Stories by Roger Grimes

Opinion: How many enterprise admins is too many?

I'm often asked how many enterprise admins — the most privileged users on a Windows network — a company should have. The answer is straightforward enough: the bare minimum. Doling out that type of power willy-nilly is a great way to expose your systems to attacks. In fact, the No. 1 way to minimise overall security risk is to minimize the number of enterprise admins you have and how often they need to logon.
The specific number depends on the operational needs and business strategies of each environment, but as a best practice, two or three is probably a good amount. At some companies, I've seen anywhere from several dozen to over a hundred, which is far too many. Many organisations simply add every administrator and help desk technician to the enterprise admins group to make it easy for them to fix and configure the computers they need to administer. These employees use their enterprise admin accounts to manage the network, as well as to pick up email and surf the web. Hackers love that.
Not only should enterprise admin rights be handed out with care, they should be used with discretion. Such accounts should only be used for tasks that span multiple Active Directory domains, and for activities that require that sort of elevated membership, as many network configuration items do. Enterprise admins should not be logged on for surfing the web, picking up email, or any other task that doesn't require enterprise admin abilities.
In most cases, admins can be instead added to the Domain Admins group — which, coincidentally, needs to be protected nearly as much as Enterprise Admins. Alternatively, you can use Active Directory delegation. Need to manage all the users in a forest? Use the Active Directory delegation. Need to have full control over every file, folder, and registry key on a server? Again, try Active Directory delegation. I'm hard-pressed to find scenarios where delegation doesn't work better than assigning dozens of users into the enterprise admins group.
There is a downside to Active Directory delegation: It's difficult to audit. Delegation creates granular security permissions that are difficult to collect across the enterprise unless you run auditing tools on every forest-joined computer. That's a big problem, but I prefer it over granting a user full control over every asset and object in a forest by default.
Minimizing the number of highly privileged admin accounts takes you halfway toward decreasing security risk, but it's not the only thing that matters. Among other recommendations, all admin user accounts should have long passwords, 15 characters or more. This disables the easy-to-break password hashes (e.g. LANMan) and prevents password guessing. Passwords should be changed on a regular basis; every 90 days is a good period of time, although I'm willing to go even longer with 15-character passwords — so 180 days isn't out of the question. Your audits might flag a lengthier setting.
Grimes is a security consultant in the US