ActiveDirSec.Org

The world's most trusted forum on Active Directory Security




Member

Posts: 9
Date: Jun 12, 2010
Should our Domain Admins be using dedicated administrative workstations?


In a recent in-house audit, we found that many of our admins were using the same laptop for everyday email and for managing the domain, and that they had many applications installed on these laptops, including, I believe, numerous free, unsupported network, security and AD tools that they seemed to have downloaded off the web (from who knows where).

During a recent meeting, someone raised a question about the security of these laptops and the impact of their compromise on our domain. It was suggested that we ought to consider providing separate laptops with more stringent host policies to our domain admins for the purposes of domain management.

While the cost of laptops is trivial and a non-issue, the management of additional machines, and more so, asking our admins to use two different laptops / workstations at all times, seems a little cumbersome.

Should our Domain Admins be using dedicated administrative workstations? Or is it okay to let them keep using the same laptop for email web browsing and domain management?

Appreciate your thoughts and suggestions.

Kind Regards,
John



__________________
Ray


Member

Posts: 17
Date: Jun 24, 2012
RE: Should our Domain Admins be using dedicated administrative workstations?


Hi Johnny,

As far as possible, it is a Microsoft recommended best practice to use dedicated administrative workstations/laptops for Domain Admins.

The compromise of a single machine on which a Domain Admin logs on can be used by a knowledgeable hacker to escalate his/her privilege to that of the Domain Admin, and subsequently use Domain Admin privilege to compromise the entire Active Directory domain / forest.

In fact, you should also minimize the number of your Domain Admins, and delegate most tasks related to account, OU and group management to delegated administrators, and only retain the most sensitive of admin tasks for Domain Admins.

These days computers are inexpensive, so it is highly recommended to get your Domain Admins dedicated workstations.

One other thing worth mentioning that is often overlooked is that you should also ensure that they only use trustworthy software on their machines. For example, Active Directory management software, reporting and audit tools, provisioning tools etc. should all be reliable, and procured from trustworthy vendors like Microsoft and its partners.

Domain Admin credentials are like diamonds - you must take great care of them and protect them as much as you can, from all angles.

>Ray.



__________________
One misconfigured 00299570-246d-11d0-a768-00aa006e0529 is all I need.
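The reply above recommends keeping the Domain Admins group as small as possible and delegating routine work elsewhere. The script below is an added example, not code from either poster or from the forum: it enumerates the current Domain Admins membership and flags accounts that are not hardened, so that the "minimize Domain Admins" advice can be checked against the directory rather than assumed. It assumes the RSAT ActiveDirectory module is installed, that the caller has read access to the domain, and that the forest is new enough to have the Protected Users group (Windows Server 2012 R2 schema or later); the $MaxDomainAdmins threshold is an illustrative assumption, not a Microsoft figure.

```powershell
# Added example: audit Domain Admins membership against the advice in the reply.
# Assumes RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Illustrative threshold (assumption): how many Domain Admins you consider "minimal".
$MaxDomainAdmins = 5

# Resolve nested membership so admins hidden behind group-in-group are not missed.
$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Get-ADUser -Identity $_.distinguishedName `
            -Properties AccountNotDelegated, MemberOf, LastLogonDate, PasswordLastSet
    }

# Protected Users blocks NTLM, DES/RC4 Kerberos and delegation for its members.
# Guarded with try/catch because older forests do not have this group.
$protectedUsersDn = $null
try {
    $protectedUsersDn = (Get-ADGroup -Identity 'Protected Users').DistinguishedName
} catch {
    Write-Warning 'Protected Users group not found; skipping that check.'
}

$report = foreach ($u in $members) {
    [PSCustomObject]@{
        SamAccountName   = $u.SamAccountName
        Enabled          = $u.Enabled
        # "Account is sensitive and cannot be delegated" flag
        NotDelegated     = [bool]$u.AccountNotDelegated
        InProtectedUsers = ($protectedUsersDn -ne $null) -and ($u.MemberOf -contains $protectedUsersDn)
        LastLogonDate    = $u.LastLogonDate
        PasswordLastSet  = $u.PasswordLastSet
    }
}

$report | Sort-Object SamAccountName | Format-Table -AutoSize

# Check 1: is the group larger than the target size?
$count = @($report).Count
if ($count -gt $MaxDomainAdmins) {
    Write-Warning "$count Domain Admins exceeds the target of $MaxDomainAdmins; consider delegating routine account, OU and group tasks to scoped administrators."
}

# Check 2: which Domain Admin accounts lack the basic credential-theft protections?
$report | Where-Object { -not $_.NotDelegated -or -not $_.InProtectedUsers } | ForEach-Object {
    Write-Warning ("{0}: AccountNotDelegated={1}, ProtectedUsers={2}" -f $_.SamAccountName, $_.NotDelegated, $_.InProtectedUsers)
}
```

Run it from an administrative workstation, not from the everyday email laptop the original question describes; the output is a starting list for deciding which members can be moved to delegated roles and which remaining Domain Admin accounts still need hardening.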