Most of us know what an Administrator profile is, as well as a general User profile when it comes to our PC. Admins are liken to God and Users are liken to the general populous.
But what about Domain Administrator Accounts, Domain User Accounts, or Local Groups? There are many other different types of profiles that offer varying levels of access to computers, servers and network settings. Understanding the precise capabilities of each is important to maintaining network security and ensuring that everyone can access the areas they need to in order to do their job.
Here we take a look at some of the most common, and most misunderstood, user profile settings.
Who should be an Administrator on your network?
No normal user accounts should have Administrator access to your network. Users that have Administrator access as part of their normal user account could inadvertently cause a lot of damage if (for example) they are infected by a virus that deletes data.
A Windows network normally has a “Windows Active Directory Domain” which contains user accounts, and manages the permissions for each user as they log onto the network.
If a user requires special permissions, they should be given details of an Administrator account that has the required level of access.
Domain Administrator Accounts
To allow users to carry out administrative tasks, special Administrator accounts should be created with a suitable level of network access, and the credentials should be given to the users that require occasional Administrator access. A typical user name for an Administrator account is... Administrator! Go figure.
Note that it is considered to be a good idea to disable the default built-in Administrator account and create another Administrator account with a different name. For example, NetworkAdmin.
Administrator accounts are used by users to carry out tasks that require special permissions, such as installing software or renaming a computer.
These Administrator accounts should be regularly audited – this should include a password change, and confirmation of who has access to these accounts.
Windows Domain Administrator Groups
On a Windows network, there are several Security Groups that have high levels of access to various parts of the network. These groups should be audited regularly to ensure that there are no normal users as members, only Administrators. The default groups are:
There may be other groups with high levels of access that have been manually created. These should be documented and added to the auditing process.
Domain Service Accounts
There is another type of user account that has special access to parts of your network – the Service Account. Service Accounts are user accounts that are used by software (normally on a server) to carry out automated tasks such as running backups, or managing your anti-virus administration. These services should never be set up to use Administrator account credentials – there should be at least one dedicated Service Account on your network.
Domain Guest Accounts
Windows has a default guest account called Guest. These guest accounts are the first port of call for criminal hackers and should be immediately and permanently disabled. If a guest account is required, it should not have an obvious name such as Guest.
Domain User Accounts
These are the normal user accounts that are used by staff in their day-to-day work to log onto a computer and do their normal work. They should not have any special permissions that could potentially lead to damage or data loss. These user accounts are normally members of a Security Group called Domain Users.
In some cases, it is necessary to grant special or administrative permissions to users. This should be restricted to Local Admin access (they are Administrators only on their own computers, and not on the Domain).
These are similar to Domain accounts, but are limited to local access only. Local access can be to a computer or a server. Local accounts can be Administrator accounts, normal user accounts, and Guest accounts. The built-in Administrator and Guest user accounts should always be disabled on workstations, and the built-in Guest user accounts should always be disabled on servers.
On computers and servers, there is a default Security Group called Administrators. Membership of this group should be limited to a domain group called Domain Admins.
For help on creating user profiles or groups correctly, or on network security, give us a call and one of our trusted engineers will be happy to help. 020 8875 7676