[Samba] AD User with Domain Admin
Marco Gaiarin
gaio at sv.lnf.it
Fri Dec 4 16:40:19 UTC 2020
Hello! L.P.H. van Belle via samba
On that day it was said...
> This is/should be "common" knowledge/sense.. Really (not offending here) ..
I know it is a better thing; I simply normally use Linux (with sudo),
and so effectively I run my Windows account only for administrative
tasks. ;-)
> And even on home pc's i set things like this where i can.
> https://www.lepide.com/blog/top-10-most-important-group-policy-settings-for-preventing-security-breaches/
>
> Now, on the question "is there any official statement":
> There is this:
> https://docs.microsoft.com/en-us/services-hub/health/remediation-steps-ad/review-and-reduce-the-number-of-accounts-in-highly-privileged-administrative-groups
Hello! Robert Marcano via samba
On that day it was said...
> L.P.H. van Belle added a link to another more concise page, but I usually
> point customers to [1] when they start asking to be Domain Admins all the
> time. It is a longer read that includes more than the reduction or
> protection of accounts inside the Domain Admins group.
> https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
Starting from your link I've found:
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#separate-administrative-accounts
where the statement is clear:
Separate administrative accounts
All personnel that are authorized to possess administrative privileges must have separate accounts for administrative functions that are distinct from user accounts.
Standard user accounts - Granted standard user privileges for standard user tasks, such as email, web browsing, and using line-of-business applications. These accounts should not be granted administrative privileges.
Administrative accounts - Separate accounts created for personnel who are assigned the appropriate administrative privileges. An administrator who is required to manage assets in each Tier should have a separate account for each Tier. These accounts should have no access to email or the public Internet.
Ah, these inferior OSes that do not have sudo... ;-)
But it seems they are working on something similar...
https://github.com/PowerShell/JEA
Thanks to all.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
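The Microsoft text pasted above boils down to one check an admin can actually run: who is in the highly privileged groups, and do those memberships belong to dedicated administrative accounts or to somebody's everyday account? The script below is an added example, not part of this thread and not Samba's or Microsoft's own tooling. It walks the groups over plain LDAP with System.DirectoryServices (the [adsi] / [adsisearcher] accelerators), which works against a Samba AD DC as well as a Windows DC, unlike the RSAT ActiveDirectory module, which needs Active Directory Web Services. It assumes the machine is joined to the domain and that separate admin accounts follow an 'adm-' naming prefix; both are assumptions, not anything the thread states.

```powershell
# Added example (not from the thread): audit the highly privileged AD groups
# and flag memberships that look like daily-use accounts. Assumes a
# domain-joined machine (serverless LDAP binding) and an assumed 'adm-'
# prefix for separate administrative accounts.
$AdminPrefix = 'adm-'
$BaseDN      = [string]([adsi]'LDAP://RootDSE').defaultNamingContext

function Get-NestedUserMembers {
    param([string]$GroupDN, [hashtable]$Seen = @{})
    # Walk the 'member' attribute recursively so indirect membership through
    # nested groups is reported too; $Seen breaks membership cycles.
    # (DNs containing '/' would need escaping in the LDAP:// path.)
    $Group = [adsi]"LDAP://$GroupDN"
    foreach ($MemberDN in @($Group.member)) {
        if ($Seen.ContainsKey($MemberDN)) { continue }
        $Seen[$MemberDN] = $true
        $Entry = [adsi]"LDAP://$MemberDN"
        if ($Entry.objectClass -contains 'group') {
            Get-NestedUserMembers -GroupDN $MemberDN -Seen $Seen
        } elseif (($Entry.objectClass -contains 'user') -and
                  -not ($Entry.objectClass -contains 'computer')) {
            $Entry
        }
    }
}

# Enterprise Admins and Schema Admins only exist in the forest root domain,
# so a lookup that finds nothing is simply skipped.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

$Report = foreach ($Name in $PrivilegedGroups) {
    $Searcher = [adsisearcher]"(&(objectClass=group)(sAMAccountName=$Name))"
    $Searcher.SearchRoot = [adsi]"LDAP://$BaseDN"
    $Found = $Searcher.FindOne()
    if (-not $Found) { continue }
    $GroupDN = [string]$Found.Properties['distinguishedname'][0]

    foreach ($User in Get-NestedUserMembers -GroupDN $GroupDN) {
        $Sam  = [string]$User.sAMAccountName
        $Mail = [string]$User.mail
        $Uac  = [int]$User.userAccountControl.Value
        [pscustomobject]@{
            Group             = $Name
            SamAccountName    = $Sam
            Enabled           = -not ($Uac -band 2)   # ADS_UF_ACCOUNTDISABLE
            HasMailAddress    = ($Mail -ne '')
            # A privileged account with a mail address, or one that does not
            # follow the admin naming convention, is probably someone's
            # everyday account and a candidate for a separate admin account.
            LooksLikeDailyUse = ($Mail -ne '') -or (-not $Sam.StartsWith($AdminPrefix))
        }
    }
}

$Report | Sort-Object Group, SamAccountName | Format-Table -AutoSize
'{0} privileged memberships, {1} of them look like daily-use accounts' -f `
    @($Report).Count, @($Report | Where-Object LooksLikeDailyUse).Count
```

The "mail address present" heuristic is exactly the point of the Microsoft text: an administrative account "should have no access to email or the public Internet", so a Domain Admin with a mailbox is by definition not a separate administrative account.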
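On the JEA remark: Just Enough Administration is the closest Windows gets to a scoped sudoers rule, so here is an added example of what such an endpoint looks like. It is not code from this thread or from the PowerShell/JEA project; the group name CONTOSO\Service-Operators, the Spooler service, the module name ServiceOps and the transcript directory are all assumed values. It uses only the documented JEA cmdlets and is run once, as an administrator, on the server being managed.

```powershell
# Added example (not from the thread or the JEA project): a JEA endpoint that
# lets members of an assumed 'CONTOSO\Service-Operators' group restart one
# assumed service ('Spooler') from their standard, non-admin account.

# JEA discovers role capability (.psrc) files under <module>\RoleCapabilities
# for any module on $env:PSModulePath, so a minimal module is created first.
$ModulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ServiceOps'
$RoleDir    = Join-Path $ModulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $RoleDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $ModulePath 'ServiceOps.psd1')

# Role capability: the allow-list of what the role may run. Restart-Service
# is pinned to the one service by validating its -Name parameter, so
# "Restart-Service -Name WinRM" is rejected inside the session.
New-PSRoleCapabilityFile -Path (Join-Path $RoleDir 'ServiceOperator.psrc') `
    -Description 'Query services and restart the print spooler only' `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
    )

# Session configuration: commands run under a temporary virtual account, so
# the operator's own account never needs local Administrator rights (the
# sudo-like part), and every session is transcribed for later review.
$TranscriptDir = 'C:\ProgramData\JEA\Transcripts'        # assumed location
New-Item -ItemType Directory -Path $TranscriptDir -Force | Out-Null
$SessionFile = Join-Path $env:TEMP 'ServiceOps.pssc'
New-PSSessionConfigurationFile -Path $SessionFile `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $TranscriptDir `
    -RoleDefinitions @{ 'CONTOSO\Service-Operators' = @{ RoleCapabilities = 'ServiceOperator' } }

# Validate the file before registering it; a malformed .pssc is rejected here
# rather than at first connection.
if (-not (Test-PSSessionConfigurationFile -Path $SessionFile)) {
    throw "Session configuration file $SessionFile is invalid"
}
Register-PSSessionConfiguration -Name 'ServiceOps' -Path $SessionFile -Force | Out-Null

# An operator then connects with their standard account, e.g.:
#   Enter-PSSession -ComputerName <server> -ConfigurationName ServiceOps
#   Restart-Service -Name Spooler     # allowed by the role capability
#   Restart-Service -Name WinRM       # rejected by the ValidateSet
```

RestrictedRemoteServer is what makes this more than a convenience: the session exposes only the listed cmdlets plus a handful of built-ins, and there is no language mode in which the operator could script around the allow-list, so the effective privilege is the role definition, not the Administrators group.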