Hi,
Today I want to share with you a simple best practice that I have often seen overlooked and not implemented.
The problem
Have you ever started at a new company and found that everyone has domain admin access? The technicians, the admins, the non-technical boss and even the level 1 service desk staff? I have, in almost every company I started at. This, it goes without saying, poses a huge risk, not just from a security point of view but also because so many people have the potential to either intentionally or unintentionally $uck $hit up. Either way you have your hands full and enough on your plate without still having to worry about one of your service desk staff starting to dig into things they learnt about in their MCSE class. So how do we go about mitigating this risk and applying the best practice of least privilege access (you only have access to do the things that enable you to perform your job)?
The Solution
I usually tackle this in a few ways:
- I get the backing of the decision makers by informing them of the risks to the business and what I can do to resolve it. This way, if they decide to do nothing, you have it in writing that they were made aware of the risk and it's all on them.
- Next you will usually send out an e-mail or go and speak to the managers of the respective sections to find out their needs and roles. Essentially you need to know who does what before you can even begin with the technical bits.
- Now that you have that information on who does what, it's a lot easier to go into AD and create some groups. In my example I have 3 levels of support, which is what I found most common at all the companies I worked at. They are:
  - Level 1 Support – Service desk. They do your quick fixes and generally require the following permissions:
    - Reset password
    - Unlock an account
    - Change password
    - Read access to all user attributes
  - Level 2 Support – Desktop engineers and technicians generally have a few more:
    - Reset password
    - Change password
    - Unlock account
    - Read attributes of an AD user
    - Create users
    - Modify Active Directory groups
    - Join computers to the domain
    - Rejoin computers to the domain
    - Unjoin computers from the domain
    - Move computers to the proper OU
  - Level 3 Support – Network or systems admins usually have domain admin access, depending on the size and organic structure of the company. Larger companies will have more granular roles, rights and permissions, whereas the generalist admin will usually have domain admin rights and whatever he/she grants to themselves.
- I create NEW administration (aka adm) accounts for each support user, e.g. for the user John Black with a username of jblack I create admjblack. I simply add adm as a prefix.
- I then create AD security groups, e.g. ServiceDesk_Firstline, ServiceDesk_Secondline and so on. Be sure to give good descriptions.
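The account and group steps above as a script, added here as an example and not code from the original post. It assumes the RSAT ActiveDirectory module; the domain name, OU paths and the staff list are constructed assumptions, and the group names are the post's examples.

```powershell
# Added example (not from the original post): provision tier groups and
# "adm"-prefixed admin accounts for support staff. Requires the RSAT
# ActiveDirectory module and rights to create objects in the target OUs.
Import-Module ActiveDirectory

$Domain  = 'corp.example.local'                                # assumption
$AdminOU = 'OU=AdminAccounts,DC=corp,DC=example,DC=local'      # assumption
$GroupOU = 'OU=RoleGroups,DC=corp,DC=example,DC=local'         # assumption

# One security group per support tier, each with a meaningful description.
$Tiers = @{
    1 = @{ Group = 'ServiceDesk_Firstline';  Description = 'L1: reset/unlock/change password, read user attributes' }
    2 = @{ Group = 'ServiceDesk_Secondline'; Description = 'L2: L1 rights plus create users, edit groups, join/move computers' }
}

foreach ($t in $Tiers.Values) {
    if (-not (Get-ADGroup -Filter "Name -eq '$($t.Group)'")) {
        New-ADGroup -Name $t.Group -GroupScope Global -GroupCategory Security `
                    -Path $GroupOU -Description $t.Description
    }
}

# Constructed sample input: who does what, as gathered from the section managers.
$SupportStaff = @(
    [pscustomobject]@{ SamAccountName = 'jblack'; Tier = 1 }
    [pscustomobject]@{ SamAccountName = 'asmith'; Tier = 2 }
)

foreach ($s in $SupportStaff) {
    $user   = Get-ADUser -Identity $s.SamAccountName -Properties DisplayName
    $admSam = "adm$($s.SamAccountName)"          # jblack -> admjblack

    if (-not (Get-ADUser -Filter "SamAccountName -eq '$admSam'")) {
        # Random initial password; the user must change it at first logon.
        $bytes = New-Object byte[] 24
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $initial = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

        New-ADUser -Name $admSam -SamAccountName $admSam `
                   -UserPrincipalName "$admSam@$Domain" -Path $AdminOU `
                   -DisplayName "ADM $($user.DisplayName)" `
                   -Description "Admin account for $($user.SamAccountName) (L$($s.Tier))" `
                   -AccountPassword $initial -ChangePasswordAtLogon $true -Enabled $true
    }
    # Membership of the tier group is what carries the delegated rights; the
    # normal day-to-day account stays a plain user.
    Add-ADGroupMember -Identity $Tiers[$s.Tier].Group -Members $admSam
}
```

Run it first with `-WhatIf` appended to the New-* and Add-* calls to review what would be created before touching the directory.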
OK, so now that we've got that out of the way, let's get to the fun bit of actually configuring this.