If your IT department is in the process of moving from the NT 4 platform to Windows 2000, chances are that many of your domain admins will have fewer network privileges under Windows 2000's administrative model than they had before.
When that happens, those admins will claim they can’t provide the kind of support to which their users have become accustomed. "I can’t do my job," they’ll say, "unless I can start and stop services and reboot any of the servers my users touch!"
Recently, I saw firsthand how the support side of a large IS department reacted to the way network administrators were assigned privileges under Windows 2000 and Active Directory. If the same kinds of issues arise in your shop, here are some tips for making the IT department happy and keeping your network secure without sacrificing the quality of the support you provide to your end users.
NT security audit results: Too many domain admins
I recently worked as a contract tech writer for the CIO of a government agency, helping to craft responses to issues raised by an internal NT security audit. The auditor summed up his concerns this way: “Too many IT staff members have more privileges than they really need to do their jobs.” Specifically, the auditor found that the IT department had over 160 domain admins who could do almost anything, including start and stop services and reboot servers.
The IT department was in the process of moving to Windows 2000, with expected rollout in the first quarter of 2002. In the response to the audit items, a recurring theme in the support department was "We will resolve this issue under the Windows 2000 administrative model."
In discussing the new administrative model, members of the help desk and network support team identified what they considered to be advantages of the current NT system. These included the following:
- Over 160 domain admins have the ability to correct any problem without engaging other groups.
- Very little coordination between different IT groups is required to correct system failures.
- The domain admins can resolve problems on the "first call," so fewer issues must be escalated to the second and third levels of support.
According to the security auditor, these advantages are outweighed by the security risks posed by having so many domain admins with so many privileges. Facts supporting this side of the argument include:
- Too many people have access to sensitive legal and personnel data.
- Too many people can change domain-wide security policies and can grant privileged access to other users to do the same.
- Too often, domain admins take the easy way out of a problem by rebooting the server instead of escalating it for research and resolution.
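The auditor's finding ("over 160 domain admins") is the kind of thing worth checking on a schedule rather than once. The following script is an added example, not part of the article: it expands Domain Admins membership (including nested groups), compares it with an approved baseline, and flags anything outside it. It assumes the ActiveDirectory PowerShell module is available; the baseline path, threshold and group name are illustrative.

```powershell
# Added example: audit Domain Admins membership against an approved baseline.
# Assumes the ActiveDirectory module (RSAT) and a read-only, domain-joined account.
# $BaselinePath, $MaxExpected and $GroupName are assumptions for illustration.
param(
    [string]$GroupName    = 'Domain Admins',
    [string]$BaselinePath = 'C:\Audit\approved-domain-admins.txt',  # one sAMAccountName per line
    [int]$MaxExpected     = 10                                      # warn when membership exceeds this
)

Import-Module ActiveDirectory

# -Recursive expands nested groups, so admins "hidden" one level down are counted too.
$members = @(Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName |
    Sort-Object -Unique)

# The baseline is the list of people who proved they need this role (see "Step 1" below).
$approved = @()
if (Test-Path $BaselinePath) {
    $approved = @(Get-Content $BaselinePath | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
}

$unapproved = @($members  | Where-Object { $approved -notcontains $_ })   # in group, not in baseline
$stale      = @($approved | Where-Object { $members  -notcontains $_ })   # in baseline, no longer in group

[pscustomobject]@{
    Group            = $GroupName
    MemberCount      = $members.Count
    ExceedsThreshold = ($members.Count -gt $MaxExpected)
    Unapproved       = ($unapproved -join ', ')
    StaleBaseline    = ($stale -join ', ')
} | Format-List

# Non-zero exit lets a scheduled task or monitoring job raise the finding.
if ($unapproved.Count -gt 0 -or $members.Count -gt $MaxExpected) {
    Write-Warning "Review required: $($unapproved.Count) unapproved member(s); total $($members.Count) (max $MaxExpected)."
    exit 1
}
```

Stale baseline entries are worth reporting as well, since they usually mean a job change that the baseline never caught up with.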
The Windows 2000 administrative model
Under Windows 2000’s Active Directory, the network administrators create new, role-based groups, matching appropriate privileges with the tasks or roles being performed. In this shop, most of the 160 people who were domain admins under NT 4 will assume less-powerful roles, such as administrator or power user, in organizational units (OUs) under Windows 2000. The project lead for the Windows 2000 rollout identified two ways to resolve the security issues without compromising the level of support.
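As an added example of the role-based approach described above (not the agency's own configuration or the article's code), the following creates a helpdesk role group and delegates only password reset and account unlock on user objects within one OU, instead of making the helpdesk staff domain admins. It assumes the ActiveDirectory PowerShell module and the dsacls.exe support tool; the OU and group names are illustrative.

```powershell
# Added example: an OU-scoped helpdesk role in place of Domain Admins membership.
# Assumes the ActiveDirectory module (RSAT) and dsacls.exe; OU and group names are illustrative.
$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName
$netbios  = $domain.NetBIOSName
$targetOu = "OU=Finance Users,$domainDn"      # the users this role is allowed to support
$roleName = 'Role-Finance-Helpdesk'
$rolesOu  = "OU=Roles,$domainDn"              # where role groups live, so membership is easy to audit

# 1. The role is a group: rights attach to the group, and membership is what gets reviewed.
if (-not (Get-ADGroup -Filter "Name -eq '$roleName'")) {
    New-ADGroup -Name $roleName -GroupScope DomainLocal -GroupCategory Security -Path $rolesOu `
        -Description 'Password reset and unlock for the Finance Users OU only'
}

# 2. Delegate only the two rights the role needs, on user objects under the OU.
#    /I:S = apply to sub-objects only; "CA;Reset Password" is the control-access right,
#    "RPWP;lockoutTime" lets the role clear a lockout by writing that single attribute.
& dsacls.exe $targetOu /I:S /G "${netbios}\${roleName}:CA;Reset Password;user"
& dsacls.exe $targetOu /I:S /G "${netbios}\${roleName}:RPWP;lockoutTime;user"

# 3. Verify: the ACL on the OU should show the role with exactly these entries and nothing broader.
& dsacls.exe $targetOu | Select-String -Pattern $roleName
```

Anything the role cannot do from this OU (stopping a service, rebooting a server) is by design a hand-off to the group that owns that system, which is what Step 2 below formalizes.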
Step 1: Establish baselines of appropriate access
Under Windows 2000, each member of the IT staff (and every end user) will be assigned the appropriate level of access required to perform job-related tasks without compromising security. In this case, every enterprise application that ran under NT must go through a test lab before being certified for migration to Windows 2000. The testers challenge every business unit manager and IT support person to prove that they require a particular level of access in order to support the application and its end users.
The support staff was asked to define the tasks or roles needed to perform their jobs—and to identify those roles which require coordination between multiple IT departments—in order to resolve customer issues in a timely manner. In some cases, the "90-10" rule was invoked.
You can sum up the "90-10" rule this way: A person needs one level of access to perform 90 percent of his or her job and needs "super-user" or administrator access to perform the other 10 percent. In most of those cases, rather than grant higher access rights, the decision was made to reassign the other 10 percent of those duties to someone in another group. In many cases, that policy translated into changes in job descriptions. In all cases, that policy means groups within the IT department will work together more often.
Step 2: Identify tasks or roles requiring coordination
The new administrative model creates borders and barriers in the IT department where none existed before. Specifically, some IT staff members discovered there were tasks they could no longer do on their own. Therefore, a number of new policies and procedures were written to help the technical staff know when and how to enlist the assistance of another IT group to resolve a problem.
Keep your eye on the prize
If the majority of your level-one network support people are accustomed to having unlimited powers under NT 4, chances are good they’ll lose some of those powers when you move to Windows 2000. The key to keeping the peace in the IT department is reminding everyone why you’re moving to Windows 2000 in the first place: to increase security on your company network.