Administrator accounts have tremendous power.  Beyond server and domain administrators, we must consider service accounts, workstation local administrators, and network appliance administrator accounts.  A full, accurate, and current inventory of these accounts, who has access to them, and that they match the roles enabled is critical.  Auditing and logging are essential.  Avoiding generic administrator accounts is crucial.  Implementing control over administrator accounts must have management support but can create a political firestorm.  Use groups to assign privileges and audit these delegations regularly.  Engage change management before making elevated account changes.  Used incorrectly or maliciously, administrator accounts can have catastrophic consequences.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s