Passwords of shared accounts should also be changed anytime a member separates employment or changes job duties. Many companies are now requiring two-factor authentication (such as key fobs, smartcards, biometric) for admins. It's a good practice, although it can be expensive to enable for admins only.
I'm also a big fan of creating dedicated admin workstations for domain or enterprise admins. Elevated users should avoid logging onto regular workstations to troubleshoot problems, if possible. You never know what malware (such as a keystroke logger) may be present. One logon could compromise your network in a big way. Having dedicated admin workstations, which are kept superclean and used only for administrative tasks, is a good way to protect sensitive logon credentials. Some companies require that users RDP from "dirty workstations" to clean admin virtual images as a half-way step, but that still doesn't remove the threat of a local key logger.
If an elevated user has to log on to a nondedicated workstation or server, the admin should reboot the computer after completing their task (if at all possible), to remove the elevated credential from memory. If not, someone using pass-the-hash tools could obtain the hashes and re-use them to again elevate access.
I'm also an advocate of third-party software that helps companies manage elevated accounts. I often run into Cyber-Ark's privilege identity manager solutions. It's pretty cool stuff and perfect for managing elevated accounts. Admin accounts can be locked into a digital vault, then protected by granular policies that enforce rules and checkout procedures in order for an elevated account to be used. One of my favorite features is the one-time-use passwords, where the password is changed for each user and occasion. You can also easily enable auditing of who used what accounts when.
In Windows Vista and later, you can create special audit events anytime someone belonging to a predefined group logons. See KB947223 for more details. In a nutshell, you define one or more groups (using their SIDs) into a local registry key (HKLM\System\CurrentControlSet\Control\Lsa\Audit\SpecialGroups); thereafter, Windows will generate a 4964 event ID message when someone belonging to the defined group logs on. This is a great way for pulling out useful information instead of just sifting through every regular logon event.
No matter how you do it, you should probably perform periodic audits to see who is a member of your elevated admin groups. It isn't typical to see the number of members creeping up as time goes on, as "temporary" admins get left and made permanent. You should strive to minimize the number of admin accounts and secure those that are needed.
This story, "How many enterprise admins is too many?," was originally published at InfoWorld.com. Follow the latest developments in security and read more of Roger Grimes's Security Adviser blog at InfoWorld.com.