Securely juggling service admin accounts

The past few tips have discussed securing administrator accounts. In this week's tip we reverse things a bit and go back to look at the Active Directory administrator accounts individually. In addition, this tip provides seven tips for securing these accounts.

There are eight specific service-focused administrator groups or accounts. These include:

  • Enterprise Admins (EA) (located in the Forest)
  • Schema Admins (SA) (located in the Forest)
  • Administrators (BA) (located in the Domain)
  • Domain Admins (DA) (located in the Domain)
  • Server Operators (SO) (located in the Domain)
  • Account Operators (AO) (located in the Domain)
  • Backup Operators (BO) (located in the Domain)
  • Administrator (located on the local system for the Directory Service Restore Mode)

These seven groups and one account are granted access to manage and manipulate the Active Directory configuration by default. Thus, you should consider membership in these groups (and access to the account) a highly privileged capability. CLOSELY define, monitor, and verify membership in these groups on a regular basis. If any unauthorized user account has obtained membership in these groups, a serious security violation may already have occurred.

Here are some tips on how to securely juggle these groups and accounts:

  • Keep membership as low as possible.
  • Enforce the practice of a normal user account and an admin user account for every person assigned administrative level work tasks.
  • Rename the local and domain administrator accounts, then create a decoy account with the Administrator name.
  • Prevent data level administrators from being able to manage or configure service level accounts - this is only a necessary precaution if you grant data administrators the ability to access the Active Directory Users and Computers tool in their assigned AD container.
  • Keep the membership of service administrator accounts in other non-service administrator groups to a minimum.
  • Grant access to such accounts only to trusted personnel.
  • Grant access only to local forest users.
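As an added example (not part of the original tip), the following PowerShell script audits the seven groups listed above against an approved-member baseline and checks whether the built-in Administrator account has been renamed. It assumes the RSAT ActiveDirectory module is installed and that you maintain a hypothetical CSV at C:\AdAudit\approved-service-admins.csv with columns Group and Member (SamAccountName).

```powershell
# Added audit example, not code from the original tip.
# Assumes: ActiveDirectory module (RSAT) and a baseline CSV you maintain.
Import-Module ActiveDirectory

$rootDomain = (Get-ADForest).RootDomain   # EA and SA exist only in the forest root
$thisDomain = (Get-ADDomain).DNSRoot

# Service administrator group -> domain in which it is defined.
# The DSRM Administrator is a per-DC local account and is not in AD, so it is
# not covered here; verify it on each domain controller separately.
$serviceAdminGroups = @{
    'Enterprise Admins' = $rootDomain
    'Schema Admins'     = $rootDomain
    'Administrators'    = $thisDomain
    'Domain Admins'     = $thisDomain
    'Server Operators'  = $thisDomain
    'Account Operators' = $thisDomain
    'Backup Operators'  = $thisDomain
}

# Hypothetical baseline path; rows list explicitly approved Group,Member pairs.
$baseline = Import-Csv 'C:\AdAudit\approved-service-admins.csv'

$findings = @(foreach ($group in $serviceAdminGroups.Keys) {
    $server = $serviceAdminGroups[$group]
    # -Recursive expands nested groups so indirect membership is flagged too.
    foreach ($m in (Get-ADGroupMember -Identity $group -Server $server -Recursive)) {
        $approved = $baseline | Where-Object {
            $_.Group -eq $group -and $_.Member -eq $m.SamAccountName
        }
        if (-not $approved) {
            [pscustomobject]@{ Group = $group; Domain = $server
                               Member = $m.SamAccountName; Class = $m.objectClass }
        }
    }
})

# The built-in domain Administrator always has RID 500, whatever its name.
$domSid  = (Get-ADDomain).DomainSID.Value
$builtin = Get-ADUser -Identity "$domSid-500"
if ($builtin.SamAccountName -eq 'Administrator') {
    $findings += [pscustomobject]@{ Group = '(RID 500)'; Domain = $thisDomain
                                    Member = 'Administrator'; Class = 'user (not renamed)' }
}

# Anything printed here is an unapproved member or an unrenamed built-in account.
$findings | Format-Table -AutoSize
```

Run it from a scheduled task under a least-privileged read-only account and alert on any non-empty output, since unexpected membership is exactly the condition the tip warns about.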

In previous tips I described a few more specifics to securing service administrator accounts, including hiding them from Authenticated Users and limiting logon. Hopefully this tip will help complete the AD admin account security picture.

James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.

This was first published in August 2006
