DavidDavis
Wed Jan 04 16:41:04 CST 2006
Right on. If you are not used to following this policy, it will be difficult
to implement. However, it is imperative that you work toward using the LUA model:
http://www.microsoft.com/technet/security/secnews/articles/lpuseacc.mspx
Many worms and malware are unable to distribute their intended payload when
executed under an account with least privilege; therefore, implementing this
policy further hardens your systems against new threats that may not have a
patch / definition.
--
David Davis [MCSE, CCNA, Security +]
"Miha Pihler [MVP]" wrote:
> Hi,
>
> Personally I am not sure if it is great to have many domain admin accounts.
> I usually try to keep this number as low as possible (1-3 accounts) in
> environments that have around 300 people.
>
> In most cases domain administrator accounts should only be used by people
> who administer domain controllers.
> Almost all other tasks can be done with other privileges. E.g. you don't
> need to be domain administrator to do a backup. Backup Operator role is
> enough. You can also delegate other permissions such as adding computers to
> domain, creating users and groups etc... If you need to install something on
> the server you can (should?) use local administrator account whenever
> possible. Services that run under domain administrator account can be quite
> a security risk. It is very easy to "dump" a password of such service
> account in clear text (user would need to be local admin or have debug
> permissions).
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Mr. Backup" <backup@yahoo.com> wrote in message
> news:O2LPuaXEGHA.3004@TK2MSFTNGP15.phx.gbl...
> > Well the great part about active directory is that you can have many
> > domain admin accounts.
> > What you should do is just make sure you have another account in the
> > domain that is also a domain admin / enterprise admin.
> > Change the password you want to change, and then make sure that each
> > service installed under that account password is changed corresponding
> > with the newly set password. There is no big deal. I can not count how
> > many times I have setup backups to run under my account, just to find them
> > fail when I changed my password.
> >
> >
> > "Patrick Lublin" <Patrick@discussions.microsoft.com> wrote in message
> > news:2FB0A304-3318-4892-AF21-4FF185B48CAA@microsoft.com...
> >> Okay, so I'm one of those people who:
> >>
> >> 1) Have logged on to all of my servers with the administrator account;
> >> and,
> >> 2) Have services running on most of the servers that start with the
> >> administrator account.
> >>
> >> So, how do I go about changing the password without locking myself out?
> >>
> >> Thanks!
> >>
> >> "Ballyb" wrote:
> >>
> >>> Nice 1, thanks.
> >>>
> >>> "David Davis" wrote:
> >>>
> >>> > I would recommend logging in as the domain administrator, hitting
> >>> > Ctrl-Alt-Del and using the change password utility. Be sure that you are
> >>> > not logged on using this account on any other machine on the network.
> >>> > Also, make sure that you are not running any services using this account.
> >>> > (Not trying to insult your intelligence; I have several clients that, in
> >>> > the past, have assigned this account to a service.) If you are logged on
> >>> > elsewhere or have services running and you change the password, then you
> >>> > will end up locking the Domain Admin account.
> >>> > --
> >>> > David Davis, MCSE, CCNA, Security +
> >>> > Network Engineer
> >>> >
> >>> >
> >>> > "Ballyb" wrote:
> >>> >
> >>> > > Hi, We have been told we have to change our Domain Administrator
> >>> > > password.
> >>> > >
> >>> > > Is this as simple as going into A/D and resetting the password, or is
> >>> > > there more involved?
> >>> > >
> >>> > > Any advice would be grateful.
> >>> > >
> >>> > > Thx
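A check for the step the thread keeps coming back to (make sure no service still logs on as the account before its password is changed), as an added example that is not part of any post in the thread. It assumes placeholder domain and server names and CIM/WinRM access to the servers; scheduled tasks and IIS application pools are not covered here.

```powershell
# Added example: inventory Windows services that log on as a given domain
# account across a list of servers, so they can be moved to a dedicated service
# account (or updated) before the domain Administrator password is changed.
param(
    [string]$Domain  = 'CONTOSO',                # assumption: placeholder NetBIOS domain name
    [string]$Account = 'Administrator',          # account whose password is about to change
    [string[]]$Servers = @('SRV01', 'SRV02'),    # assumption: placeholder server names
    [string]$Report  = ".\services-$Account.csv" # where the findings are written
)

# Win32_Service.StartName records the logon account. A domain account may be
# stored as DOMAIN\user or as user@domain, so both forms are matched.
# Local ".\Administrator" is a different account and is deliberately not matched.
function Test-LogonMatch([string]$Name) {
    if ([string]::IsNullOrEmpty($Name)) { return $false }
    return ($Name -eq "$Domain\$Account") -or ($Name -like "$Account@*")
}

$findings = foreach ($server in $Servers) {
    try {
        # Remote CIM query; requires WinRM and rights to read service configuration.
        $services = Get-CimInstance -ClassName Win32_Service -ComputerName $server -ErrorAction Stop
    } catch {
        Write-Warning "Could not query $server : $($_.Exception.Message)"
        continue
    }
    foreach ($svc in $services) {
        if (Test-LogonMatch $svc.StartName) {
            [pscustomobject]@{
                Server      = $server
                Service     = $svc.Name
                DisplayName = $svc.DisplayName
                LogonAs     = $svc.StartName
                State       = $svc.State
                StartMode   = $svc.StartMode
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Server, Service | Format-Table -AutoSize
    $findings | Export-Csv -Path $Report -NoTypeInformation
    Write-Host "Found $(@($findings).Count) service(s) logging on as $Domain\$Account; review $Report before changing the password."
} else {
    Write-Host "No services on the listed servers log on as $Domain\$Account."
}
```

Run it again after the change: any service that is still listed and now shows a stopped state is one whose stored credential was not updated and is the usual cause of the lockouts described above.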