IT Security: Firewalls, Active Directory Control, and Admin Level Privileges

What is Active Directory?

Firewalls may be “king” when it comes to establishing a good perimeter defense, but your Active Directory server is the heart and soul of your networking system. The Active Directory server acts as a centralized management point for a vast number of system controls.

Active Directory controls include user accounts, security groups, and group policy objects, just to name a few. To keep things nice and secure, we need to make sure that not just anyone has access to these controls. With this in mind, we should address a big issue on a lot of networks: admin-level privileges.

Administrator Privileges and Risk Management

One of the most common issues with Active Directory security is administrator-level accounts. Domain Administrators not only have the power to see everything on the network, but also to make almost any changes they want.

Many business owners will think that they require this level of control. However, to be perfectly honest, they do not. Furthermore, by having this level of access, they are actively risking their entire network. Human Resources and C-level employees can easily be given all the access they need with the help of security groups and proper permission settings.

Who Should Get Domain Admin Control?

Domain Admin level accounts should always meet these four requirements:

  • They are unique to the user
  • They are not the user’s primary account
  • The user is fully trusted by the company
  • The user absolutely requires this access to fulfill their job duties

If these four conditions are not met, the user should be assigned to an appropriate security group, and that group should be given access to the required folder.
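The first two requirements can be partly checked by script; the last two remain a human judgment. The PowerShell below is an added example, not part of the original article. Its heuristics are assumptions: a Domain Admin account with a mailbox is treated as a probable primary account, and an account whose name matches a generic pattern is treated as shared. The function name, the name patterns, and the sample records are made up for illustration.

```powershell
# Added example: audit Domain Admins members against the two checkable requirements.
# Assumed heuristics (not from the article):
#   - 'mail' attribute set      -> probably the person's primary (daily-use) account
#   - generic-looking name      -> probably shared, not unique to one person
function Test-DomainAdminAccount {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Account,
        # Hypothetical patterns; adjust to your naming convention.
        # '^admin' also matches the built-in Administrator account.
        [string[]] $SharedNamePattern = @('^admin', '^shared', '^helpdesk')
    )
    process {
        $findings = @()
        foreach ($pattern in $SharedNamePattern) {
            if ($Account.SamAccountName -match $pattern) {
                $findings += 'name looks shared, not unique to one person'
                break
            }
        }
        if ($Account.mail) {
            $findings += 'has a mailbox, so it is probably a primary account'
        }
        [pscustomobject]@{
            SamAccountName = $Account.SamAccountName
            Compliant      = ($findings.Count -eq 0)
            Findings       = $findings -join '; '
        }
    }
}

# Constructed sample records shaped like Get-ADUser output, so this runs without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jsmith';    mail = 'jsmith@example.com' }
    [pscustomobject]@{ SamAccountName = 'jsmith-da'; mail = $null }
    [pscustomobject]@{ SamAccountName = 'admin';     mail = $null }
)
$sample | Test-DomainAdminAccount | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module from RSAT):
# Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
#     Where-Object objectClass -eq 'user' |
#     Get-ADUser -Properties mail |
#     Test-DomainAdminAccount
```

In the sample, only jsmith-da comes back compliant: it is a separate, named admin account with no mailbox.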

Why Restrict Domain Admin Control?

Failure to control admin access can have devastating results. First, if someone falls prey to phishing or malware, the attacker now has every bit of access that the user’s account has.

Second, admins can access any file and change folder-level permissions. You don’t want just anyone being able to see Human Resources data, payroll data, or employees’ personal information, much less read everyone’s email.

Finally, one of the biggest threats of unchecked admin access is that the user can easily make mistakes that destroy the entire network. Not all security breaches are malicious. A single person clicking the wrong thing can open massive holes in your security.

For questions regarding IT Security, call the team at ACCi at 205-987-8711. We are here to help!