IT Security: Firewalls, Active Directory Control, and Admin Level Privileges
Firewalls may be “king” when it comes to establishing a good perimeter defense, but Your Active Directory server is the heart and soul of your networking system. The Active Directory server acts as a centralized management point for a vast number of system controls. Some of these controls include user accounts, security groups, and group policy objects just to name a few. In order to keep things nice and secure, we need to make sure that not just anyone has access to these controls. With this in mind, we should address a big issue with a lot of the networks: admin level privileges.
One of the most common issues with Active Directory security are administrator level accounts. Domain Administrators not only have the power to see everything on the network, but also to make almost any changes they want. While many business owners will think that they require this level of control, to be perfectly honest, they do not. Furthermore, by having this level of access they are actively risking their entire network. Human Resources and C-level employees can easily be given all the access they need with the help of security groups and proper permission settings.
Who Should Get Domain Admin Control?
Domain Admin level accounts should always meet these four requirements:
- They are unique to the user
- They are not the user’s primary account
- The user is fully trusted by the company
- The user absolutely requires this access to fulfill their job duties
If these four conditions are not met, the user should be assigned to an appropriate security group and the group access is given to the required folder.
Why Restrict Domain Admin Control?
Failure to control admin access can have devastating results. First, if someone falls prey to phishing or other malware, the attacker now has every bit of access that the user’s account has.
Second, admins can access any file. They can change permissions on folders. You don’t want just anyone being able to see Human Resources data, payroll data, or employee’s personal information; much less reading everyone’s email.
Finally, one of the biggest threats of unchecked admin access is that the user can easily make mistakes that destroy the entire network. Not all security breaches are malicious. A single person clicking the wrong thing can open massive holes in your security.
For questions regarding IT Security, call the team at ACCi 205-987-8711. We are here to help!