Securing administrator account

  • Securing administrator account

    I have a customer I installed a network for last year and I continue to manage and fix it. They have a financial guy that I report to and he knows enough to be dangerous. Recently he has added the vice-president and the president to the administrators group and I am trying to find the right way to tell them how unnecessary and dangerous this is. What are some of the implications?

    These people will never be administering the network. If they were ever infected at the user level, as administrators could they compromise the network?

    From a liability point of view I am concerned. I try to keep their network running in a secure, trouble-free, efficient manner but it is difficult when you never know what someone might be doing behind the scenes like adding users to the administrator’s group. I would appreciate any comment to help me make my point.

    Thanks,
    Network Engineers do IT under the desk

  • #2
    Re: Securing administrator account

    yes - they can damage the network if their normal user accounts have DA privileges.

    it suggests to me though, that the financial guy is more of a concern than the other two - they probably don't know or care...
    maybe they just want local admin access, and the financial guy added them to da instead, because he doesn't know _enough_

    as a starting point, see if local administrator on their computer is enough..
    Please do show your appreciation to those who assist you by leaving Rep Point


    • #3
      Re: Securing administrator account

      Thank you for your reply. Help me explain to the financial guy how giving users DA rights can damage the network.

      Thanks
      Network Engineers do IT under the desk


      • #4
        Re: Securing administrator account

        hi,

        do these help ?
        http://blog.paradigmcc.com/2009/05/1...your-computer/

        http://taosecurity.blogspot.com/2009...nistrator.html

        http://www.computerworld.com/s/artic...crosoft_s_bugs

        to explain to the financial guy, use numbers.
        "if you give joe admin rights, and he accidentally contracts a virus by clicking on an email, then you have to get me to come in and fix it. and when i come in and fix it, it's likely to take upwards of 40 hours (my boss billed 60, and I billed 40, at the start of 2009 for something very similar) at XXX rate. So that equates to YYY dollars... that money would be much better spent within the company, on enhancing the infrastructure, rather than fixing it..."
        Please do show your appreciation to those who assist you by leaving Rep Point


        • #5
          Re: Securing administrator account

          These are good articles and I appreciate the post. They are consistent with everything I have found (Google is my friend) but they all pertain to removing users from local administrator or member server groups.

          I am specifically concerned with users that have been added to the Domain Administrator's group. Neither the president nor the vice-president are ever going to log onto the DC using their own accounts (with DA access). It is also unlikely malicious damage would be caused by principals of the company. So at what point is a danger presented here?
          Network Engineers do IT under the desk


          • #6
            Re: Securing administrator account

            If their account has local workstation, or local server administrative privileges, and they log on to a server or workstation, then they accidentally open a malware link, they will affect the workstation or server.

            The malware will run using those credentials.

            If they have domain administrative privileges on their normal user account, and do the same thing on their workstation, the malware will run using the DA privileges.


            Our internal IT staff don't even have DA access on their normal accounts - we use separate, named administrative accounts. For instance if I have a logon of CamelT, then I might have an administrative account of TCAdmin or AdminTC or CamelT_DA or something like that.. ?
            Please do show your appreciation to those who assist you by leaving Rep Point
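
One way to audit for the situation discussed in this thread, added here as an example and not written by any of the posters: the PowerShell function below flags Domain Admins members that look like everyday user accounts rather than separate, named administrative accounts. The function name `Find-DailyUseDomainAdmin`, the `_DA` suffix convention, the mailbox check and the sample accounts are assumptions constructed for illustration.

```powershell
# Added example: flag Domain Admins members that look like day-to-day user accounts.
# Assumptions: dedicated admin accounts follow a naming convention (here a "_DA"
# suffix) and have no mailbox. Adjust both checks to your environment.
function Find-DailyUseDomainAdmin {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Member,
        [string]$AdminNamePattern = '_DA$'   # hypothetical naming convention
    )
    process {
        $reasons = @()
        if ($Member.SamAccountName -notmatch $AdminNamePattern) {
            $reasons += 'name does not match admin-account convention'
        }
        if ($Member.mail) {
            $reasons += 'has a mailbox (used for everyday work)'
        }
        # Disabled accounts cannot log on, so only enabled ones are reported.
        if ($Member.Enabled -and $reasons.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $Member.SamAccountName
                Reasons        = $reasons -join '; '
            }
        }
    }
}

# Constructed sample data so the function can be tried without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'CamelT';    mail = 'camelt@example.test';    Enabled = $true }
    [pscustomobject]@{ SamAccountName = 'CamelT_DA'; mail = $null;                    Enabled = $true }
    [pscustomobject]@{ SamAccountName = 'President'; mail = 'president@example.test'; Enabled = $true }
)
$sample | Find-DailyUseDomainAdmin | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module from RSAT):
# Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
#     Where-Object objectClass -eq 'user' |
#     Get-ADUser -Properties mail |
#     Find-DailyUseDomainAdmin
```

With the sample data, `CamelT` and `President` are reported and `CamelT_DA` is not. On a live domain the built-in Administrator account will also be reported by the name check unless the pattern is widened to allow it.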