Local Logon Access to Production Servers

microsoft.public.windows.server.security
Posted by Alan on September 13, 2007, 12:04 pm
Hello,

I am the odd man out on my team when it comes to the discussion of, "whether
or not Application owners should have Local Admin abilities on production
servers." I am very strong in my opinion that this is not a good idea, but
have been unsuccessful in convincing my team. What I am looking for is some
form of best practices documentation, or personal experiences. I would like
to leverage this information as not only the reasoning behind restricting
this access (common sense to me), but also provide a real-world solution
besides giving them full access. I appreciate any assistance.

Thanks.

Alan

Posted by jwgoerlich on September 14, 2007, 12:43 pm
Separation of duties and principle of least privilege are two of the
basic Infosec rules. These rules may be enforced by regulation,
depending upon your country and industry.

The former is easy to answer. Generally speaking, infrastructure
personnel should not have elevated access to the application, and
application owners should not have elevated access to the system. The
latter requires a different tack.

Rather than asking if Application owners require Local Admin access, I
would ask what specific access Application owners require to perform
their duties. This list is much smaller and in most cases can be
granted to users who are not members of the Administrators group.

The companies that I work with generally grant Application owners the
ability to RDP into the server, stop and start application-specific
services, manage specific NTFS folders, and manage scheduled tasks.
This is a real-world solution. All of these can be granted. Your list
may differ, of course, but this line of questioning may yield a more
secure system.

Regards,

J Wolfgang Goerlich

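The delegation Goerlich describes (RDP logon, start/stop of specific services, rights on specific NTFS folders, and specific scheduled tasks, all without Administrators membership) can be scripted on a single server. The script below is an added example and is not from the thread or from either poster; the group name CONTOSO\AppOwners, the service, folder and task names are placeholders, and it assumes a domain-joined server with PowerShell 5.1 or later (for Add-LocalGroupMember). It is run once, elevated, by the infrastructure admin who owns the box.

```powershell
<#
  Added example: delegate four narrow rights to a non-admin group on one server.
  Every name below is a placeholder, not a value from the thread.
#>
param(
    [string]$Group   = 'CONTOSO\AppOwners',   # placeholder domain group
    [string]$Service = 'MyAppService',         # placeholder service name
    [string]$Folder  = 'D:\Apps\MyApp',        # placeholder application folder
    [string]$Task    = 'MyApp Nightly Job'     # placeholder scheduled task name
)

# 1. Interactive RDP logon without admin: membership of the built-in group suffices.
if (-not (Get-LocalGroupMember -Group 'Remote Desktop Users' -Member $Group -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $Group
}

# 2. Start/stop/query one service through that service's own security descriptor.
#    Service SDDL rights: CC=query config, LC=query status, SW=enumerate dependents,
#    RP=start, WP=stop, LO=interrogate, CR=user-defined control, RC=read the SD.
#    DC (change config) is deliberately left out: with it the owner could repoint
#    the binary path and run arbitrary code as the service account.
$sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$ace  = "(A;;CCLCSWRPWPLOCRRC;;;$sid)"
$sddl = (sc.exe sdshow $Service | Where-Object { $_ -match '^D:' }).Trim()
if ($sddl -notlike "*$sid*") {
    # Keep the existing DACL and SACL; append the new ACE at the end of the DACL.
    $newSddl = if ($sddl -match '^(D:.*?)(S:.*)$') { $matches[1] + $ace + $matches[2] }
               else { $sddl + $ace }
    sc.exe sdset $Service $newSddl | Out-Null
}

# 3. Modify rights on the application folder only, inherited to its contents.
icacls $Folder /grant "${Group}:(OI)(CI)M" | Out-Null

# 4. One scheduled task: a task is stored as a file under %SystemRoot%\System32\Tasks
#    and the Task Scheduler uses that file's ACL as the task's security descriptor.
$taskFile = Join-Path $env:SystemRoot "System32\Tasks\$Task"
if (Test-Path $taskFile) { icacls $taskFile /grant "${Group}:M" | Out-Null }

# The check that makes the delegation meaningful: the group must not also be an admin.
if (Get-LocalGroupMember -Group 'Administrators' -Member $Group -ErrorAction SilentlyContinue) {
    Write-Warning "$Group is still in Administrators; the narrow grants above change nothing until it is removed."
}
```

The list of rights is the point, not the tooling: each grant names one object (one service, one folder, one task) rather than a class of objects, which is what keeps the application owner out of the infrastructure role Goerlich separates from theirs. Audit the result with `sc.exe sdshow`, `icacls`, and `Get-LocalGroupMember` rather than trusting the script's exit code.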
Posted by Roger Abell [MVP] on September 14, 2007, 5:50 pm
You may not find a doc that reasons it out in detail for you,
mostly because it is such a basic principle. You could ask,
as admins what kinds of things can they do, that they do not
need to do, that they should not do, and, can we trust them
not to do them? For most applications, services, etc. the
list is long. (shut down the machine, format the drive, change
the ips, implant software, look at anything, ... )
