Users who are members of the seven service administrator groups hold the most powerful accounts in your domains, so it is important to control how those accounts are used. Administrators should implement strong logon restrictions as the primary control on their use.
One step toward stronger logon restrictions is to require these accounts to log on with smart cards. The requirement cannot be applied to the default Administrator account, but that account is not the one at issue here: every user account you created and then made a member of a service administrator group can carry the smart card requirement. So, do it.
This one action forces interactive (in most cases, local) logon, requires two factors of authentication (the card and its PIN), ties authentication to physical possession of the card, and assigns a randomly generated, cryptographically strong password to the account. This last benefit makes these accounts far less vulnerable to password guessing, cracking and auditing tools. The account still has a password hash stored on the domain controllers, however, so the other protections on these accounts remain necessary.
The only real drawback is that smart cards require a PKI: a certificate authority that issues smart card logon certificates, an enrollment process for the cards, and a reader at every console these administrators use.
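The following PowerShell script is an added example, not part of the original article, showing how to apply the smart card requirement to every member of the service administrator groups while skipping the built-in Administrator account. It assumes the ActiveDirectory module (RSAT) and rights to modify the accounts; the list of seven group names is an assumption taken from Microsoft's published guidance on securing Active Directory, and the article itself does not name them.

```powershell
# Added example (not from the original article): enforce "Smart card is required
# for interactive logon" on every user in the service administrator groups,
# skipping the built-in Administrator (RID 500), which cannot carry the requirement.
# Assumes the ActiveDirectory module and rights to modify the accounts.
# The group list is an assumption based on Microsoft's AD hardening guidance.
Import-Module ActiveDirectory

$ServiceAdminGroups = @(
    'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators'
)

function Get-ServiceAdminUser {
    # Resolve nested membership so accounts hidden inside sub-groups are included,
    # then de-duplicate users that appear in more than one group.
    $ServiceAdminGroups |
        ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue } |
        Where-Object { $_.objectClass -eq 'user' } |
        Sort-Object -Property distinguishedName -Unique |
        ForEach-Object {
            Get-ADUser -Identity $_.distinguishedName -Properties SmartcardLogonRequired, userAccountControl
        }
}

function Set-ServiceAdminSmartcardRequirement {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($u in Get-ServiceAdminUser) {
        if ($u.SID.Value -match '-500$') {
            Write-Warning "Skipping built-in Administrator account $($u.SamAccountName)"
            continue
        }
        if ($u.SmartcardLogonRequired) { continue }   # already enforced
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Require smart card for interactive logon')) {
            # Sets ADS_UF_SMARTCARD_REQUIRED (0x40000) in userAccountControl; the DC
            # also replaces the account password with a random, strong value.
            Set-ADUser -Identity $u -SmartcardLogonRequired $true
        }
    }
}

function Test-ServiceAdminSmartcardRequirement {
    # Audit: list every service administrator account that can still log on
    # with a password (excluding the built-in Administrator).
    Get-ServiceAdminUser |
        Where-Object { -not $_.SmartcardLogonRequired -and $_.SID.Value -notmatch '-500$' } |
        Select-Object SamAccountName, DistinguishedName,
            @{ n = 'SmartcardBitSet'; e = { ($_.userAccountControl -band 0x40000) -ne 0 } }
}

# Preview the change, apply it, then confirm no account was left unprotected.
Set-ServiceAdminSmartcardRequirement -WhatIf
Set-ServiceAdminSmartcardRequirement
Test-ServiceAdminSmartcardRequirement
```

Run the audit function on a schedule as well as after the initial rollout: any account that is later added to one of these groups without the flag will show up in its output.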
Another option is to enforce two-man control on service administrator account logons. This can be accomplished on Windows Server 2003 (or any OS, for that matter) simply by creating a long, complex password and giving half of it to each of two people. Both must then be physically present to enter their portion of the password at logon. Make each half long and random enough to stand as a strong password on its own, so that one holder cannot guess or brute-force the other's portion. Then,
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.
This was first published in May 2004