The past few tips have discussed securing administrator accounts. In this week's tip we are going to reverse things a bit and go back and look at the Active Directory administrator accounts individually. In addition, this tip provides seven tips for securing these accounts.
There are eight specific service focused administrator groups or accounts. These include:
- Enterprise Admins (EA) (located in the Forest)
- Schema Admins (SA) (located in the Forest)
- Administrators (BA) (located in the Domain)
- Domain Admins (DA) (located in the Domain)
- Server Operators (SO) (located in the Domain)
- Account Operators (AO) (located in the Domain)
- Backup Operators (BO) (located in the Domain)
- Administrator (located on the local system for the Directory Service Restore Mode)
These seven groups and one account are granted access to manage and manipulate Active Directory configuration by default. Thus, you should consider membership in these groups (and access to the account) as highly privileged capabilities. CLOSELY define, monitor, and verify membership in these groups on a regular basis. If any unauthorized user accounts obtain membership in these groups, then a serious security violation may have already occurred.
Here are some tips on how to securely juggle these groups and accounts:
- Keep membership as low as possible
- Enforce the practice of a normal user account and an admin user account for every person assigned
- administrative level work tasks
- Rename the local and domain administrator accounts, then create a decoy account with the Administrator name.
- Prevent data level administrators from being able to manage or configure service level accounts - this is only a necessary precaution if you grant data administrators the ability to access the Active Directory Users and Computer's tool in their assigned AD container.
- Keep the membership of service administrator accounts in other non-service administrator groups to a minimum.
- Grant access to such accounts only to trusted personnel
- Grant access only to local forest users
In previous tips I described a few more specifics to securing service administrator accounts, including hiding them from Authenticated Users and limiting logon. Hopefully this tip will help complete the AD admin account security picture.
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.
This was first published in August 2006