Good Practice for admin logons 1

[kathanon]

I would appreciate some views on whether it is good practice to do day to day work logged on as administrator. I am just thinking about what could happen if browsing etc with admin priviledges and inadvertantly downloading malicious code and so on. I would like to find a balance between paranoia and security (if such a thing is possible). I have stopped logging on with the administrator account and it is a bit impractical in lots of ways, even as a local power user and using the "run as" command. I wondered what other people do.

Cheers

Kathy

 

[op2918]

Hi,

I think it is a good practice to keep seperate logons

 

[FilthPig]

I do enough during the day that requires me to be a domain admin that I stay logged in as a domain admin. Make sure your systems are patched and be careful about websites you visit, and e-mails you open. In most cases you can tell if an e-mail looks suspect just from the sender/title.

Rename your administrator account. Also make sure that the password can't be found in any dictionary. Make a seperate login for yourself that has domain admin privileges.

Avoid doing your work at the server whenever possible. Install admin tools on a workstation and use that instead. Terminal Services, VNC, PCAnywhere, etc are good for when you need to use the console.

Make sure your servers & any workstation you log into (as an account with administrator privileges) have password protected screen savers and short wait times. Marc Creviere

 

[kathanon]

Thank you Marc,

That is really helpful. I will create another log in with admin priviledges and use that when necessary. I will keep my power user account for normal day to day things on the local machine and there is always the "run as" function. I don't do much work at the server only things like adding users etc and reconfiguring mail settings. I can check event logs etc from my own pc and use VNC for other stuff.

There is no e mail program running on the server, but sometimes I do browse from there logged in as administrator, which maybe isn't such a good idea. The server has a short screen saver setting and then it is password protected. I did try to rename the administrator account but stopped out when it gave me a warning about certain things not running if the account was renamed, so I left it as it, we have a strong non dictionary password too.

Kathy

 

[GlenJohnson]

It's a bit different for me. We have several people who are in the department and have admin access to the servers. We logon as our own username and password and have admin rites. This way, if somebody goofs up, we know who did it and can ask them what they did. Also, renamed the admin account, created a new admin account with limited privelages. Somebody manages to hack us, the first thing they'll go for is the admin account, and they won't be able to do squat. Glen A. Johnson
Microsoft Certified Professional
gjohn76351@msn.com
"Divide each difficulty into as many parts as is feasible and necessary to resolve it."
René Descartes (1596-1650); French philosopher

 

[kathanon]

Thanks Glen

What else will I need to change if I change the admin account name? When I tried it I got a warning about services not running, so am assuming that some things must run using that account, that I might also need to change. Is that true? Backup already stopped running for a while when I only changed the admin password, so I changed it back. Also I can't help wondering a bit if I am taking a sledge hammer to crack a nut with all my security tweaks, there are only 13-15 of us on the network, but I do want the system to be secure.

Kathy

 

[GlenJohnson]

If there's only a few of you, I wouldn't worry about it. If you are the only one accessing the server, enable a screen saver and check the use password protect. Set the time for the screen saver to an amount that won't annoy you, (Don't set it for 1 minute), so that when the screen saver kicks in, you need the admin password to access it or give it the 3 finger salute and lock the server when you leave. That way nobody that shouldn't get into it can't. Make sure you have all the patches needed for security and check your logs ocassionaly to make sure nobody is trying to hack you. Your'e right, you don't need a sledge hammer in your case. (We have 7 servers, with 6 IT people accessing them.) Glen A. Johnson
Microsoft Certified Professional
gjohn76351@msn.com
"Divide each difficulty into as many parts as is feasible and necessary to resolve it."
René Descartes (1596-1650); French philosopher

 

[kathanon]

Many thanks for all the help guys. This is such a good site. I am studying for an MCSA and looking after a network, being able to ask questions and learn stuff here is brilliant.

Kathy

 

[zoeythecat]

Keep in mind though that screen savers can cause performance problems on a server and uses memory. Just as long as you are carful about locking your workstation and logging off the server than you should be ok. You need to find out what programs you use (like your Backup Program). When you change the admin password you will need to change it in this program as well. If you have Exchange Server you will need to change the passwords here too. Otherwise, don't change the password but just make sure you log off or lock the workstation and you should be ok.