Securely managing logon for service administrators

James Michael Stewart, Contributor

Users that are members of the seven service administrator groups represent the most powerful accounts in your domains, so it is important to control their use. Administrators should implement strong logon restrictions as the primary use control.

One step to improve logon restrictions is to require these accounts to use smart cards to logon. This is not a valid requirement for the default administrator account, but that's not what we are talking about. All of the user accounts which you created that were then made members of a service administrator group can have the requirement for smart cards. So, do it.

This one action forces local logon (in most cases), requires a second level of authentication (i.e. passwords and smart cards), requires a physical possession component to authentication (i.e. having the smart card in your possession), and assigns a randomly generated, cryptographically strong password to the account. This last benefit makes these user accounts significantly less vulnerable to password cracking and auditing tools.

The only real drawback to this is smart cards require PKI.

Another option is to force two-man control on service administrator account logons. This can be accomplished through Windows Server 2003 (or any OS for that matter) simply by creating a complex password and assigning half of it to each person. Thus, both users must be present physically to provide their portion of the password at the time of logon. Then,

    Requires Free Membership to View

require peer auditing through procedural policies that require both administrators to be present throughout the entire logon session. This forces two people to work together to double-check each other's work when performing service administrator level work tasks. This concept of split passwords could also be applied to smart cards. Simply give the smart card to one administrator and the PIN to the other. This forces both users to be present at the point of logon.

James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.

This was first published in May 2004

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.