Level-of-Privilege Considerations in Delegating Service Management
Updated: December 5, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Closely associated with the concept of delegating administration is the implicit notion that since delegation involves authorizing a lesser privileged administrator the ability to carry out a specific set of administrative tasks, it is usually fair to assume that the nature, scope and impact of a delegated administrative task is less security-sensitive and cannot be used to elevate privilege to the same level as that of the administrator delegating the task.
While this notion is generally true, it does not hold for delegation of service management. Service management involves providing administrative coverage to help ensure security and reliability in the delivery of the Active Directory directory service. Thus, by its very nature, it is fair to assume that most administrative tasks involved in promoting security and reliability can and usually do have a significant impact on the security worthiness and the availability of the directory service.
While some administrative tasks are extremely security-sensitive and can have a forest-wide impact, thus requiring highly elevated privileges, most administrative tasks do not require such high levels of privilege. The administrative tasks that do require elevated levels of privilege should only be entrusted to the most highly trustworthy and skilled set of administrators. While most service management administrative tasks do not require elevated levels of privilege, they do require more privileges than those required for data management tasks and they need to be assigned to sufficiently trustworthy personnel.
The level of skill and trust required of these administrators represents a significant cost to the organization. To minimize the total cost of operation and increase the security worthiness of an Active Directory environment, the number of these most highly trustworthy and skilled set of administrators should be minimized by delegating responsibility for relatively less security-sensitive service management administrative tasks to relatively less highly trusted and skilled administrators.
Additionally, since malicious or inadvertent, careless use of needlessly broad administrative credentials can result in irreversible damage, such as accidental deletion of data, inadvertent assignment of wrong values to sensitive data, and inappropriate configuration of essential services, it makes sense to grant service administrators only the level of administrative authority that is required to carry out the set of administrative tasks assigned and none other. For instance, by default Domain Administrators and Enterprise Administrators are sufficiently privileged to carry out just about every service administration task in Active Directory. A majority of these tasks do not require such high-levels of privilege and can be delegated to lesser-privileged administrators so as to minimize the set of highly trusted and privileged administrators and minimize the chance of inadvertent or malicious use of such high and sweeping levels of privilege.
Finally, delegation can be used to achieve a clear separation of assigned responsibilities, thereby making service management more tractable, and increasing accountability and the security worthiness of an Active Directory environment.
For example, assigning responsibility for all aspects of forest-wide replication (but only forest-wide replication) to a specific administrative group not only ensures that a critical aspect of service has been provided administrative coverage, but also increases accountability and helps ensure service delivery. For example, in the event of a replication issue, there is a clearly identifiable set of administrators to which the issue can be escalated, The same set of administrators can be held accountable should there be suspicion that a replication related administrative task was carried out with malicious intent.
For all these reasons, while delegation of service management does not necessarily lead to lesser-privileged delegated administrators, it does make an Active Directory environment measurably more secure and helps reduce the total cost involved in managing the directory service while continuing to ensure the highest levels of security and availability of service.
Note that it is critical and imperative to understand that each and every service administrator should be equally and highly trusted. Every single service administrator is sufficiently privileged to adversely impact the security and reliability of the delivery of the directory service and can consequently adversely impact the data stored in or protected by Active Directory. The importance of ensuring that all service administrators meet the highest bar of trust cannot be overstated.