
kevinds
Premium Member
join:2003-05-01
Calgary, AB

kevinds to onebadmofo

Re: Odd issue has been happening/question at end.

said by onebadmofo:

for example, every one of us has admin access to the AD, DHCP server, Group Policies, domain server, exchange server, sharepoint server, etc. etc.
And from what I understand, that's pretty odd.

That is a disaster waiting to happen..

Been there, fixed that more than once..

onebadmofo
gat gnitsoP
Premium Member
join:2002-03-30
Pennsylvania

said by kevinds:

said by onebadmofo:

for example, every one of us has admin access to the AD, DHCP server, Group Policies, domain server, exchange server, sharepoint server, etc. etc.
And from what I understand, that's pretty odd.

That is a disaster waiting to happen..

Been there, fixed that more than once..

I guess they look at it this way... they always have a contingency plan for the event that someone has off. Meaning everyone knows how to do it, but not everyone WILL be doing it. And being that the company is super flexible with people being able to work from home and accumulate a shit ton of vacation and sick time, it seems to work.
For example I have 940 sick time hours and 576 hours of vacation time.

The thing is no one does anything without communicating it first to everyone else. And then one person will take care of it. And that is usually an IT admin or the director.

kevinds
Premium Member
join:2003-05-01
Calgary, AB

said by onebadmofo:

The thing is no one does anything without communicating it first to everyone else. And then one person will take care of it. And that is usually an IT admin or the director.

Malware though.. If malware infects a normal user, at most, their profile on that computer gets messed up..

If a domain admin account gets the malware, it can infect the entire workstation and all the other computers too, at the admin level.. RAT, keyloggers..
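A quick way to see how many accounts are actually sitting in the domain- and forest-level admin groups (the "everyone is an admin" state the thread is about). This is an added example, not code from any poster; it assumes the ActiveDirectory RSAT module, read access to group membership, and a single-domain forest so the members can be resolved against the root domain. Enterprise Admins and Schema Admins only exist in the forest root domain, hence the separate server target.

```powershell
# Added example (not from the thread): report who holds domain/forest admin rights.
# Assumes the ActiveDirectory module and a single-domain forest (see lead-in).
Import-Module ActiveDirectory

$forest   = Get-ADForest
$rootDom  = $forest.RootDomain        # Enterprise Admins / Schema Admins live here
$thisDom  = (Get-ADDomain).DNSRoot    # Domain Admins / Administrators are per-domain

$targets = @(
    @{ Name = 'Domain Admins';     Server = $thisDom },
    @{ Name = 'Administrators';    Server = $thisDom },
    @{ Name = 'Enterprise Admins'; Server = $rootDom },
    @{ Name = 'Schema Admins';     Server = $rootDom }
)

$report = foreach ($t in $targets) {
    # -Recursive expands nested groups, so indirect members are counted too
    Get-ADGroupMember -Identity $t.Name -Server $t.Server -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName -Server $t.Server `
                            -Properties Enabled, LastLogonDate, PasswordLastSet
            [pscustomobject]@{
                Group           = $t.Name
                User            = $u.SamAccountName
                Enabled         = $u.Enabled
                LastLogonDate   = $u.LastLogonDate
                PasswordLastSet = $u.PasswordLastSet
            }
        }
}

$report | Sort-Object Group, User | Format-Table -AutoSize

# Headcount per group: more than a handful of Domain/Enterprise Admins is the
# "disaster waiting to happen" above, and Schema Admins should normally be empty.
$report | Group-Object Group | Select-Object Name, Count
$report | Where-Object { $_.Group -eq 'Schema Admins' }
```

Run it from a workstation with RSAT as a normal user; reading group membership does not need admin rights, so this is also a cheap check to put on a schedule and diff over time.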

DarkLogix
Texan and Proud
Premium Member
join:2008-10-23
Baytown, TX

said by kevinds:

An domain admin account gets the malware, it can infect the entire workstation and all the other computers too, at the admin level.. RAT, keyloggers..

And if an Enterprise Admin gets hit then the whole forest is vulnerable.
(though if it's a single domain forest it doesn't make much difference from domain to enterprise admin, though there would still be a few things a domain admin can't do that an Enterprise admin can.)

Then there's Schema Admin, that one is rarely needed so the best practice is, as a domain admin, to only grant it to yourself when really needed. (i.e. schema prep or custom Schema extensions.) Sure a Domain or Enterprise admin can grant it to themselves, but some of the things that only a Schema admin can do must also be done on the Schema Master and that can mean waiting on AD replication after granting the group membership.

BTW for the most secure AD forests you wouldn't use any of the built in Admin groups.
I've read some white papers on it, and honestly doing what they suggest is a PITA.
But those whitepapers suggest creating more granular admin groups, and getting to the admin structure they suggest requires some deep AD modification.
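The "grant Schema Admins to yourself only when needed" approach from the post above, written out as a script. This is an added example, not something from the thread or from Microsoft; it assumes the ActiveDirectory RSAT module, that you already hold Domain/Enterprise Admin rights in the forest root, and that the account running it lives in the root domain. The point of binding to the Schema Master directly is that the membership write lands on the DC that will perform the schema change, so there is nothing to wait on from replication; the `try/finally` makes sure the membership comes back out even if the schema work fails.

```powershell
# Added example (not from the thread): just-in-time Schema Admins membership.
# Assumes the ActiveDirectory module, Enterprise Admin rights, and that the
# current user is in the forest root domain (see lead-in).
Import-Module ActiveDirectory

$forest       = Get-ADForest
$schemaMaster = $forest.SchemaMaster     # FQDN of the DC holding the Schema Master role
$me           = Get-ADUser -Identity $env:USERNAME -Server $forest.RootDomain

# Schema Admins exists only in the forest root; write the change on the Schema
# Master itself so the DC that does the schema work sees it immediately.
Add-ADGroupMember -Identity 'Schema Admins' -Members $me -Server $schemaMaster

try {
    # Verify the membership is visible where it matters before touching the schema.
    $members = Get-ADGroupMember -Identity 'Schema Admins' -Server $schemaMaster
    if (-not ($members.SamAccountName -contains $me.SamAccountName)) {
        throw "Membership not visible on $schemaMaster"
    }

    # Group membership goes into your access token at logon, so the schema tool has
    # to run under a fresh logon (new elevated session / runas) to pick it up.
    # Hypothetical schema operation, placeholder path, replace with the real command:
    # & 'C:\ExchangeSetup\Setup.exe' /PrepareSchema /IAcceptExchangeServerLicenseTerms
}
finally {
    # Always remove the membership again, even if the schema work failed.
    Remove-ADGroupMember -Identity 'Schema Admins' -Members $me -Server $schemaMaster -Confirm:$false

    # Steady state per the post above: nobody in Schema Admins.
    $left = Get-ADGroupMember -Identity 'Schema Admins' -Server $schemaMaster
    if ($left) {
        Write-Warning "Schema Admins still has members: $($left.SamAccountName -join ', ')"
    }
}
```

The same pattern works for any rarely needed built-in group; the caveat is the token refresh: adding yourself and then running the schema tool in the same session will fail with access denied because the existing logon still carries the old group list.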

kevinds
Premium Member
join:2003-05-01
Calgary, AB

said by DarkLogix:

And if an Enterprise Admin gets hit then the whole forest is vulnerable.
(though if it's a single domain forest it doesn't make much difference from domain to enterprise admin, though there would still be a few things a domain admin can't do that an Enterprise admin can.)

Then there's Schema Admin, that one is rarely needed so the best practice is, as a domain admin, to only grant it to yourself when really needed. (i.e. schema prep or custom Schema extensions.) Sure a Domain or Enterprise admin can grant it to themselves, but some of the things that only a Schema admin can do must also be done on the Schema Master and that can mean waiting on AD replication after granting the group membership.

BTW for the most secure AD forests you wouldn't use any of the built in Admin groups.
I've read some white papers on it, and honestly doing what they suggest is a PITA.
But those whitepapers suggest creating more granular admin groups, and getting to the admin structure they suggest requires some deep AD modification.

I agree with you on all points. I was trying to give a simpler explanation on why 'everyone as AD admin' is a very bad idea, even if it works and there are "good" reasons why they do it that way..