Pub. 10 2019 Issue 1

West Virginia Banker (www.wvbankers.org)

Domain Administrators – Is This Level of Access Necessary?

By Trista Cline, Arnett Carbis Toothman, LLP

If you are involved in the Information Technology side of your financial institution, you will have reviewed or discussed network user accounts with domain administrative privileges. You may have identified a few service accounts and vendors that have domain administrative privileges. Domain Administrators are network users who are members of the Domain Administrator group. These members are administrators on all machines of the domain. As a result, Domain Administrators have privileged access on the domain, and the assignment of that privilege should be limited to those services and users who require the access. The default built-in administrator account is a member of this group, and it is best practice to disable this account. It is also a best practice to create another administrator account with a different name.

Considering the privileged access, financial institution management should exercise caution when adding users to the Domain Administrator group. One of the first questions to consider when assigning Domain Administrator rights to a user or a service account is: do they truly need this level of access? Most of the time, a user or service account needs administrative privileges only on a specific workstation or server, not on the entire domain. If caution is not exercised, some unintended results could occur.

Some of the bigger mistakes with the utilization of privileged user accounts follow:

1. Using accounts with administrator rights for everyday use. Accounts with administrator rights should not be used for everyday work, in order to avoid security breaches such as a spear phishing attack or malware injection while logged into the account with elevated credentials.

2. Adding users to the Domain Administrator group instead of delegating access. Consider a delegated Active Directory security model, especially for common administrative tasks such as unlocking accounts and resetting passwords.

3. Having poor backup or recovery plans. Ensure you have a plan for recovering Active Directory objects in the event of unauthorized deletions and/or changes.

4. Not terminating stale accounts, including Domain Administrators. Stale accounts should be disabled and then deleted so that they cannot be used maliciously.

5. Having poor password policies in place. Ensure that password policies are compliant with best practices such as the following:
   a. Never set a user's password to "never expire".
   b. Ensure that service account passwords that do not expire per group policy are changed on a regular basis.
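The checks from items 4 and 5 above, together with the built-in administrator recommendation, as an added PowerShell example that is not part of the original article. The function name Test-PrivilegedAccount, the 90-day and 365-day thresholds and the sample accounts are assumptions made for illustration; Active Directory's own name for the group is "Domain Admins".

```powershell
# Thresholds are assumptions for illustration, not values from the article.
$StaleAfterDays  = 90    # no logon for this many days counts as stale
$MaxPasswordDays = 365   # rotation limit for passwords that never expire

function Test-PrivilegedAccount {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Account,
        [datetime] $Now = (Get-Date)
    )
    process {
        $findings = @()
        # The built-in Administrator keeps a SID ending in -500 even when renamed.
        if ("$($Account.SID)" -match '-500$' -and $Account.Enabled) {
            $findings += 'Built-in administrator account is enabled'
        }
        # Item 4: enabled account with no recent (or no recorded) logon.
        $cutoff = $Now.AddDays(-$StaleAfterDays)
        if ($Account.Enabled -and ((-not $Account.LastLogonDate) -or $Account.LastLogonDate -lt $cutoff)) {
            $findings += "Stale: no logon in the last $StaleAfterDays days"
        }
        # Item 5a: password flagged as never expiring.
        if ($Account.PasswordNeverExpires) {
            $findings += 'Password set to never expire'
            # Item 5b: a non-expiring password must still be rotated regularly.
            if ($Account.PasswordLastSet -lt $Now.AddDays(-$MaxPasswordDays)) {
                $findings += "Non-expiring password older than $MaxPasswordDays days"
            }
        }
        foreach ($f in $findings) {
            [pscustomobject]@{ Account = $Account.SamAccountName; Finding = $f }
        }
    }
}

# Constructed sample accounts (not real data) so the logic runs without a domain.
$asOf = Get-Date '2019-03-01'
$sample = @(
    [pscustomobject]@{ SamAccountName='Administrator'; SID='S-1-5-21-1-2-3-500';  Enabled=$true; LastLogonDate=[datetime]'2019-02-20'; PasswordNeverExpires=$true;  PasswordLastSet=[datetime]'2015-06-01' }
    [pscustomobject]@{ SamAccountName='svc-backup';    SID='S-1-5-21-1-2-3-1104'; Enabled=$true; LastLogonDate=[datetime]'2019-02-28'; PasswordNeverExpires=$true;  PasswordLastSet=[datetime]'2018-11-15' }
    [pscustomobject]@{ SamAccountName='jdoe-adm';      SID='S-1-5-21-1-2-3-1130'; Enabled=$true; LastLogonDate=[datetime]'2018-06-10'; PasswordNeverExpires=$false; PasswordLastSet=[datetime]'2018-05-01' }
    [pscustomobject]@{ SamAccountName='asmith-adm';    SID='S-1-5-21-1-2-3-1142'; Enabled=$true; LastLogonDate=[datetime]'2019-02-27'; PasswordNeverExpires=$false; PasswordLastSet=[datetime]'2019-01-15' }
)
$sample | Test-PrivilegedAccount -Now $asOf | Format-Table -AutoSize

# Against a live domain (needs the RSAT ActiveDirectory module):
# Get-ADGroupMember 'Domain Admins' -Recursive | Where-Object objectClass -eq 'user' |
#     Get-ADUser -Properties LastLogonDate, PasswordNeverExpires, PasswordLastSet |
#     Test-PrivilegedAccount
```

An account that produces no rows passed every check; each row that does appear maps back to one of the numbered items above.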
