impossible 
either.

Hunter




RE: [ActiveDir] Some thoughts on securing sensitive accounts....

2005-02-25 Thread joe



Absolutely, and in fact, the only Ent Admin IDs were in the 
root domain. I didn't add IDs from other domains. In all other domains the 
Enterprise Admins had only Domain Admin rights.

The ent admins are the same people with dom admins in all 
of the domains. That is right, the same 3 Analysts and one supervisor are the 
only ones holding DA and EA rights and in fact any rights to make direct changes 
on the DCs. There was AD delegation but it was limited to what local admins 
needed to do and even if they rebooted a DC without being told to they got 
chewed out.

Basically the IDs were laid out like so (this isn't all of 
it but the main part)

5 regional account domains (2xna, sa, ap, and eu) and an 
empty root (company.org). The admins were all located in one of the NA 
regional domains. Their normal userid was kept in that domain. In every domain 
they had a domain admin ID. The root domain ID also had enterprise admin rights. 
The NA domain admins group was placed in the admins group of every account 
domain so that most of the daily work that required admin rights (read that as 
changes) were done from their NA admin ID. Most of their troubleshooting was 
done from their normal NA user ID. The root IDs were only used when they needed 
to make enterprise level changes such as sites/subnets, etc. 


I don't care what white paper says that it is safe to have different domain admins with rights only in their own domain when they are all in the same forest; they are wrong. Lucent put out a paper like that a long time ago and we beat the crap out of them over it.

 joe




RE: [ActiveDir] Some thoughts on securing sensitive accounts....

2005-02-25 Thread Creamer, Mark
We built a fairly simple break the glass application that adds a person to the necessary group, logs the action, emails the security team, etc. Only members of a certain group can be elevated that way. Then all we do is log off, back on, and do the work. The membership expires in a couple of hours automatically.

mc

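Mark's break-the-glass application is not shown on the page; the following is an added example of the same idea, not his code or anyone else's from the thread. Where his tool presumably expired the membership with its own scheduler, this sketch swaps in the time-to-live group membership that Active Directory gained with the Privileged Access Management optional feature (forest functional level 2016), so the expiry is enforced by the directory itself. It assumes the ActiveDirectory PowerShell module, and the gating group name, mailbox and SMTP host are hypothetical.

```powershell
# Added example (not Mark's application). Minimal break-glass elevation: add a
# named per-person admin ID to Enterprise Admins for two hours, log it, mail the
# security team. Assumes the ActiveDirectory module and the Privileged Access
# Management optional feature (forest functional level 2016) so that
# -MemberTimeToLive is honoured. 'EA-Eligible', the addresses and the SMTP
# host are hypothetical placeholders.
Import-Module ActiveDirectory

function Invoke-BreakGlass {
    param(
        [Parameter(Mandatory)] [string] $AdminAccount,              # e.g. jsmith-root, a personal root-domain ID
        [string]   $TargetGroup   = 'Enterprise Admins',
        [string]   $EligibleGroup = 'EA-Eligible',                   # hypothetical gating group
        [TimeSpan] $Ttl           = (New-TimeSpan -Hours 2),
        [string]   $SecurityMail  = 'secops@example.com',            # hypothetical
        [string]   $SmtpServer    = 'smtp.example.com'               # hypothetical
    )
    $forest = Get-ADForest
    $rootDC = (Get-ADDomain -Identity $forest.RootDomain).PDCEmulator

    # Only pre-approved, individually named IDs may be elevated. The gate is an
    # ordinary AD group, so changes to it are themselves auditable.
    $eligible = Get-ADGroupMember -Identity $EligibleGroup -Server $rootDC -Recursive |
        Select-Object -ExpandProperty SamAccountName
    if ($AdminAccount -notin $eligible) {
        throw "$AdminAccount is not in $EligibleGroup; refusing to elevate"
    }

    # Without the PAM feature the TTL is silently ignored and the membership
    # would be permanent, which is exactly the failure a break-glass tool must not have.
    $pam = Get-ADOptionalFeature -Filter 'Name -eq "Privileged Access Management Feature"' -Server $rootDC
    if (-not $pam.EnabledScopes) {
        throw 'Privileged Access Management Feature is not enabled; membership would not expire'
    }

    Add-ADGroupMember -Identity $TargetGroup -Members $AdminAccount -Server $rootDC -MemberTimeToLive $Ttl

    $requester = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $msg = "$requester elevated $AdminAccount into $TargetGroup for $($Ttl.TotalMinutes) minutes"

    # Local audit record. Registering the event source is a one-time admin step.
    if (-not [System.Diagnostics.EventLog]::SourceExists('BreakGlass')) {
        New-EventLog -LogName Application -Source 'BreakGlass'
    }
    Write-EventLog -LogName Application -Source 'BreakGlass' -EventId 1000 -EntryType Warning -Message $msg

    Send-MailMessage -To $SecurityMail -From 'breakglass@example.com' -Subject 'Break-glass elevation' `
        -Body $msg -SmtpServer $SmtpServer

    # Show the operator the expiring entries; TTL members are returned as <TTL=seconds,DN>.
    (Get-ADGroup -Identity $TargetGroup -Server $rootDC -Properties member -ShowMemberTimeToLive).member |
        Where-Object { $_ -like '<TTL=*' }
}

# Example call:
# Invoke-BreakGlass -AdminAccount 'jsmith-root'
```

Group membership is stamped into the logon token, which is why Mark logs off and back on after elevating; with a TTL membership the Kerberos ticket lifetime is also capped at the remaining TTL, so the access really does lapse without anyone having to remember to remove it. The DC side of the same event (who added whom to the group) still lands in the Security log as a group-management event, so the emailed notice is a convenience, not the audit trail.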


RE: [ActiveDir] Some thoughts on securing sensitive accounts....

2005-02-25 Thread joe
Absolutely not. If you have multiple people that know the password to an
admin account every single person has an out as to who screwed what up. You
have no security when you do that. Plus, every additional person who knows a
password on an account increases the chance of even more people learning it.
If a password is specific to a single user they are much more guarded on
letting others get it because for all intents and purposes... It is them. 

   joe 



RE: [ActiveDir] Some thoughts on securing sensitive accounts....

2005-02-25 Thread Renouf, Phil
Totally agree, but in very large environments that group of trusted
admins is going to have to be more than just one guy. I think 2 or 3
guys (depending on the size of the environment) is a pretty reasonable
number provided that they are admins you can trust with that level of
access.

And to answer Francis' next comment, I would never create a generic
account with EA privs. I want to be able to track who did what if I have
to comb through the logs after something happened and when you have a
generic account how do you know for sure that Bob Smith was the one that
logged in if 3 or 4 people all have access to the same
username/password? If you are going to have more than one person with
that level of access then create an ID for each of them (separate from
their general AD login).

Phil

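Phil's point about combing the logs only works if each admin uses an individual ID, because the DC records the subject of a group change, and with a shared account that subject is the shared name. The script below is an added example, not from the thread, of reading those records back. Enterprise Admins and Schema Admins are universal groups in the forest root, so their changes are events 4756 (member added) and 4757 (member removed); Domain Admins is a global group and produces 4728/4729. It requires the "Audit Security Group Management" subcategory to be enabled on the DCs. The parser is run against a constructed event record so the block works offline; the live function needs a DC name.

```powershell
# Added example (not from the thread). Reconstruct who added or removed whom in
# the forest-level admin groups from a DC's Security log, which is the audit
# trail Phil wants and which a shared generic account would blur. Enterprise
# Admins and Schema Admins are universal groups in the root domain, so their
# changes are 4756 (member added) and 4757 (member removed); Domain Admins is a
# global group, covered by 4728/4729. Requires "Audit Security Group Management"
# on the DCs. The parser is exercised against a constructed event record.

function Get-EventText($node) {
    # PowerShell's XML adapter returns a plain string for leaf elements without
    # attributes and an XmlElement otherwise; normalise both to text.
    if ($node -is [System.Xml.XmlNode]) { $node.InnerText } else { [string]$node }
}

function ConvertFrom-GroupChangeEvent {
    param([Parameter(Mandatory, ValueFromPipeline)] [xml] $EventXml)
    process {
        $e = $EventXml.Event
        $d = @{}
        foreach ($item in $e.EventData.Data) { $d[$item.Name] = Get-EventText $item }
        $id = [int](Get-EventText $e.System.EventID)
        $action = switch ($id) {
            4756 { 'added to' }
            4728 { 'added to' }
            4757 { 'removed from' }
            4729 { 'removed from' }
            default { 'changed in' }
        }
        [pscustomobject]@{
            Time    = [datetime]$e.System.TimeCreated.SystemTime
            Actor   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"   # the individual ID that made the change
            Action  = $action
            Group   = $d.TargetUserName
            Member  = $d.MemberName                                      # DN of the account added/removed
            EventId = $id
            DC      = Get-EventText $e.System.Computer
        }
    }
}

function Get-PrivilegedGroupChange {
    # Live query: pull the last N days of group-management events from one DC.
    # Every DC keeps its own Security log, so run this against each DC (or a
    # collector), not only the PDC emulator.
    param([Parameter(Mandatory)] [string] $DomainController, [int] $Days = 30)
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4728, 4729, 4756, 4757
        StartTime = (Get-Date).AddDays(-$Days)
    } | ForEach-Object { [xml]$_.ToXml() } | ConvertFrom-GroupChangeEvent |
        Where-Object { $_.Group -in @('Enterprise Admins', 'Schema Admins', 'Domain Admins') }
}

# Constructed sample record (not a real capture) in the shape EventLogRecord.ToXml() returns.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4756</EventID>
    <TimeCreated SystemTime="2005-02-25T20:14:33.000Z"/>
    <Computer>rootdc01.company.org</Computer>
  </System>
  <EventData>
    <Data Name="MemberName">CN=jsmith-root,OU=Admins,DC=company,DC=org</Data>
    <Data Name="MemberSid">S-1-5-21-1-2-3-1105</Data>
    <Data Name="TargetUserName">Enterprise Admins</Data>
    <Data Name="TargetDomainName">COMPANY</Data>
    <Data Name="TargetSid">S-1-5-21-1-2-3-519</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1-2-3-1104</Data>
    <Data Name="SubjectUserName">jdoe-root</Data>
    <Data Name="SubjectDomainName">COMPANY</Data>
    <Data Name="SubjectLogonId">0x5a3c1</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>
'@
([xml]$sample) | ConvertFrom-GroupChangeEvent | Format-Table -AutoSize
```

On the sample record the Actor column reads COMPANY\jdoe-root and the Member column names jsmith-root's DN: two distinct people, which is exactly what a shared "ent. admin" account would collapse into one name. The SubjectLogonId field ties the change to a specific logon session, so it can be correlated with the 4624 logon event to find the source workstation.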


RE: [ActiveDir] Some thoughts on securing sensitive accounts....

2005-02-25 Thread Gilbert, Daniel L Mr ANOSC/FCBS
Who are you calling a good corporate citizen?

We only have three (3) people with EA rights for an Enterprise with over
300,000 user accounts and 200 plus DCs.

Schema Admins is empty.  Have to make a concentrated effort to populate that
group.  Saves us from Schema SNAFUs.

So far (3 years) this plan has worked for us.

Dan



RE: [ActiveDir] Some thoughts on securing sensitive accounts....

2005-02-25 Thread Francis Ouellet
Yeah, didn't think about this one when I asked the question... Would be a PITA 
to find the person who screwed up or tried to screw us up :)

Thanks for the answer!

Francis 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: 25 février 2005 15:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts

Totally agree, but in very large environments that group of trusted admins is 
going to have to be more than just one guy. I think 2 or 3 guys (depending on 
the size of the environment) is a pretty reasonable number provided that they 
are admins you can trust with that level of access.

And to answer Francis' next comment, I would never create a generic account 
with EA privs. I want to be able to track who did what if I have to comb 
through the logs after something happened and when you have a generic account 
how do you know for sure that Bob Smith was the one that logged in if 3 or 4 
people all have access to the same username/password? If you are going to have 
more than one person with that level of access then create an ID for each of 
them (separate from their general AD login).

Phil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Friday, February 25, 2005 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts

I wouldn't give those rights to a group... Just one or two people in the group, 
and only after proper vetting. Vetting would include the usual background 
checks and good corporate citizen-type evaluations, as well as AD technical 
knowledge.

Would you want them fixing an AD disaster in the middle of the night while 
you're asleep? Will they do the right thing, even when you're not looking? It 
really comes down to a matter of trust.

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Friday, February 25, 2005 1:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts

What do you do when you have an AD support group that needs access to Enterprise 
Admin privs if you only have one Enterprise Admin? I know I wouldn't want to be 
the only guy with those privs in the middle of the night on a weekend when I'm 
not on call ;)

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, February 25, 2005 3:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts

  Then you have your actual Enterprise Admins and that should be a small 
group, maybe 2-5 people depending on your size (I worked on a team of 3 people 
and supervisor for a 250,000 user deployment). 
 
So I'm assuming that you have more than 1 Enterprise admin in your root domain? 
Isn't that against all the white papers out there stating that you shouldn't 
have more than one ent. admin. in your forest and all other admins should be 
domain admins in their own respective domain? Or did you use enterprise admin 
as a generic term?
 
Thanks,
Francis

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, February 25, 2005 1:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Some thoughts on securing sensitive accounts


Hi folks,
 
I was thinking the other day of the best way to secure schema and enterprise 
admin accounts. What would you do if you had carte blanche
to secure sensitive accounts in an enterprise directory?
 
First things that came to mind were using mandatory smart cards for SA and EA 
accounts kept in a safe where only designated employees knew the pins... Any 
other thoughts?
 
Thanks!
Francis Ouellet 


RE: [ActiveDir] Some thoughts on securing sensitive accounts....

2005-02-25 Thread Francis Ouellet
Whoa, that's a big, big, big deployment! Thanks for taking the time to answer 
the question. So far the last 4 years of AD experience hasn't taught me as much 
as subscribing to this list a year ago has. I truly appreciate getting the 
point of view from some fine folks who have experience in HUGE environments. 

Unfortunately, the biggest environment I ever had my hands on was a 300 user one 
with roughly 3 forests and a few sites here and there.

Once again, thanks to you joe, Phil, Daniel, Hunter, Mark and Gil (hope I 
didn't forget anyone! <g>) for taking the time to discuss this.

Truly appreciated!

Francis 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gilbert, Daniel L Mr ANOSC/FCBS
Sent: 25 February 2005 15:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts

Who are you calling good corporate citizen?

We only have three (3) people with EA rights for an Enterprise with over 
300,000 user accounts and 200 plus DCs.

Schema Admins is empty.  Have to make a concentrated effort to populate that 
group.  Saves us from Schema SNAFUs.

So far (3 years) this plan has worked for us.

Dan

-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Friday, February 25, 2005 1:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts

I wouldn't give those rights to a group... Just one or two people in the group, 
and only after proper vetting. Vetting would include the usual background 
checks and good corporate citizen-type evaluations, as well as AD technical 
knowledge.

Would you want them fixing an AD disaster in the middle of the night while 
you're asleep? Will they do the right thing, even when you're not looking? It 
really comes down to a matter of trust.

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Friday, February 25, 2005 1:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts

What do you do when you have an AD support group that needs access to Enterprise 
Admin privs if you only have one Enterprise Admin? I know I wouldn't want to be 
the only guy with those privs in the middle of the night on a weekend when I'm 
not on call ;)

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, February 25, 2005 3:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts

  Then you have your actual Enterprise Admins and that should be a small 
group, maybe 2-5 people depending on your size (I worked on a team of 3 people 
and supervisor for a 250,000 user deployment). 
 
So I'm assuming that you have more than 1 Enterprise admin in your root domain? 
Isn't that against all the white papers out there stating that you shouldn't 
have more than one ent. admin. in your forest and all other admins should be 
domain admins in their own respective domain? Or did you use enterprise admin 
as a generic term?
 
Thanks,
Francis

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, February 25, 2005 1:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Some thoughts on securing sensitive accounts


Hi folks,
 
I was thinking the other day of the best way to secure schema and enterprise 
admin accounts. What would you do if you had carte blanche
to secure sensitive accounts in an enterprise directory?
 
First things that came to mind were using mandatory smart cards for SA and EA 
accounts kept in a safe where only designated employees knew the pins... Any 
other thoughts?
 
Thanks!
Francis Ouellet 


RE: [ActiveDir] Some thoughts on securing sensitive accounts....

2005-02-25 Thread joe
Exactly the layout we had except we had to give a supervisor EA rights as
well so there was a total of 4 people with rights with 250k users and about
400 DCs. He was really good about not changing things though. I have a great
story where one time he actually did add something and within a few hours I
stumbled upon it and yelled out across the office (he was about 3 cubes
over, we were all within that space for one easy grenade shot) something
like "Vern, did you create such and such an object at such and such a point
in the AD?" Response back was something like "umm yeah, what did I do
wrong?"

Generally the smaller the company, I think the less need for Enterprise
Admins in a daily or even weekly capacity. You get down to really small
companies say 1000 people or less and how much core AD infrastructure
changes that require ent admins are there and so maybe there is more and
more reason to lock up the Ent Admin ID entirely. The larger companies tend
to constantly be folding up locations or adding new locations so the overall
AD Infrastructure is always in a state of flux. These changes can be
delegated off, but the question comes down to... Do you really want to?
Changes in this area can have dramatic impact on your replication. I liked
the fact that every site and subnet that needed to be created came through
our group so we could review it to make sure it made sense. There were often
times when someone wanted to define 50-60 subnets for a site when a couple
of subnets would actually do, simply because they didn't understand that the
masking of the clients didn't have to be followed in AD. 

  joe 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gilbert, Daniel L
Mr ANOSC/FCBS
Sent: Friday, February 25, 2005 3:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts

Who are you calling good corporate citizen?

We only have three (3) people with EA rights for an Enterprise with over
300,000 user accounts and 200 plus DCs.

Schema Admins is empty.  Have to make a concentrated effort to populate that
group.  Saves us from Schema SNAFUs.

So far (3 years) this plan has worked for us.

Dan

-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Friday, February 25, 2005 1:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts

I wouldn't give those rights to a group... Just one or two people in the
group, and only after proper vetting. Vetting would include the usual
background checks and good corporate citizen-type evaluations, as well as
AD technical knowledge.

Would you want them fixing an AD disaster in the middle of the night while
you're asleep? Will they do the right thing, even when you're not looking?
It really comes down to a matter of trust.

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Friday, February 25, 2005 1:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts

What do you do when you have an AD support group that needs access to
Enterprise Admin privs if you only have one Enterprise Admin? I know I
wouldn't want to be the only guy with those privs in the middle of the night
on a weekend when I'm not on call ;)

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, February 25, 2005 3:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts

  Then you have your actual Enterprise Admins and that should be a small
group, maybe 2-5 people depending on your size (I worked on a team of 3
people and supervisor for a 250,000 user deployment). 
 
So I'm assuming that you have more than 1 Enterprise admin in your root
domain? Isn't that against all the white papers out there stating that you
shouldn't have more than one ent. admin. in your forest and all other admins
should be domain admins in their own respective domain? Or did you use
enterprise admin as a generic term?
 
Thanks,
Francis

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, February 25, 2005 1:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Some thoughts on securing sensitive accounts


Hi folks,
 
I was thinking the other day of the best way to secure schema and
enterprise admin accounts. What would you do if you had carte blanche
to secure sensitive accounts in an enterprise directory?
 
First things that came to mind were using mandatory smart cards for SA and
EA accounts kept in a safe where only designated employees knew the
pins... Any other thoughts?
 
Thanks!
Francis Ouellet 
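An added audit check, not code from any poster in this thread, that turns two of the practices quoted above into something you can run on a schedule: Dan's "Schema Admins is empty" rule and Phil's "create an ID for each of them" rule (no generic account, no nested group, so the logs map one human to one ID). It assumes the RSAT ActiveDirectory PowerShell module and read access to the forest root domain's groups; the approved admin names and the function name are constructed placeholders.

```powershell
# Added audit example (not from the thread). Assumes the RSAT ActiveDirectory
# module is installed and the caller can read the forest root domain's groups.
# Enterprise Admins and Schema Admins exist only in the root domain, so every
# query is pointed at it explicitly.
Import-Module ActiveDirectory

function Test-ForestAdminGroups {
    param(
        # Individual, named admin IDs allowed in Enterprise Admins
        # (constructed sample values; replace with your own vetted list).
        [string[]] $ApprovedEnterpriseAdmins = @('ea-alice', 'ea-bob', 'ea-carol'),

        # Pass this only during a controlled schema update window, when
        # Schema Admins is deliberately populated.
        [switch] $SchemaChangeWindowOpen
    )

    $rootDomain = (Get-ADForest).RootDomain
    $findings   = New-Object System.Collections.Generic.List[object]

    function Add-Finding($group, $member, $reason) {
        $findings.Add([pscustomobject]@{ Group = $group; Member = $member; Finding = $reason })
    }

    # 1. Schema Admins should be empty except during a schema update.
    $schemaMembers = @(Get-ADGroupMember -Identity 'Schema Admins' -Server $rootDomain -Recursive)
    if ($schemaMembers.Count -gt 0 -and -not $SchemaChangeWindowOpen) {
        foreach ($m in $schemaMembers) {
            Add-Finding 'Schema Admins' $m.SamAccountName 'Populated outside a schema change window'
        }
    }

    # 2. Enterprise Admins: direct membership only (a nested group hides who
    #    really holds the right), and only the approved individual IDs.
    $eaDirect = @(Get-ADGroupMember -Identity 'Enterprise Admins' -Server $rootDomain)
    foreach ($m in $eaDirect) {
        if ($m.objectClass -eq 'group') {
            Add-Finding 'Enterprise Admins' $m.SamAccountName 'Nested group grants EA indirectly'
        }
    }
    # -Recursive returns the leaf principals, i.e. the effective membership.
    $eaEffective = @(Get-ADGroupMember -Identity 'Enterprise Admins' -Server $rootDomain -Recursive)
    foreach ($m in $eaEffective) {
        if ($ApprovedEnterpriseAdmins -notcontains $m.SamAccountName) {
            Add-Finding 'Enterprise Admins' $m.SamAccountName 'Not on the approved list'
        }
    }

    # 3. Approved IDs that are no longer members: either the allow-list is
    #    stale or an admin was removed without anyone being told.
    $effectiveNames = @($eaEffective | ForEach-Object { $_.SamAccountName })
    foreach ($name in $ApprovedEnterpriseAdmins) {
        if ($effectiveNames -notcontains $name) {
            Add-Finding 'Enterprise Admins' $name 'Approved ID is not a member'
        }
    }

    return $findings
}

# Usage: run from an account that can read the root domain's groups.
$result = Test-ForestAdminGroups
if ($result.Count -eq 0) { Write-Host 'No findings: groups match policy.' }
else { $result | Format-Table -AutoSize }
```

The direct (non-recursive) pass and the recursive pass answer different questions: the first catches a group being dropped into Enterprise Admins, which quietly converts the "one ID per person" rule into "whoever can edit that group"; the second compares the people who effectively hold the right against the list you signed off on.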

RE: [ActiveDir] Some thoughts on securing sensitive accounts....

2005-02-25 Thread Rick Kingslan
  If you have only one Enterprise admin account, and only one person who knows
the credentials for that account, then there are some large organizational
risks if something happens to that one person.

True, one is really asking for a disaster at this point.

My environment: two EA privileged, and the credentials in a sealed envelope
with the VP of Information Security. Everyone else in the management and
maintenance infrastructure: vetted DA for the respective domain of their
accountable area, and delegated permissions to areas where they are not
responsible, but possibly needed in a pinch.

Plus, we mix things up on occasion (what a wonderful thing assigning
permissions to GROUPS not USERS) to ensure that there is no collusion
occurring between specific areas.

SOX put a whole new spin on this for us. Opened our (well, OK, I and my peer
already knew; management got their butts handed to them) eyes to issues that
we had in our domain structure and level of control and vulnerability by DA
level folks.

-rtk

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Friday, February 25, 2005 2:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts

Some of that is semantics. If you have only one Enterprise admin account, and
only one person who knows the credentials for that account, then there are
some large organizational risks if something happens to that one person.

If you have only one Enterprise admin account, but you have 2 or 3 or 5 people
who know the credentials on that account, then you have multiple Enterprise
admins. Worse, everything that happens is within the security context of that
one account, so you really can't have an audit trail since any one of the
2/3/5 people could have been the one logged in.

You also have to consider that the forest is the security boundary, and that
any of your domain admins can potentially elevate their permissions to own the
forest. Not that it's easy, but it's not impossible either.

Hunter

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, February 25, 2005 1:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts

  Then you have your actual Enterprise Admins and that should be a small
group, maybe 2-5 people depending on your size (I worked on a team of 3 people
and supervisor for a 250,000 user deployment).

So I'm assuming that you have more than 1 Enterprise admin in your root
domain? Isn't that against all the white papers out there stating that you
shouldn't have more than one ent. admin. in your forest and all other admins
should be domain admins in their own respective domain? Or did you use
enterprise admin as a generic term?

Thanks,
Francis

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, February 25, 2005 1:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Some thoughts on securing sensitive accounts

Hi folks,

I was thinking the other day of the best way to secure schema and enterprise
admin accounts. What would you do if you had carte blanche to secure sensitive
accounts in an enterprise directory?

First things that came to mind were using mandatory smart cards for SA and EA
accounts kept in a safe where only designated employees knew the pins... Any
other thoughts?

Thanks!
Francis Ouellet