Securely juggling service admin accounts

A look at the Active Directory service administrator accounts and some tips for keeping them secure.

The past few tips have discussed securing administrator accounts in general. In this week's tip we reverse things a bit and look at the Active Directory service administrator groups and accounts individually, and then give seven tips for keeping them secure.

There are eight service-focused administrator groups or accounts (seven groups and one account). These are:

  • Enterprise Admins (EA) (forest-wide; the group exists only in the forest root domain)
  • Schema Admins (SA) (forest-wide; the group exists only in the forest root domain)
  • Administrators (BA) (built-in group; one in each domain)
  • Domain Admins (DA) (one in each domain)
  • Server Operators (SO) (built-in group; one in each domain)
  • Account Operators (AO) (built-in group; one in each domain)
  • Backup Operators (BO) (built-in group; one in each domain)
  • Administrator (the Directory Services Restore Mode account, stored in the local SAM of each domain controller rather than in the directory)

These seven groups and one account are granted the right to manage and manipulate the Active Directory configuration by default, so treat membership in these groups (and knowledge of the DSRM password) as a highly privileged capability. Closely define, monitor, and verify membership in these groups on a regular schedule, and compare what you find against an approved list rather than relying on memory. If an unauthorized account has obtained membership in any of them, a serious security breach may already have occurred, so investigate how it got there, not just remove it.

Here are some tips on how to securely juggle these groups and accounts:

  • Keep membership as small as possible. Several of these groups (Schema Admins in particular) can stay empty until a specific change requires a member, and Account Operators and Server Operators are rarely needed at all.
  • Require a separate normal user account and a separate admin account for every person assigned administrative tasks, and use the admin account only for that work.
  • Rename the local and domain Administrator accounts, then create an unprivileged decoy account with the Administrator name. Note that the built-in account keeps its well-known relative identifier (RID 500), so renaming blunts name-based guessing but does not hide the account from anyone who can resolve SIDs; treat it as one layer, not as concealment.
  • Prevent data-level administrators from managing or configuring service-level accounts. This precaution is only necessary if you delegate data administrators the Active Directory Users and Computers tool over their assigned AD container.
  • Keep membership of service administrator accounts in other, non-service administrator groups to a minimum.
  • Grant access to such accounts only to trusted personnel.
  • Grant access only to accounts from the local forest; never add principals from trusted external domains or forests to these groups.
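The following PowerShell script is an added example, not part of the original tip, that puts the "define, monitor, and verify membership" advice above and the tips on foreign-forest members and renamed Administrator accounts into a repeatable check. It assumes the RSAT ActiveDirectory module, read access to a global catalog, and that the baseline hash table (with placeholder account names such as da.jsmith) has been replaced with your own approved membership. The DSRM account cannot be checked this way because it lives in each domain controller's local SAM.

```powershell
# Added example, not from the original tip: audit the seven service administrator groups
# against an approved baseline and flag the conditions the tips warn about (unexpected
# members, members from outside the forest, an un-renamed RID-500 account).
# Assumes the RSAT ActiveDirectory module and read access to a global catalog.
# All account names in $baseline are constructed placeholders.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
$gc     = "$($forest.RootDomain):3268"   # the GC resolves DNs from any domain in the forest

# Forest-level groups exist only in the forest root domain; the others exist in every domain.
$serviceAdminGroups = @(
    @{ Name = 'Enterprise Admins'; Domain = $forest.RootDomain }
    @{ Name = 'Schema Admins';     Domain = $forest.RootDomain }
    @{ Name = 'Administrators';    Domain = $domain.DNSRoot }
    @{ Name = 'Domain Admins';     Domain = $domain.DNSRoot }
    @{ Name = 'Server Operators';  Domain = $domain.DNSRoot }
    @{ Name = 'Account Operators'; Domain = $domain.DNSRoot }
    @{ Name = 'Backup Operators';  Domain = $domain.DNSRoot }
)

# Approved *flattened* membership per group (placeholder names). Keep this under change
# control so the audit itself is not trivially editable by the people it audits.
$baseline = @{
    'Enterprise Admins' = @('ea.jsmith')
    'Schema Admins'     = @()                                   # normally empty
    'Administrators'    = @('da.jsmith', 'ea.jsmith', 'adm-breakglass')
    'Domain Admins'     = @('da.jsmith', 'adm-breakglass')
    'Server Operators'  = @()
    'Account Operators' = @()
    'Backup Operators'  = @('svc.backup')
}

# Walk the member attribute ourselves instead of Get-ADGroupMember -Recursive: this keeps
# the nesting path for the report and still resolves cross-domain and foreign security
# principal members, on which Get-ADGroupMember frequently errors out.
function Get-FlatMembers {
    param([string]$GroupDN, [string]$Path, [hashtable]$Seen)
    $group = Get-ADObject -Identity $GroupDN -Server $gc -Properties member
    foreach ($dn in $group.member) {
        if ($Seen.ContainsKey($dn)) { continue }              # guards against circular nesting
        $Seen[$dn] = $true
        $obj = Get-ADObject -Identity $dn -Server $gc -Properties objectClass, sAMAccountName
        if ($obj.objectClass -eq 'group') {
            Get-FlatMembers -GroupDN $dn -Path "$Path > $($obj.Name)" -Seen $Seen
        } else {
            $name = $obj.sAMAccountName
            if (-not $name) { $name = $obj.Name }             # FSPs have no sAMAccountName
            [pscustomobject]@{
                Name    = $name
                Class   = $obj.objectClass
                Via     = $Path
                Foreign = ($obj.objectClass -eq 'foreignSecurityPrincipal')
            }
        }
    }
}

$findings = @()
foreach ($g in $serviceAdminGroups) {
    $dn       = (Get-ADGroup -Identity $g.Name -Server $g.Domain).DistinguishedName
    $members  = @(Get-FlatMembers -GroupDN $dn -Path $g.Name -Seen @{})
    $approved = $baseline[$g.Name]
    foreach ($m in $members) {
        if ($m.Foreign) {
            $findings += "FOREIGN  $($g.Name): $($m.Name) (via $($m.Via)) comes from outside this forest"
        }
        if ($approved -notcontains $m.Name) {
            $findings += "UNKNOWN  $($g.Name): $($m.Name) [$($m.Class)] via $($m.Via) is not in the baseline"
        }
    }
    foreach ($a in $approved) {
        if ($members.Name -notcontains $a) {
            $findings += "MISSING  $($g.Name): baseline member $a is no longer present"
        }
    }
}

# The built-in Administrator account is identified by RID 500, not by its name, so verify
# the rename by SID and confirm the decoy named "Administrator" holds no group membership.
$rid500 = Get-ADUser -Identity "$($domain.DomainSID.Value)-500" -Server $domain.DNSRoot
if ($rid500.SamAccountName -eq 'Administrator') {
    $findings += "RENAME   the built-in RID-500 account has not been renamed"
} else {
    $decoy = Get-ADUser -Filter "sAMAccountName -eq 'Administrator'" -Server $domain.DNSRoot -Properties memberOf
    if ($decoy -and $decoy.memberOf.Count -gt 0) {
        $findings += "DECOY    the decoy 'Administrator' account is a member of $($decoy.memberOf.Count) group(s); it should be in none"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: service administrator group membership matches the baseline"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it as a scheduled task under a read-only audit account and keep the output alongside the change records for these groups; a MISSING or UNKNOWN line that has no matching change ticket is the signal the tip above describes.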

In previous tips I described a few more specifics on securing service administrator accounts, including hiding them from Authenticated Users and limiting logon. Hopefully this tip will help complete the AD admin account security picture.


James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.


This was first published in August 2006
