
Best practices would dictate that domain admins should not be logged into as such for daily tasks.

Ideally the user would have two accounts: their "daily" account and their domain admin account.

How can one assure (through a technical control) that Bob doesn't use the same password for his domain admin account that he does for his daily account?

For this to work, I would assume there would need to be the ability to tie ownership of the 2 accounts to a specific entity and enforce password uniqueness between those two accounts and those two accounts only.

Otherwise, people could determine that someone else is using the same password as them if uniqueness were forced across all accounts.

k1DBLITZ

2 Answers


Forcing unique passwords for the domain admin and daily accounts would simply make people use something like "MyP@ssw0rd1" for their daily account and "MyP@ssw0rd2" for domain admin.

That would make the passwords easily guessable anyway; knowing the daily password would make it easier for an attacker to deduce the domain password from it.

The risk you want to protect against is that malicious software or a malicious user could access the domain admin account by knowing the password of the daily account.

To protect against this I would suggest using a 2FA token solution with OTP tokens, either time-synced or event-synced, or even a YubiKey. The good thing with code-based OTP tokens or a YubiKey is that they can be used in legacy password systems by simply replacing the password validation module with one that can validate a code consisting of both a static password and an OTP. 2FA is then only enabled for domain admin, which means the token can be securely locked away in a safe while it's not used.

Another solution is to enforce a two-person access rule. Simple: you have two domain administrators. One domain administrator types a password half that he knows without the other one looking, then the other domain administrator types another half that he knows, without administrator 1 looking. Then both persons must come together to access the domain administrator account, which increases both traceability and security, since you would need to know both password halves; so even if both administrators set their halves to their daily password, security is not compromised.

sebastian nielsen
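As an added example (not part of the answer above, and not any vendor's code), here is what the replacement "password validation module" the answer describes could look like: the user types the static password immediately followed by a 6-digit time-based OTP into the single legacy password field, and the verifier checks both factors. The OTP part is RFC 6238 TOTP (HMAC-SHA1, 30-second step) and the static part is checked against a salted PBKDF2 hash. The account record layout, the `AdminAccount` class, the window of one step either side, and the demo secret and password are assumptions made for this example; the secret is the RFC 6238 test key so the codes are reproducible.

```python
import hashlib
import hmac
import secrets
import struct

TOTP_STEP = 30        # seconds per time step (RFC 6238 default)
OTP_DIGITS = 6
PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AdminAccount:
    """Hypothetical stored record for a 2FA-protected domain admin account."""

    def __init__(self, static_password: str, totp_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(static_password, self.salt)
        self.totp_secret = totp_secret
        self.last_step = -1   # highest time step already accepted, used to block replay


def verify_combined(account: AdminAccount, submitted: str,
                    unix_time: int, window: int = 1) -> bool:
    """Validate '<static password><6-digit OTP>' typed into a single password field."""
    if len(submitted) <= OTP_DIGITS:
        return False
    static, otp = submitted[:-OTP_DIGITS], submitted[-OTP_DIGITS:]
    if not otp.isdigit():
        return False

    # Evaluate both factors every time so a failure does not reveal which one was wrong.
    pw_ok = hmac.compare_digest(hash_password(static, account.salt), account.pw_hash)

    current = unix_time // TOTP_STEP
    matched_step = None
    for step in range(current - window, current + window + 1):
        if step <= account.last_step:
            continue  # this step (or an older one) was already consumed: reject replay
        if hmac.compare_digest(hotp(account.totp_secret, step), otp):
            matched_step = step

    if pw_ok and matched_step is not None:
        account.last_step = matched_step   # burn the code only on a fully successful login
        return True
    return False


if __name__ == "__main__":
    # Constructed demo values: the RFC 6238 test secret and a made-up static password.
    demo = AdminAccount("correct horse battery", b"12345678901234567890")
    code = totp(demo.totp_secret, 59)   # "287082", matching the RFC 6238 test vector
    print(verify_combined(demo, "correct horse battery" + code, 59))   # True
    print(verify_combined(demo, "correct horse battery" + code, 59))   # False: replayed code
```

Knowing the daily password (or even the admin static password) now yields at most one factor, and an observed code is rejected once consumed. The same verifier also covers the two-person rule from the answer: if the "static" part is the two administrators' halves concatenated, only the hash of the whole string is stored, so neither half on its own is checkable against it.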

I am assuming we are discussing Windows Active Directory within a domain.

As far as I know, it is not possible to enforce unique passwords between two separate accounts related to the same end user using standard methods of password implementation.

You CAN, however, use third-party software to manage administrator accounts and change the password to a suitably difficult randomly generated one. (This doesn't keep them from changing it to whatever they want later, since they are domain administrators... but it works really well for local administrators!)

Desthro