Wednesday, April 18, 2007

Least privileges

WARNING: Geek goggles on.

Been dropped into a project at work to find a web-based Active Directory management tool that would allow one of the teams here to modify the attributes of people's accounts (change passwords, group memberships, etc.) without needing domain administrator access to do so.

I am a FIRM believer in people operating on a work network with the least privileges they need to do their job. This includes not dishing out local administrator access to anyone/everyone... on the whole, few people need local admin to perform their day-to-day jobs (and then they mostly only need it because of poorly written software). So this is right up my alley. It's a difficult thing to introduce to an existing network, as often a lot of people have more access than they need, hangover local admin access, or even domain admin access where it isn't really required. Consequently, when this is implemented you get anything from (at bare minimum) a lot of complaints to, at the other extreme, a lot of resistance because (for some intangible reason) "I need that access".

I've struggled through these situations before. No matter how much education, no matter how much reasoning, no matter how much telling it straight, people take it as a personal affront and interpret it as a lack of trust when you want to pare down their access to least privilege. From my perspective, in doing this am I suggesting that the person(s) in question cannot do their job? Far from it. The basic underlying principle for employing this methodology is SECURITY (particularly in relation to people having local and domain admin access).

At a local machine level, having local admin privileges allows you to install software. This can be good in terms of "I want to install my home printer on my laptop so I can print out there" or "I want to install my digital camera software to get photos off", but you have to be careful. What is the policy of the company with regard to such software? What is the impact on the local machine if such software is installed? Many might think there is little effect on your machine if such software is installed, but it can cause chaos for that machine (the number of times I have had to reimage machines because of incorrectly installed/'failed at install' software... I tell you what...), rendering it unusable and unsupportable in its current state. Additionally, if that person's account is compromised and/or a virus is released on their laptop and they have local admin access to their machine, the damage can be significant - not only to their machine, but to the network (as the payload can often use/implement services on the machine which can allow it access to the wider network).

Having domain administrator access is the same, but at a much bigger scale. In layman's terms, anyone who knows the domain administrator password or has domain administrator access is effectively 'god' on that network. They can DO anything, SEE anything, CHANGE anything, DELETE anything... and, as you'd expect, this can lead to complete disaster. I have heard of situations where "someone changed something thinking it wouldn't hurt" that led to a nasty, almost complete restore/rebuild of the network/server. People who play on servers should only have the privilege to change what they need to change, do what they need to do. Anything more than that is open to disaster - again it is not a trust issue, rather a competency one. As a wise man once told me - "If you employ people, you inherently trust them. It's up to them to prove their competency. If you don't trust them then you have a whole other issue to deal with."

Guide junior technical people into a position of competency through supervised tasks to ensure you are confident they can do what they need to do if they are getting greater access. NEVER work on a day-to-day basis with domain administrator privileges on your "normal" account. Conveniently there ARE ways to set up every person who needs access with the specific access they require, rather than just giving them carte blanche at your precious servers and network. On a day-to-day basis, no matter what size your enterprise (5 people or 5,000 people), there is no reason more than 6 people should have domain administrator access or know the domain administrator password. It just opens a security hole into your organisation that is difficult to plug after the fact. And, let's face it, you don't want to be explaining this concept to your employer AFTER somebody has screwed up your network and caused significant downtime or compromised sensitive data - that might be the last conversation you have with that employer...
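One concrete way of granting "the specific access they require" for the password/group-membership case the project above is about, added here as an example (not from the original post): a PowerShell script using the ActiveDirectory module that delegates only password reset and group-membership editing on one OU to a helpdesk group, so nobody on that team needs Domain Admins. The domain, OU and group names are assumptions, and the script assumes a domain controller recent enough to ship the module and the AD: drive.

```powershell
# Added example, not from the post: delegate password reset and group-membership
# editing on one OU to a helpdesk group so that team never needs Domain Admins.
# Assumed names: domain example.com, OU=Staff, group Helpdesk. Run it once from an
# account allowed to edit the OU's security descriptor, not your day-to-day account.
Import-Module ActiveDirectory
$OuDn     = 'OU=Staff,DC=example,DC=com'   # assumed scope of the delegation
$Delegate = Get-ADGroup 'Helpdesk'          # assumed delegated group
$RootDse  = Get-ADRootDSE

# Resolve schema and extended-right GUIDs by name rather than hard-coding them.
function Get-SchemaGuid([string]$LdapName) {
    $o = Get-ADObject -SearchBase $RootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-RightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}
$UserClass  = Get-SchemaGuid 'user'
$GroupClass = Get-SchemaGuid 'group'
$MemberAttr = Get-SchemaGuid 'member'
$PwdLastSet = Get-SchemaGuid 'pwdLastSet'
$ResetPwd   = Get-RightGuid  'Reset Password'

$Rights  = [System.DirectoryServices.ActiveDirectoryRights]
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$Rules = @(
    # "Reset Password" extended right on user objects below the OU
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Delegate.SID, $Rights::ExtendedRight, $Allow, $ResetPwd, $Inherit, $UserClass)
    # read/write pwdLastSet so "must change password at next logon" can follow a reset
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Delegate.SID, ($Rights::ReadProperty -bor $Rights::WriteProperty), $Allow, $PwdLastSet, $Inherit, $UserClass)
    # write the member attribute of group objects below the OU
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Delegate.SID, $Rights::WriteProperty, $Allow, $MemberAttr, $Inherit, $GroupClass)
)
$Acl = Get-Acl -Path "AD:\$OuDn"
foreach ($r in $Rules) { $Acl.AddAccessRule($r) }
Set-Acl -Path "AD:\$OuDn" -AclObject $Acl

# Verify: the helpdesk group should hold exactly these three entries and nothing more.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference -like "*\$($Delegate.Name)" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType
```

The web front end the post is looking for then only has to run as a member of that group; the rights are scoped to one OU and three operations, and the verification query at the end is what you re-run when someone asks for "a bit more" access.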

So - next time your 'network nazi' suggests that maybe you don't need that higher level access and that there are ways around it so that you can still get to the data/access the functions you need... trust them. They are just trying to keep the company secure and, ultimately, you in a job.

OK... there, I've ranted... Geek goggles off again now...

Comments

1. Dave said...

arrr, ahoy! I hear you! I always found rights changes work best during a new environment rollout. Then they need a business case :)

I'm personally glad with the decision M.S. made to have normal user accounts now instead of "administrator" by default. It makes users used to the concept at home and at work, rather than saying "but it works at home..."

I know I'm naughty at home, logging in with an admin account, and doing stuff on my server as root :(

2. themolk said...

Yes, you root head. I saw your post about init0, and thought to myself "self, Dave is dicing with dangerous territory".

See how I think but never speak in alliteration...

3. Dave said...

It's a good thing! In X users can shut down, but from a terminal they can't :)
