Users that are members of the seven service administrator groups represent the most powerful accounts in your domains,...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
so it is important to control their use. Administrators should implement strong logon restrictions as the primary use control.
One step to improve logon restrictions is to require these accounts to use smart cards to logon. This is not a valid requirement for the default administrator account, but that's not what we are talking about. All of the user accounts which you created that were then made members of a service administrator group can have the requirement for smart cards. So, do it.
This one action forces local logon (in most cases), requires a second level of authentication (i.e. passwords and smart cards), requires a physical possession component to authentication (i.e. having the smart card in your possession), and assigns a randomly generated, cryptographically strong password to the account. This last benefit makes these user accounts significantly less vulnerable to password cracking and auditing tools.
The only real drawback to this is smart cards require PKI.
Another option is to force two-man control on service administrator account logons. This can be accomplished through Windows Server 2003 (or any OS for that matter) simply by creating a complex password and assigning half of it to each person. Thus, both users must be present physically to provide their portion of the password at the time of logon. Then, require peer auditing through procedural policies that require both administrators to be present throughout the entire logon session. This forces two people to work together to double-check each other's work when performing service administrator level work tasks. This concept of split passwords could also be applied to smart cards. Simply give the smart card to one administrator and the PIN to the other. This forces both users to be present at the point of logon.
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.