Manage Learn to apply best practices and optimize your operations.

Securely managing logon for service administrators

In Microsoft Active Directory, two-factor authentication is the key to protecting your service administrator accounts.

Users that are members of the seven service administrator groups represent the most powerful accounts in your domains, so it is important to control their use. Administrators should implement strong logon restrictions as the primary use control.

One step to improve logon restrictions is to require these accounts to use smart cards to logon. This is not a valid requirement for the default administrator account, but that's not what we are talking about. All of the user accounts which you created that were then made members of a service administrator group can have the requirement for smart cards. So, do it.

This one action forces local logon (in most cases), requires a second level of authentication (i.e. passwords and smart cards), requires a physical possession component to authentication (i.e. having the smart card in your possession), and assigns a randomly generated, cryptographically strong password to the account. This last benefit makes these user accounts significantly less vulnerable to password cracking and auditing tools.

The only real drawback to this is smart cards require PKI.

Another option is to force two-man control on service administrator account logons. This can be accomplished through Windows Server 2003 (or any OS for that matter) simply by creating a complex password and assigning half of it to each person. Thus, both users must be present physically to provide their portion of the password at the time of logon. Then, require peer auditing through procedural policies that require both administrators to be present throughout the entire logon session. This forces two people to work together to double-check each other's work when performing service administrator level work tasks. This concept of split passwords could also be applied to smart cards. Simply give the smart card to one administrator and the PIN to the other. This forces both users to be present at the point of logon.

James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.

Dig Deeper on Windows systems and network management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.