Multiple Domain Admins are Unnecessary


Domain admins and global admins have carte blanche over on-premises and Office 365/Azure systems, respectively. After all, these are the people who work in the trenches and must manage these internal systems, so unrestricted access only makes sense. Or does it?

Having global and domain admins with unlimited access makes these accounts incredibly powerful, and with that power comes huge risk. Attackers look for the way into a system that lets them do the most damage possible, and by targeting these admin accounts they gain several openings to compromise a network. Although there is a genuine need for the functions these accounts provide, keeping the roles persistently assigned should not be considered best practice.

Best practice would be for businesses not to keep standing global admin or domain admin accounts in their domains. When the powers of these roles are needed, they are activated temporarily and then removed. This reduces the attack surface of the domain and keeps the most powerful accounts better protected.

Additionally, a user who needs administrative access in their domain does not necessarily need a domain admin or global admin account. A variety of narrower sub-roles can be assigned to accomplish most of the required tasks.
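A first step toward the practice above is knowing who holds standing Domain Admins membership today. The following PowerShell script is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module is installed, that the session runs as an account allowed to read the domain, and that a 30-day inactivity threshold is an acceptable starting point for review.

```powershell
# Added example: list every user account with persistent membership in the
# built-in Domain Admins group (including nested groups) and flag those that
# have not logged on recently. Stale standing admins are prime candidates for
# removal or conversion to just-in-time activation.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# 30 days is an assumed review threshold; adjust to local policy.
$staleAfter = (Get-Date).AddDays(-30)

$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName -Properties LastLogonDate, PasswordLastSet, Enabled
    [pscustomobject]@{
        Account            = $u.SamAccountName
        Enabled            = $u.Enabled
        LastLogon          = $u.LastLogonDate
        PasswordLastSet    = $u.PasswordLastSet
        # True when the account has never logged on or is past the threshold.
        StaleStandingAdmin = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt $staleAfter)
    }
}

$report | Sort-Object LastLogon | Format-Table -AutoSize
"Persistent Domain Admins: $(@($report).Count)"
"Stale standing admins:    $(@($report | Where-Object StaleStandingAdmin).Count)"
```

Run it on a schedule and compare the output against the list of people who are actually expected to hold the role; every name that is not on that list is standing privilege that could be activated only when needed instead.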

Domain admin privileges come with great responsibility. While holding the keys to your kingdom, you can inadvertently hand access to an attacker, who in turn can wipe out every system joined to the domain and gain access to confidential systems and data. This is a major risk for a company and one that can easily put you out of business.