Absolute Power: Controlling the Risk of Domain Admins
Upcoming Live Webcast
9/21/2010 11:00:00 AM EST
One of my frequent consulting activities is performing audits of Active Directory for corporate Internal Audit departments, and hardly an audit has gone by where I wasn’t obligated to bring to the Board’s attention the number of all-powerful administrators present in Active Directory. This is a real risk that has to be addressed. With an infrastructure security technology like Active Directory, you can’t have scores of people with admin authority. There’s just too much room for mistakes and malicious acts. And the worst does happen – I’m sure you’ve heard the horror stories.
I’ve long preached about Active Directory’s built-in delegation of control feature that allows you to follow least privilege within the IT department. In this webinar I will show you how to get the majority of people out of the Domain Admins group and grant them just the granular authority they actually need.
I will also show how you can audit both the delegation of admin authority and the use of admin authority. What I mean is using the security log to monitor when you make Bob an admin/subadmin as well as when Bob uses that authority to do something like creating a new user account.
Then I’ll look at ways to ensure that emergencies can still be handled after removing basically everyone from the Domain Admins group.
Even with all these capabilities, though, I find that many companies fail to secure admin authority and implement least privilege. Plus, I find so many IT departments where admins are wasting time on the basically clerical work of carrying out menial and repetitive access control and account management changes already initiated and approved by managers and the HR department. With that in mind, you will be interested in seeing how this webinar’s sponsor, Quest, can take you beyond the capabilities I demonstrate and make it easy and manageable to follow least privilege and reduce IT staff workload through self-service and automation. So you’ll see how you can solve these problems using native AD functionality and then how to take it to the next level.



