Recommendations: Establishing Secure Administrative Practices

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2

The following lists summarize the recommendations in this chapter for establishing secure administrative practices.

Recommendations for Establishing Secure Service Administration Practices

Recommendations for enhancing the security of your service administrator user and group accounts are:

  • Securing Service Administrator Accounts

    • Limit the exposure of service administrator accounts.

    • Manage service administrators in a controlled OU subtree.

    • Protect service administrator accounts by hiding membership of service administrator groups.

    • Manage group membership for service administrator accounts by assigning trustworthy personnel from within the forest, assigning Schema Admins temporarily, and restricting the rights of the Backup Operators and Account Operators groups.

    • Control administrative logons by requiring smart cards and sharing logons for sensitive accounts.

  • Securing Service Administrator Workstations

    • Restrict service administrator logon to administrative workstations.

    • Prohibit the use of cached credentials in unlocking administrative workstations.

    • Avoid running applications in administrative contexts.

    • Run antivirus software on administrative workstations.

    • Secure LDAP traffic between administrative workstations and domain controllers.

  • Avoiding the Delegation of Security-Sensitive Operations

    • Do not delegate the forest-level operations that are described in Table 41.

    • Do not delegate the domain-level operations that are described in Table 42.
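The two workstation recommendations about cached credentials and unlock behaviour map to a pair of Winlogon policy values. The following PowerShell audit is an added example, not part of the original chapter: it reads "Interactive logon: Number of previous logons to cache" (CachedLogonsCount) and "Interactive logon: Require Domain Controller authentication to unlock workstation" (ForceUnlockLogon) from the local registry and reports whether an administrative workstation matches the recommendation. It assumes it is run with local administrator rights on the workstation being checked; the expected values (0 cached logons, unlock forced through a domain controller) are the assumed target state.

```powershell
# Added example (not from the original page): audit the Winlogon policy values
# behind "prohibit the use of cached credentials in unlocking administrative workstations".
# Assumes local administrator rights on the workstation being checked.

$key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$props = Get-ItemProperty -Path $key

# "Interactive logon: Number of previous logons to cache" is stored as REG_SZ;
# 0 means no domain credentials are cached for offline or unlock use.
$cachedLogons = [int]($props.CachedLogonsCount)

# "Interactive logon: Require Domain Controller authentication to unlock workstation";
# a missing value is treated as 0 (disabled), which is the default.
$forceUnlock  = [int]($props.ForceUnlockLogon)

$findings = @()
if ($cachedLogons -ne 0) {
    $findings += "CachedLogonsCount is $cachedLogons; expected 0 on an administrative workstation"
}
if ($forceUnlock -ne 1) {
    $findings += "ForceUnlockLogon is $forceUnlock; expected 1 so unlock is authenticated by a domain controller"
}

if ($findings.Count -eq 0) {
    Write-Output "PASS: cached logons disabled and unlock requires domain controller authentication"
} else {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
}
```

Both values are normally set through Group Policy (Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options) rather than edited directly; the script only reads the resulting state so it can be run repeatedly as a compliance check.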

Recommendations for Establishing Secure Data Administration Practices

Recommendations for enhancing the security of your data administration practices are:

  • Delegating Data Management

    • Only allow trusted individuals to create and apply Group Policy.

    • Understand the ramifications of Creator Owner.

    • Ensure that service administrators own directory partition root objects.

    • Avoid group membership conflicts by not delegating control of the same groups to multiple administrators.

  • Setting Object Ownership Quotas

    • Set quotas on directory partitions to limit object ownership.

  • Establishing Other Secure Practices for Delegating Administration

    • Avoid use of the Dnprotect tool.

    • Avoid use of domain local groups for controlling Read access to global catalog data.
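The quota recommendation above is implemented with the directory service command-line tools that ship with Windows Server 2003 and later. The following is an added example, not part of the original chapter: it creates a quota specification that caps how many objects a delegated group may own in a directory partition, then lists the quotas defined on that partition for review. The partition DN, the delegated principal and the limit of 500 are placeholder assumptions; substitute your own values.

```powershell
# Added example (not from the original page): cap object ownership for a delegated
# principal with dsadd quota, then review the quotas on the partition.
# The partition DN, principal and limit below are placeholders, not real values.

$partition = 'DC=example,DC=com'          # directory partition to protect (placeholder)
$principal = 'EXAMPLE\DelegatedOUAdmins'  # delegated group that will own objects (placeholder)
$limit     = 500                          # maximum number of objects this principal may own

# Create the quota specification; it is stored under CN=NTDS Quotas in the partition.
dsadd quota -part $partition -acct $principal -qlimit $limit `
    -desc "Cap on objects owned by delegated OU administrators"

# List every quota specification in the partition with its account and limit,
# so the delegation can be audited after the change.
dsquery quota $partition | dsget quota -acct -qlimit
```

Service administrators (members of Domain Admins and Enterprise Admins) are exempt from quotas by design, which is why the chapter pairs this control with the recommendation that service administrators, not delegated data administrators, own the partition root objects.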