Security 101 Part 3 – Domain Admin Accounts

By July 22, 2019 July 24th, 2019 IT Security, Managed Service Provider

Part 3 in the series on basic IT security practices centers on the importance of your internal computer network. While we tend to think most threats come from the outside world, the truth is there are many ways security threats can slip past the hard exterior and end up right in the soft center of your network. Web-based malware, phishing email, and disgruntled employees are just a few of the threats that can take down your network. Let’s look at ways to make that soft center of your computer network just a little bit more secure.

IT Security: Firewalls, Active Directory Control, and Admin Level Privileges

Firewalls may be “king” when it comes to establishing a good perimeter defense, but your Active Directory server is the heart and soul of your network. The Active Directory server acts as a centralized management point for a vast number of system controls, including user accounts, security groups, and group policy objects, just to name a few. To keep things secure, we need to make sure that not just anyone has access to these controls. With this in mind, we should address a big issue on a lot of networks: admin-level privileges.

One of the most common issues with Active Directory security is administrator-level accounts. Domain Administrators not only have the power to see everything on the network, but also to make almost any changes they want. While many business owners think that they require this level of control, to be perfectly honest, they do not. Furthermore, by having this level of access they are actively putting their entire network at risk. Human Resources and C-level employees can easily be given all the access they need with the help of security groups and proper permission settings.

Who Should Get Domain Admin Control?

Domain Admin level accounts should always meet these four requirements:

  • They are unique to the user
  • They are not the user’s primary account
  • The user is fully trusted by the company
  • The user absolutely requires this access to fulfill their job duties

If these four conditions are not met, the user should instead be assigned to an appropriate security group, and that group should be given access to the required folders.
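One way to review current Domain Admins membership against the four requirements above, as an added example that is not part of the original article or Truewater's own tooling. It uses the ActiveDirectory PowerShell module (RSAT); the name pattern, the "has a mailbox" heuristic, and the 90-day threshold are assumptions to adjust for your environment, and the trust and job-duty requirements still need a human decision.

```powershell
# Added example: flag Domain Admins members that look shared, primary, or unused.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Assumption: generic or shared accounts start with one of these (constructed) prefixes.
$sharedNamePattern = '^(admin|administrator|svc|service|shared|helpdesk|temp|test)'
# Assumption: an admin account unused for this long is probably not required.
$staleAfterDays = 90

# Groups nested inside Domain Admins grant admin rights that are easy to overlook.
$nestedGroups = Get-ADGroupMember -Identity 'Domain Admins' |
    Where-Object { $_.objectClass -eq 'group' }

# -Recursive expands nested groups so every effective user member is reviewed.
$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName `
        -Properties mail, LastLogonDate, PasswordLastSet

    $findings = @()
    # Requirement: unique to the user (a generic name suggests a shared login).
    if ($u.SamAccountName -match $sharedNamePattern) { $findings += 'generic name, may be shared' }
    # Requirement: not the primary account (a mail address suggests daily use).
    if ($u.mail) { $findings += 'has mail address, likely a primary account' }
    # Requirement: access is actually needed (LastLogonDate can lag by about two weeks).
    if (-not $u.Enabled) { $findings += 'disabled but still a member' }
    elseif (-not $u.LastLogonDate) { $findings += 'never logged on' }
    elseif ($u.LastLogonDate -lt (Get-Date).AddDays(-$staleAfterDays)) {
        $findings += "no logon in $staleAfterDays days"
    }

    [pscustomobject]@{
        Account         = $u.SamAccountName
        Enabled         = $u.Enabled
        LastLogonDate   = $u.LastLogonDate
        PasswordLastSet = $u.PasswordLastSet
        Findings        = ($findings -join '; ')
    }
}

if ($nestedGroups) {
    Write-Warning ("Groups nested in Domain Admins: " + ($nestedGroups.Name -join ', '))
}
$report | Sort-Object Account | Format-Table -AutoSize -Wrap
```

Accounts with an empty Findings column still need to be checked against the remaining two requirements by whoever owns access decisions.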

Why Restrict Domain Admin Control?

Failure to control admin access can have devastating results. First, if someone falls prey to phishing or malware, the attacker now has every bit of access that the user’s account has.

Second, admins can access any file and can change permissions on folders. You don’t want just anyone being able to see Human Resources data, payroll data, or employees’ personal information, much less read everyone’s email.

Finally, one of the biggest threats of unchecked admin access is that the user can easily make mistakes that destroy the entire network. Not all security breaches are malicious. A single person clicking the wrong thing can open massive holes in your security.

For questions regarding IT Security, call the team at Truewater (713) 869-0001 Ext. 5

By: Joshua Lackey, Truewater Project Manager
