LAS VEGAS -- There's no such thing as a completely secure Active Directory, but one expert believes that limiting admin privileges is one of the best and most underutilized ways to keep a Windows network safe.
During a session last week at Comdex Las Vegas 2003, Active Directory security expert David Shaw told attendees that their companies should seriously consider limiting the number of IT managers who have service administrator privileges.
Shaw, who is the enterprise network architect for the U.S. Air Force's Air Combat Command, said that there are 110,000 users on his network, but only five have service admin privileges.
"Service admins have to be highly trusted," because they have the power to take down Active Directory, Shaw said. A service admin has the ability to create domains, modify the operating system on domain controllers, and manage other critical, underlying pieces of the Windows network.
Shaw said that service admins can become the weak link in several disaster scenarios. While a disgruntled employee with service admin privileges is an obvious threat, a less obvious danger is a service admin who logs on from another employee's PC.
By simply neglecting to log off, the admin could effectively give the employee Active Directory privileges, until the error is detected. Shaw said the simplest way to prevent such an event is by limiting service admin logons to certain PCs. He also said that it's generally a good idea to minimize the software footprint on service admin clients.
Shaw said he learned that lesson in part from an incident on an Air Force base network. A network manager with service administrator status disabled communications to the entire base for several hours by accidentally disabling a network switch that he shouldn't have been able to access.
A service admin also has physical access to the domain controller, which can be even more dangerous. Shaw said that, with physical access, anyone can boot a domain controller to an alternate OS, steal the hard drive or backup media, and even walk away with entire forests.
"Once I own the domain controller, I own your forest," Shaw said. "With physical access, I can do virtually anything. If I put a domain controller in restore mode, I can potentially put it on a [USB] thumb drive and walk out with it."
Shaw said that it's wise to not only run antivirus software consistently on domain controllers and service admin PCs, but also to track domain controller reboots, because that's almost always a sign of trouble.
"Don't ever accept this excuse from one of your admins: It's a Windows server. Today, Windows is as solid as a rock. Today, I'd stick it up against any Unix workstation. It's that reliable. Three years ago, I would've never said that," said Shaw.
Shaw offered several best practices to keep potential service admin damage in check: Only allow service admins to manage other service admins. Place service admin groups, user members of those groups, and computer accounts of service admin workstations in controlled subtrees. Don't include remote users or remote groups in service admin groups. And consider a dual-admin model, where two service admins each keep half of a password.
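One way to check a domain against that list, added here as an example and not from Shaw's session: a PowerShell script (ActiveDirectory module assumed) that walks the service admin groups, recursing through nested groups, and flags any foreign security principal (a remote user or group from a trusted domain) and any member that lives outside the controlled subtree. The OU name and the group list are assumptions; substitute your own.

```powershell
Import-Module ActiveDirectory

# Placeholder: the controlled subtree that should hold service admin groups, users and workstations
$ControlledOU = 'OU=Service Admins,DC=example,DC=com'
# Assumption: the default service admin groups; add any delegated groups of your own
$ServiceAdminGroups = 'Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators'

function Get-ServiceAdminFindings {
    param([string]$GroupName, [hashtable]$Seen = @{})
    # Read the member attribute directly: Get-ADGroupMember errors on foreign security principals
    $group = Get-ADGroup -Identity $GroupName -Properties member
    foreach ($memberDn in $group.member) {
        if ($Seen.ContainsKey($memberDn)) { continue }   # guard against nested-group cycles
        $Seen[$memberDn] = $true
        $member = Get-ADObject -Identity $memberDn -Properties objectClass
        if ($member.ObjectClass -eq 'foreignSecurityPrincipal') {
            # A SID from a trusted domain: a remote user or group holds service admin rights here
            [pscustomobject]@{ Group = $GroupName; Member = $memberDn; Issue = 'Remote principal in service admin group' }
            continue
        }
        if ($memberDn -notlike "*,$ControlledOU") {
            # Users, workstations and nested groups all belong under the controlled subtree
            [pscustomobject]@{ Group = $GroupName; Member = $memberDn; Issue = 'Member outside controlled subtree' }
        }
        if ($member.ObjectClass -eq 'group') {
            # Recurse so a remote or misplaced principal nested two levels down is still found
            Get-ServiceAdminFindings -GroupName $memberDn -Seen $Seen
        }
    }
}

$findings = foreach ($g in $ServiceAdminGroups) { Get-ServiceAdminFindings -GroupName $g }
$findings | Sort-Object Group, Member | Format-Table -AutoSize
```

Run it as a service admin on a domain controller or an admin workstation with RSAT; an empty table means every member of every service admin group is a local principal inside the controlled subtree.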
Grant Philp, technology manager for McGill University in Montreal, is in the process of moving from a mixed environment of Windows NT and Windows 2000 to Windows Server 2003. He's not concerned about Active Directory security, because he has years of experience managing Novell Directory Services (NDS), but said the toughest part of keeping a Windows network secure lies with user policy.
"A lot of people know what to do to keep the network secure, but it's having the resources to do it" that's difficult, Philp said. He said it's always particularly difficult from a political standpoint to get users to "buy in to" the need to maintain complex passwords and change them regularly.
Attendee Deron Roberts, a senior systems engineer for Honda R&D Americas Inc., in Raymond, Ohio, said that his company already employs many of the best practices suggested by Shaw. Roberts migrated from Windows 2000 to Windows Server 2003 earlier this year.