May 2012 IT Business Consulting Newsletter

Protect Your Admin Accounts

By Tom K

I mentioned the need to protect your Administrator accounts and control Administrator access to your systems in my March 2012 newsletter "Departing Employees".

You have Admin/Administrator accounts littered throughout your IT environment. Your Domain has one, all of your servers have them, your routers and firewalls have them, and even your PCs have them.

In this month’s newsletter I discuss why and how we need to control the use of these accounts and the resultant administrative access to your environment.


Domain Administrator

The most important (the one having most control) is the Windows Active Directory Domain Administrator. This account has full control over your entire Windows Domain and Servers.

This account was created when the Domain was created. These core Administrator/Admin account credentials are used in multiple instances tucked deep within the servers. If you ever have to change the Administrator/Admin password, finding and updating all the associated instances can be a challenge.

No staff, therefore, should have knowledge of core Server and Network (Domain) Administrator account passwords unless absolutely necessary. Anyone requiring administrative level access to your servers and Active Directory should have their user account rights elevated by making that user a member of the appropriate administrative group(s). The user continues to log in as himself (not as Administrator), but has all the administrative rights he needs as his user ID was granted those rights.

The benefits of this include being able to provide more granular control over individual users’ administrative rights, the ability to easily remove specific (or all) rights from a particular user, and the ability to audit administrative activity per user ID.

Even when users are privy to the Administrator credentials, those users should log in as themselves rather than as Administrator.

Note that the Domain Admin password, along with all Admin level passwords, should use a “secure” password. This includes passwords for all user accounts that have been granted Admin rights. See my November 2011 article, “Secure Passwords” for details concerning creating secure passwords.


Server Administrator

If you have a Domain (and most of you do), the Domain Admin (and any user granted Domain Admin rights) has control over each server as soon as it is joined to the Domain. Each server does get a local Server Admin account when it is built, but this account is rarely if ever used while the server is in production. We typically use one secure password for all the individual local Server Administrator accounts in the environment, but we use a password very different from the Domain Admin account.


PC Administrator

This is similar in principle to the Server Administrator. The Domain Admin has control as soon as the PC is joined to the Domain and the PC Admin account is rarely used unless the PC becomes severely damaged. As with Server Admin, we use one local PC Administrator password for all the PCs, different from the Domain Admin password and different from the Server Admin password.


Firewall Administrator

There are usually only one or two individuals that will access this device, and the password is easily changed, so we tend to allow the use of the default Admin account with a unique secure password.


Infrastructure Components Administrator

As with firewalls, only one or two staff in a medium sized business will access these devices, which include your Ethernet switches and any routers you may have. Again, the password is easily changed, so we tend to allow the use of the default Admin account with a single secure password used on all the switches and routers.


If you have any questions or comments concerning this article, or would like assistance managing your environment’s passwords, I’d be happy to discuss this with you at your convenience. Feel free to contact me at TomK@TomKConsulting.com, or via my cell 443.310.5110.


Next month (See "Improved Internet Reliability") I’ll discuss some twists on Redundant Internet Connections, as initially described way back in my April 2009 article, “Improve the Reliability and Speed of your Business Internet Connection”.