How do you do Escalation?
-
In a Windows AD environment where you have a larger group of people who are administrators, what is the best practice for handling privilege escalation? If you put everyone who would need to be an administrator in the Administrators group, then you expose more of a threat to email and browser attacks because they are running as Domain Admin for daily tasks. If you lock them down to just users, then give them a single Administrator credential everyone knows the password to for escalating when needed, you give them anonymity within the network and lose personal logging. The only other way would be to give each power user 2 accounts: 1 user and 1 admin, but that doesn't seem like the best answer either. What is the norm out in the business world?
-
@s-hackleman I have a user account and an admin account.
-
Always two accounts, same as with UNIX. The two account system has always been the best practice.
-
Delegate privileges is another best practice too.
-
My standard login for work can't log in to servers.
I have a Domain Admin account using a fake name for administration.
Some people use a convention like momurda-admin for the account name.
I just use a real-sounding fake name like Harry Smith.
-
My normal account isn't an admin, I always have two accounts for myself.
-
So 2 accounts it is. I have always been in environments where there were only 1-2 admins so I wasn't sure. Thanks guys.
-
@s-hackleman said in How do you do Escalation?:
So 2 accounts it is. I have always been in environments where there were only 1-2 admins so I wasn't sure. Thanks guys.
Makes it easier to track and limit as well.
-
I use Tower. I can't do elevated commands on a machine directly, and can't directly log into a server at all. There is a CM user and everything that is run is also logged in Tower.
-
@s-hackleman said in How do you do Escalation?:
So 2 accounts it is. I have always been in environments where there were only 1-2 admins so I wasn't sure. Thanks guys.
Also look into JEA. Better for larger groups. (in addition to two accounts)
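As an added example (not from any poster in this thread): a minimal JEA endpoint that lets a delegated group check and restart an allow-listed set of services under a transient virtual account, with a transcript per connecting user, which addresses the shared-credential anonymity and lost-logging concern from the original question. The group name CONTOSO\ServerOps, the module path, the transcript directory and the two service names are assumptions.

```powershell
# Added example: a minimal Just Enough Administration (JEA) endpoint.
# Assumptions (not from the thread): delegated group CONTOSO\ServerOps,
# module folder under the default module path, transcripts in C:\JEA-Transcripts,
# and the only allowed actions are Get-Service plus Restart-Service on two services.
# Run in an elevated PowerShell session on the server that will host the endpoint.

$moduleRoot = 'C:\Program Files\WindowsPowerShell\Modules\JEA-ServerOps'
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'   # JEA discovers .psrc files here
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
New-Item -ItemType Directory -Path 'C:\JEA-Transcripts' -Force | Out-Null
# The RoleCapabilities folder must sit inside a valid module, so give it a manifest.
New-ModuleManifest -Path (Join-Path $moduleRoot 'JEA-ServerOps.psd1')

# Role capability: the only cmdlets this role can see. Restart-Service is further
# constrained to an explicit allow-list of service names via ValidateSet.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'ServerOps.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W3SVC' } }
    )

# Session configuration: restricted endpoint, commands run as a virtual account
# (no shared admin password to hand out), and every session is transcribed under
# the connecting user's own identity, so actions stay attributable per person.
$pssc = Join-Path $moduleRoot 'JEA-ServerOps.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEA-Transcripts' `
    -RoleDefinitions @{ 'CONTOSO\ServerOps' = @{ RoleCapabilities = 'ServerOps' } }

# Validate the file before publishing the endpoint.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "Invalid session configuration file: $pssc" }
Register-PSSessionConfiguration -Name 'JEA-ServerOps' -Path $pssc -Force | Out-Null

# A member of CONTOSO\ServerOps then connects with their ordinary (non-admin)
# account and can only run the allow-listed commands, for example:
#   Enter-PSSession -ComputerName <server> -ConfigurationName JEA-ServerOps
#   Restart-Service -Name Spooler
# A service outside the ValidateSet, or any cmdlet not listed in the role, is rejected.
```

Each session leaves a transcript in C:\JEA-Transcripts that records the connecting user, the virtual account used and every command run, which is the per-person audit trail a single shared admin credential cannot give you.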