I've said it before: Every Fortune 500 company is compromised by APTs (advanced persistent threats). In fact, you'd be hard-pressed to find a single computer security expert who would argue differently.
But the experts, including me, could well be wrong. I recently encountered one company that's a classic exception to the rule.
[ Roger A. Grimes maintains you don't need a firewall. Do you agree? Let him know. | Find out how to block the viruses, worms, and other malware that threaten your business, with hands-on advice from InfoWorld's expert contributors in InfoWorld's "Malware Deep Dive" PDF guide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
How did this organization do it? It has no admins in the conventional sense -- nada. Zero. Null set.
By this, I mean the company has no default members in any elevated group: no enterprise admins, domain admins, schema admins, power users, or administrators. All "administrators" are delegated specific rights and permissions to the Active Directory objects they need to access and only for what they need to do. It's least privilege in action!
In the rare instance someone needs to belong to an elevated group, that person must fill out a change control form days ahead of time and get approval -- at which point he or she is added for a specific period in order to perform a specific task. All relevant IT employees are notified.
I've talked about reducing admins to the bare minimum many times in the past, but what impressed me even more is, in this company's case, all the delegation is accomplished using built-in Active Directory tools. Most other companies I know doing heavy delegation use third-party vendor tools, like Quest ActiveRoles Server. But the company in question has been using built-in Windows delegation tools exclusively.
They create groups for each task -- from changing passwords to managing servers -- according to region or organizational unit (for example, GGrp_PrintAdmins_Austin or UGrp_PasswordChanges_EMEA). Then they assign the correct users to each group/task to allow them to perform their jobs. But no one is added as a permanent member to any elevated group. The groups are empty most of the time.