Remove admin rights from IT Administrators?

swaitch

I was just hired as an info security analyst for a mid-sized organization. I found that they decided to remove admin rights recently from their IT Administrators on workstations. Their logic in doing this was that they would then only have one administrator account to worry about. This does however create headaches when doing minor network changes on my own device, or one I am logged into, for example.

What is your take on this?
Would you be more concerned about having 1 administrator login shared among multiple technicians/administrators?

I have heard more noise concerning shared logins lately but wanted to get your take or advice. Thanks!
 
The way it was set up at the previous place I worked was that we had domain-controlled permissions for all accounts. IT had higher permissions than other groups - but still some restrictions on what we could do. We also had a single Local Admin account on the systems that had a single known password on them (updated through group policy once every few months) if we needed to use it for something. That was when I was in IT.

The place I work at now, as a software developer, is different (for developers at least). We used to have admin permissions on our AD accounts - but they decided that was a security risk, so they took those away. Originally we weren't going to have any, but we made a compromise and they set up a local Admin account on all of the machines via group policy for us - which still gives network issues, but there are ways around that (i.e. mapping network shares as drives under the admin account, using network account credentials).
 
We have the same setup Carange had in his last role; we also have a local tempadmin account that's rolled out via GP in case we need a remote user to access their machine when they are having domain login issues (it gets reset the moment they log in).
 
Very bad idea IMO.

Why? With one admin account, how do you audit who made the changes? The admin that is assigned to half a dozen people? This won't fly with a lot of audit companies, and if you have to follow any regulatory rules this is very bad. How do you administer password changes? You probably don't, which is another huge flaw because you have to tell 12 other people that admin password. Avoid this at all costs, do not have one admin account!

The fix is to have every person that requires an admin account to have an admin account that they manage in addition to their standard account. Their admin and standard accounts are completely separate. Admin accounts have local admin rights and have a completely separate login and AD object. In fact to ensure people don't use the admin account for their standard login we won't allow Exchange and other 'desktop' items to work unless they are under their standard account. Things like file shares aren't mapped to admin accounts (you can use the UNC but it won't auto map for you) as well.

You can now audit security logs and know who made the changes and still allow admins to do admin work that needs to be done. You may get a little flak because people won't like having to log off and back on to do admin work, but for security and auditing it's best practice to have the two accounts separate. If they are worth their weight in salt as an admin you can run other tools under your admin account while logged in. I.e., I can run an MMC snap-in which has all of my tools and do a 'run as' which allows me to enter my admin creds.

Did I say sharing an account would be a bad idea?
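
The audit point in the reply above, as an added example that is not part of any post in this thread: a change made under a shared admin account can only be traced to a source address, while a per-person admin account names its owner in the log. The events are constructed samples shaped like exported Windows Security records from one workstation; the account names `localadmin` and `adm-jdoe`, the addresses, and the "more than one source" test are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample records from a single workstation (logon IDs are per host).
# 4624 = successful logon, 4732 = member added to a security-enabled local group.
# Account names and addresses are made up for this example.
EVENTS = [
    {"EventID": 4624, "Time": "09:01", "TargetUserName": "localadmin", "TargetLogonId": "0x1a", "IpAddress": "10.0.0.11"},
    {"EventID": 4624, "Time": "09:05", "TargetUserName": "localadmin", "TargetLogonId": "0x2b", "IpAddress": "10.0.0.12"},
    {"EventID": 4624, "Time": "09:07", "TargetUserName": "adm-jdoe", "TargetLogonId": "0x3c", "IpAddress": "10.0.0.13"},
    {"EventID": 4732, "Time": "09:10", "SubjectUserName": "localadmin", "SubjectLogonId": "0x2b", "TargetUserName": "Administrators"},
    {"EventID": 4732, "Time": "09:12", "SubjectUserName": "adm-jdoe", "SubjectLogonId": "0x3c", "TargetUserName": "Remote Desktop Users"},
]

def logon_sources(events):
    """Map each account to the set of source addresses it logged on from."""
    sources = defaultdict(set)
    for e in events:
        if e["EventID"] == 4624:
            sources[e["TargetUserName"]].add(e["IpAddress"])
    return sources

def attribute_changes(events):
    """Tie each group change to the logon session that made it."""
    sessions = {e["TargetLogonId"]: e for e in events if e["EventID"] == 4624}
    sources = logon_sources(events)
    report = []
    for e in events:
        if e["EventID"] != 4732:
            continue
        logon = sessions.get(e["SubjectLogonId"])
        account = e["SubjectUserName"]
        report.append({
            "time": e["Time"],
            "account": account,
            "group": e["TargetUserName"],
            "origin": logon["IpAddress"] if logon else "unknown",
            # Heuristic: logons from several sources suggest the password is shared.
            "single_source": len(sources.get(account, set())) == 1,
        })
    return report

if __name__ == "__main__":
    for row in attribute_changes(EVENTS):
        print(row)
```

For the `localadmin` change the log yields only an account name and an address, so naming the technician needs evidence from outside the log; the `adm-jdoe` change carries its owner in the account name.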
 