Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Administrator Permissions - Best Practice

Status
Not open for further replies.
mmorgensen

mmorgensen

MIS
Jun 26, 2002
58
0
0
US
I have a 'best practice' question.

Should an network administrator / MIS Staff on a large network be assigned a day-to-day account with a permission set of a regular user, and a second account with administrator permissions?

So day-to-day I use 'mmorgensen' but when I need to do admin functions I issue a run-as or login with 'mmorgensen-admin'.

Thanks!!

 
Sort by date Sort by votes
Sounds like extra work to me. What would be the purpose of having an account with fewer privileges when you have access to an account with admin privileges? From a security standpoint that would make no sense. In terms of security I think it would be better to create an account and customize the permissions to grant exactly what permissions are needed to get the job done.

- Zoe, that's ZOH-EEE, get it right please
- Just a little ol' MCP at Solien Technology
-
 
Upvote 0 Downvote
I disagree I believe its a very good practice.

The adminstrator account should be used to administer the network, for general usage (ie. writing word docs, reading/writing emails) use a standard account.

Accidently catching a virus, running a trojan, accidental clicking can be very dangerous on a administrator account.





 
Upvote 0 Downvote
Good point, I was thinking from an end-user perspective. Forgot about external factors!

- Zoe, that's ZOH-EEE, get it right please
- Just a little ol' MCP at Solien Technology
-
 
Upvote 0 Downvote
I used to have my regular user account in the Domain Admins group. I hate to admit it, but I would on occasion wander off and fail to lock the workstation I was at or log off. After the third time, I removed myself from the admin group and just use run-as when I need to do so.

Regards,

z.
 
Upvote 0 Downvote
ashpp nails this issue well. If something goes wrong and you are logged on with administrator rights, the potential to do harm can be quite severe.

With windows 2000, you have the run-as command you could use with an admin account though I do find it is a bit finicky when you have mapped drives to a server with your normal user credentials. Still, you do have terminal services and adminpak as well which allows you do to all your admin work at your workstation with 2 different userIds quite easily. It is less hassle now i Win2k than in the days of Nt 4.

as zaicik mentioned, leaving your workstation unlocked is a major security risk. I have worked in a company which got audited many times a year due to the type of work it was involved in. If they discovered an administrator's workstation unsecured, that company could potentially have lost millions in the failed audit due to the potential that research data may have been compromised while the admin was not at his workstation.



Claudius (What certifications??)
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

maybeimaleo
  • Locked
  • Question
Is There a Best Windows OS to Upgrade a CA Server to?
Replies
5
Views
85
maybeimaleo
maybeimaleo
goombawaho
  • Locked
  • Question
Continuous RDP disconnection/reconnection for administrator user
Replies
5
Views
73
goombawaho
goombawaho
kurio71
  • Locked
  • Question
Clean Install of 2016 - NTFS permissions
Replies
1
Views
46
hairlessupportmonkey
hairlessupportmonkey
gbaughma
  • Locked
  • Question
Shared folder permissions
Replies
0
Views
25
gbaughma
gbaughma
Mindly
  • Locked
  • Question
Can't log into SBS 2011 server with accounts that have administrator priviledges
Replies
0
Views
36
Mindly
Mindly

Part and Inventory Search

Sponsor

Back
Top