I agree with your assessment of controlling which users are also some sort of
admin for the domain and where they use those powers. Along those lines, a
common security vulnerability is to log on to a domain computer to do work
that requires administrator privileges on that domain computer [non-DC] with
a user that is in the Domain Admins group. That is probably the number 1 way
to give away your domain.
Steve
"Anteaus"
news:1E94CA45-887B-46A6-8E52-827FB00CE830@microsoft.com...
>
> "Steven L Umbach" wrote:
>
>> While implementing the principle of least privilege is a noble goal I think
>> you might be overdoing it with that group of users. Most likely they are
>> all highly trained competent people very knowledgeable about computers and
>> people you already trust as they have access to very sensitive areas of
>> your network.
>>
>
> Agree, and the imposition of restrictions on sysops will be so frustrating
> that they will likely cease to do their jobs properly - which will further
> impact on security.
>
> I think if you want to improve security in the Administrative area, you
> could take a long hard look at the more vulnerable aspects of Windows'
> remote-admin schemes, for example the Remote Registry service, Terminal
> Services, and Administrative Shares (C$, etc.). If you don't need or use
> these you can give a significant boost to security by turning them off. If
> you later find you DO need them, it's easy enough to turn them back on.
>
> The other key point of course is that granting Domain Admin rights is a
> very different thing from granting local Administrator rights. Routine
> maintenance or helpdesk work should never be done under a Domain Admin
> account, as this exposes the entire network to any malware which might
> happen to be running on the faulty computer. Therefore, never use a Domain
> Admin logon anywhere other than at a known 'clean' computer, such as a
> server.
>
>
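Added example, not part of the original thread: one way to audit for the habit both posters warn about, Domain Admin accounts logging on to machines outside a known-clean set. It assumes logon records exported from Security-log event 4624 (successful logon) as CSV; the host names, account names, admin list and clean-host list are constructed for illustration.

```python
import csv
import io

# Constructed sample rows, shaped like an export of event 4624 fields.
SAMPLE_LOGONS = """host,account,logon_type
DC01,CORP\\da-steve,10
WKS-114,CORP\\da-steve,2
WKS-114,CORP\\jsmith,2
HELPDESK-07,CORP\\da-anna,10
HELPDESK-07,CORP\\svc-backup,5
WKS-230,corp\\DA-Anna,3
"""

# Assumed inputs: Domain Admins members and the hosts treated as 'clean'.
DOMAIN_ADMINS = {"corp\\da-steve", "corp\\da-anna"}
CLEAN_HOSTS = {"dc01"}

# 4624 logon types where the admin works in a session on that machine.
INTERACTIVE = {2: "interactive", 10: "remote interactive (RDP)",
               11: "cached interactive"}


def find_risky_logons(csv_text, domain_admins=DOMAIN_ADMINS,
                      clean_hosts=CLEAN_HOSTS):
    """Return Domain Admin logons seen on hosts outside the clean set."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Windows account and host names are case-insensitive.
        account = row["account"].strip().lower()
        host = row["host"].strip().lower()
        if account not in domain_admins or host in clean_hosts:
            continue
        logon_type = int(row["logon_type"])
        kind = INTERACTIVE.get(logon_type)
        findings.append({
            "host": row["host"],
            "account": row["account"],
            "logon_type": logon_type,
            # Interactive sessions are the case the thread describes;
            # other types are listed for manual review.
            "severity": "high" if kind else "review",
            "detail": kind or "non-interactive logon",
        })
    return findings


if __name__ == "__main__":
    for f in find_risky_logons(SAMPLE_LOGONS):
        print(f"{f['severity']:6} {f['account']} on {f['host']} ({f['detail']})")
```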