ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Post Info TOPIC: Are there any risks associated with delegating certain account management in Active Directory to contractors?


Member

Posts: 16
Date: May 31, 2012
Are there any risks associated with delegating certain account management in Active Directory to contractors?


Hello,

We are working with a vendor to potentially explore the possibility of outsourcing the management of our Active Directory to this vendor.

To begin with, and to get a sense of how things might end up, we were thinking of delegating a few basic account management tasks to IT personnel from this vendor. Nothing fancy - just basic tasks like password resets and ability to enable disabled accounts etc.

Are there any risks associated with delegating these basic account management tasks to these IT personnel, who currently have "contractor" status in our AD?

We don't think there's much to be concerned about, but we aren't experts here (thus exploring the possibility of outsourcing AD management anyway) so thought of asking the question.

Thanks for your suggestions.

John.



__________________


Member

Posts: 9
Date: Jun 29, 2012
RE: Are there any risks associated with delegating certain account management in Active Directory to contractors?


John,

There are always risks associated with delegating any aspect of management, and account management in Active Directory is no exception.

In your case though, the question is more relevant because you are considering delegating account management to contractors.

In general, the amount of trust imposed in employees tends to be more than that imposed in contractors, even though in most cases, thick SLAs govern the relationship between the company and the contractors.

In this case, the risk depends upon which tasks you are delegating, what accounts you are delegating them on, and how much trust you are able to impose in the contractors.

For example, the risk of delegating password resets on Executive Accounts (e.g. CEO, CFO etc.) or administrative accounts (e.g. Domain Admin accounts etc.) is much higher than the risk of delegating access on regular employees (e.g. Sales Specialist, Executive Assistant etc.) although even in those cases, there is still something to be lost.

All in all, delegation is a powerful tool if used well, but you must use it well, and always know who you have delegated what access to.

I hope my thoughts help, and I wish you good luck.

Antoine.



__________________
Judge a man by his questions rather than by his answers


Member

Posts: 16
Date: Jul 20, 2012
RE: Are there any risks associated with delegating certain account management in Active Directory to contractors?


Antoine,

Thanks much for sharing your thoughts in this regard.

As of now, we're thinking about delegating the top few most requested account management operations - i.e. account creations, password resets, account de-activations and account re-activations.

In light of what you shared, we've started thinking about how to best delegate these operations in a way that we can try to know exactly whom we're delegating these operations to, and exactly who can perform these operations. 

I must admit that we've come to find that while it's easy to precisely delegate authority, it's not as easy to precisely find out who is delegated what authority. For now, we're banking on the fact that no one will change our delegations and that they will thus continue to be as implemented.

We do however worry about another admin changing the delegations or changing the group memberships we're using to make these delegations. (The second one is more concerning since the management of those groups is not in our hands, but in fact is in the contractor's hands.)

Would've been nice if Active Directory could help us find out exactly who's delegated what access just as easy as it makes it to delegate access.

Anyway, thanks for your help and your perspectives. They did help us make some enhancements to our approach.

Kindest wishes,

John



__________________
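A first-pass inventory of the delegations discussed in this thread (password resets, enabling and disabling accounts, account creation), as an added example that is not part of the original posts. It assumes the ActiveDirectory PowerShell module and a placeholder OU name, reads only the Allow entries on that OU's own ACL, and expands each trustee group to its current members; Deny entries and ACLs set on individual accounts are not evaluated, so it is not a full effective-permissions calculation.

```powershell
Import-Module ActiveDirectory

# Assumption: placeholder OU; substitute the OU that holds the delegated accounts.
$TargetOU = 'OU=Staff,DC=example,DC=com'

# Well-known schema GUIDs, the same in every forest.
$ResetPwd  = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right
$UacAttr   = [guid]'bf967a68-0de6-11d0-a285-00aa003049e2'  # userAccountControl attribute
$UacSet    = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'  # Account Restrictions property set
$UserClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
$Any       = [guid]::Empty   # ACE not narrowed to one right, attribute or class
$R = [System.DirectoryServices.ActiveDirectoryRights]

function Get-DelegatedTask($Ace) {
    # Map one Allow ACE to the account-management tasks it can grant.
    $rights = $Ace.ActiveDirectoryRights; $type = $Ace.ObjectType
    if ($rights.HasFlag($R::ExtendedRight) -and ($type -in $ResetPwd, $Any)) { 'ResetPassword' }
    if ($rights.HasFlag($R::WriteProperty) -and ($type -in $UacAttr, $UacSet, $Any)) { 'EnableDisable' }
    if ($rights.HasFlag($R::CreateChild) -and ($type -in $UserClass, $Any)) { 'CreateUser' }
}

$report = foreach ($ace in (Get-Acl -Path "AD:\$TargetOU").Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $tasks = @(Get-DelegatedTask $ace)
    if (-not $tasks) { continue }

    # Expand groups so the report names people, not just the group that was delegated to.
    $members = $null
    try {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $members = Get-ADGroupMember -Identity $sid -Recursive -ErrorAction Stop
    } catch { }   # trustee is a single account or a principal that is not an AD group

    [pscustomobject]@{
        Trustee          = $ace.IdentityReference.Value
        Tasks            = $tasks -join ','
        Inherited        = $ace.IsInherited
        EffectiveMembers = ($members.SamAccountName | Sort-Object -Unique) -join ';'
    }
}

$report | Sort-Object Trustee, Tasks | Format-Table -AutoSize -Wrap
```

Saving each run with `Export-Csv` and diffing consecutive runs with `Compare-Object` surfaces both changed delegations and changed membership of the groups the delegations rely on.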