Planning Security for RIS Administrative Tasks

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To secure RIS administrative tasks, you need to decide whether you are planning to delegate tasks and then consider the best way to accomplish this securely. Also, you need to seriously consider securing the use of administrator credentials when performing administrative tasks.

For security reasons, when Windows XP Professional Service Pack 1 (SP1) or Windows Server 2003 is installed from the RIS server, the Administrator account is disabled as soon as the client computer is joined to the domain. Also, the Domain Admins group is added to the local computer when it is joined to a domain. If you want to prevent the Administrator account from being disabled when the client computer is joined to a domain, remove the entry DisableAdminAccountOnDomainJoin from the .sif file for that RISetup image.
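The following Python check is an added example, not part of the original documentation. It reads the text of each image's .sif answer file and lists the images where the DisableAdminAccountOnDomainJoin entry has been removed or commented out, so that the local Administrator account would stay enabled after domain join. The image names and file contents are constructed samples.

```python
import re

# Entry name taken from the page; .sif keys are compared case-insensitively.
ENTRY = "disableadminaccountondomainjoin"

# Constructed sample answer files keyed by a hypothetical image path.
SAMPLE_IMAGES = {
    "winxp.pro/ristndrd.sif": """[data]
floppyless = "1"
DisableAdminAccountOnDomainJoin = 1

[RemoteInstall]
Repartition = Yes
""",
    "win2003.srv/custom.sif": """[data]
floppyless = "1"
;DisableAdminAccountOnDomainJoin = 1
""",
}

def find_entry(sif_text, entry=ENTRY):
    """Return (section, value) for the first active occurrence of entry, else None."""
    section = None
    for raw in sif_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment; a commented-out entry is inactive
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip()
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == entry:
            return section, value.strip().strip('"')
    return None

def images_missing_entry(images):
    """Names of images whose .sif no longer carries the entry."""
    return sorted(name for name, text in images.items() if find_entry(text) is None)

if __name__ == "__main__":
    for name in images_missing_entry(SAMPLE_IMAGES):
        print("Administrator account will stay enabled after domain join:", name)
```

To run it against real images, build the dictionary from the .sif files found under the RIS server's image folders instead of the constructed samples.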

Assessing Delegation of RIS Administrative Tasks

If you plan to delegate any RIS administrative tasks, you need to decide how to do this while maintaining security in your network. The best way to delegate RIS administrative tasks is to use existing security groups or define new ones for which you configure the appropriate permissions to perform specific RIS administrative tasks. This allows you to delegate tasks such as managing client installation images, managing prestaged computer accounts, and authorizing and configuring RIS servers.

For example, to install a RIS server and authorize it to Active Directory, the installer must be a member of the Enterprise Admins group. Others, who are responsible for configuring RIS servers and creating installation images, can have user accounts in Enterprise Admins or in another administrative group such as Domain Admins. This ensures they can perform all RIS configuration tasks.

If you have people in your organization who manage accounts and permissions, but do not configure RIS servers or create client installation images, you might make them members of the Account Operators group. You can then grant them folder permissions on the RIS server to perform their management tasks, rather than making them members of the Domain Admins or Enterprise Admins groups. This approach conforms to the best practices principle of granting permissions only where needed.

To set up a new security group for RIS tasks, create an administrative group in Active Directory, add qualified administrative personnel to the group, and then designate the appropriate permissions for RIS tasks. You can set permissions on the RIS server computer account object in Active Directory using the Remote Install tab in your RIS server Properties.

For more information about permission requirements for RIS tasks, see "Set permissions for administrators who manage client installation images for RIS" in Help and Support Center for Windows Server 2003.

For this part of your security planning process, use the "RIS Administrative Task Security" section of job aid "Planning RIS Server Security" (ACIRIS_05.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Planning RIS Server Security" on the Web at https://www.microsoft.com/reskit) to record whether you want to delegate RIS administrative tasks and whether you want to use new or existing security groups. You can also specify the personnel to which you delegate the tasks.

Assessing Security for RIS Administrative Tasks

To minimize security risks, consider not logging on to your computer with administrative credentials to perform RIS administrative tasks. Instead, you and other RIS administrators can log on with a domain user account and use the Run as command to accomplish your administrative tasks. For this reason, consider creating alternate user accounts for all your RIS administrators. In addition, strongly consider training all your RIS administrators in the use of the Run as command, so they can perform RIS administrative tasks securely.

Run as enables you to run various programs and wizards under your administrator account and security context while you are logged on with a different account, such as that of a domain user. This allows you to expose your administrative context only for the specific program you are running and only for the duration of program execution. For more information about the security risks associated with logging on to the network as an administrator, see "Groups and Default Security Settings" in Help and Support Center for Windows Server 2003.

Note

  • As a domain administrator, you should seriously consider using Run as to accomplish administrative tasks securely. For example, if you run your computer with domain administrator credentials, your Active Directory domain and forest are susceptible to Trojan horses and other attacks that target the logon sequence.

You can access the Run as command by using the command line or the user interface:

  • User interface. In the Windows user interface, you can right-click the executable program (.exe), Control Panel (.cpl) item, or MMC (.msc) console you want to run, then select Run as and provide a user account and password.

  • Command-line. You can use the runas command to provide the same capabilities as the "Run as" command in the user interface. For runas usage instructions, type the following syntax at the command line (cmd.exe):

    runas /?

For this part of your security planning process, use the "RIS Administrative Task Security" section of job aid "Planning RIS Server Security" (ACIRIS_05.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Planning RIS Server Security" on the Web at https://www.microsoft.com/reskit) to record whether you want to:

  • Use Run as to secure administrative tasks.

  • Create alternate domain user accounts or a special group account for RIS Administrators who will use the Run as command.

  • Train RIS administrators in the use of "Run as."