If you haven't gleaned this truism by now, especially across my last dozen tips or so, let me point it out directly right here: You must perform administrative tasks securely. At some point you will have to perform some type of administrative level activity on your domain controllers. Just the simple act of installing Windows Server 2003 or upgrading a member server to a domain controller are just some of the administrative tasks that you probably overlook when planning out security for administration.
The point I want to get across here is that even if you have installation and setup procedures that ensure a secure domain controller and you have a tightly controlled physical access control system, you still have to have reliable people perform administration and do so in a secure and controlled manner. Administrators will often need direct physical access to the servers that they are assigned the responsibility to oversee and manage. Thus, they must be granted entrance into your server rooms and be given local logon capability to the servers. (That is unless you've deployed a reliable and secure remote administration communication channel, such as IPSec. But all that does is bring up new security issues, such as who do you give remote administrative privileges to, how secure is your encrypted link, can it be impersonated, what happens if the link cannot be established during a crisis, etc.)
Your administrators must be trustworthy people. Not in the way that you might first think, such as whether you'd trust them left alone in a room with the petty cash drawer. What I mean is that they will take extra care to follow security procedures and avoid (as much as humanly possible) any action or activity that would reduce the physical, logical or technical security of your environment. This usually equates to experience, knowledge and training. The more trustworthy and competent your administrators, the more you can rely upon the security that was built into your domain in the first place.
Even though there is a default administrator account on every system, not all administrator accounts are equal. What I mean by this is, depending on the services installed on a specific box, the person (or persons) with access to your administrator accounts will have more or less influence over the security of your network. It should be obvious that admin personnel who can log onto a domain controller have more power than those who can only log onto a file or print server. Likewise, administrators on forest root domain DCs, Global Catalog hosts, trust establishment systems, schema masters, etc. all have more power over the security, reliability and capability of your network than administrators on other types of servers. So, take caution when granting administrator access.
Whenever possible restrict the service administrators, those with the power over the directory service systems (i.e. Active Directory domain controllers), to as few people as possible. Furthermore, don't delegate service administrator privileges. Save the nifty delegation feature for data administrators, i.e. those that simply control network and domain access to resources.
I realize that there is not any direct hands-on info in this tip. But I'm just getting started. I needed to establish a foundation upon which to build the remainder of the tips which address the issue of creating a secure administration process in your organization in order to sustain, maintain, and improve the security that you have so diligently designed and implemented.
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.