Ce site est optimisé pour être consulté depuis un navigateur moderne dans lequel JavaScript est activé.

Est-il recommandé d'avoir un identifiant de connexion séparé pour les admins de domaine ?

ayi

I typically like to set up separate logins for myself, one avec regular user permissions, et a separate one for administrative tasks. Par exemple, si le domain was XXXX, J'aimerais set up a XXXX\bpeikes et a XXXX\adminbp account. J'ai toujours done it parce que frankly Je ne trust myself to be logged in as an adminstrator, mais in chaque place that J'ai worked, le system administrators seem to juste add leur usual accounts to le Domain Admins group.

Are there tout best practices? J'ai seen an article depuis MS qui does appear to say that you should use Run As, et pas login as an admin, mais they ne give an example of an implementation et J'ai jamais seen anyone else do it.

ayi

"Best Practice" typically dictates LPU (least privileged user)...but you are correct (as is ETL et Joe so +1) that people rarely follow this model.

Most recommendations are to do as you say...create 2 accounts et pas share those accounts avec others. One account ne devrait pas have admin rights on even le local workstation you are using in theory, mais again who follows that rule, especially avec UAC these days (which in theory should be enabled).

Il y a multiple factors in why you want to go this route though. Vous avez to factor security, convenience, corp policy, regulatory restrictions (if any), risk, etc.

Keeping le Domain Admins et Administrators domain level groups nice et clean avec minimal accounts is toujours a good idea. But ne simply share common domain admin accounts si you can avoid it. Otherwise il y a a risk of someone doing something et alors finger pointing entre sysadmins of "it n'était pas me that used that account". Better to have individual accounts ou use something like CyberArk EPA to audit it correctly.

Also on these lines, votre Schema Admins group should toujours be EMPTY sauf si you are making a change to le schema et alors you put le account in, make le change, et supprimez le account. The même could be said for Enterprise Admins especially in a single domain model.

Vous devriez aussi NOT allow privileged accounts to VPN into le network. Use a normal account et alors elevate as requis once inside.

Finally, you should use SCOM ou Netwrix ou certains autre method for auditing tout privileged group et notify le approprié group in IT whenever tout of these group's members have changed. Cela va give you a heads up to say "wait a minute, why is so et so suddenly a Domain Admin?" etc.

At le end of le day il y a a reason c'est called "Best Practice" et pas "Only Practice"...there are acceptable choices made by IT groups based on leur own needs et philosophies on this. Some (like Joe said) are simply lazy...while others simply ne care parce que they ne sont pas interested in plugging one security hole quand there are hundreds déjà et daily fires to fight. Cependant, now that you've read tous of this, consider yourself one of le ones that will fight le good fight et do what you can to keep things secure. 🙂

References:

http://www.microsoft.com/en-us/download/details.aspx?id=4868

http://technet.microsoft.com/en-us/library/cc700846.aspx

http://technet.microsoft.com/en-us/library/bb456992.aspx