Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


Oriphix

523 posts

Ultimate Geek


#142906 28-Mar-2014 09:31

Hi All,

I am currently looking at improving and securing our IT service desk access to servers.

I tried to find what other companies currently give access to there service desk however I couldn't find anything.

General requests are resetting passwords, folder permissions, restarting print spoolers, creating new AD users / exchange mailboxes 

Currently the accounts have domain admin so they can do everything.

I would like to remove the following:

- Shutting down / restarting servers
- Installation of programmes

Does anyone know what else I could remove or what other companies have in place currently as a standard?

Thanks.


Create new topic
Steve113
99 posts

Master Geek


  #1015100 29-Mar-2014 16:04
Send private message

Hi Mate,
There are multiple ways to do this. With security permissions\enhancements generally you're best practice is to start with a tight set of permissions and work your way up from there as needed. Personally i would start by removing DA access and look at setting up Active directory groups that are a member of the local server groups you want SD to gain access to.
For example if you setup an AD group called 'SD-Power Users' and make that group a member of the local 'Power Users' group on your servers via policy. Then you can add the service desk accounts as members of this group.
http://technet.microsoft.com/en-us/library/cc785098(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc773320(v=ws.10).aspx

If you then decide that Power Users has shutdown rights or other rights that you want to restrict then you can load up 
Start-->Run-->secpol.msc
Navigate to:
Security Settings\Local Policies\User Rights Assignment
Shut down the system (remove the group from there)
http://technet.microsoft.com/en-us/library/dn221963.aspx


Another way is to setup a matrix like chart of the access level you want to grant vs whats being offered by the default local groups in Windows and fine tune it via 'User Rights Assignment'.
With Active Directory you can look at setting delegate access to Certain AD containers that the service desk can add\remove\move from rather than the entire forest.
With File Server permissions again you can set up multiple AD groups that have restricted NTFS access to the File Server (i.e. only allow access to the root path of profiles)

It all depends on how granular you want to get and to find the 'right' balance between local group rights and User Rights Assignment rights.




Create new topic





News and reviews »

Air New Zealand Starts AI adoption with OpenAI
Posted 24-Jul-2025 16:00


eero Pro 7 Review
Posted 23-Jul-2025 12:07


BeeStation Plus Review
Posted 21-Jul-2025 14:21


eero Unveils New Wi-Fi 7 Products in New Zealand
Posted 21-Jul-2025 00:01


WiZ Introduces HDMI Sync Box and other Light Devices
Posted 20-Jul-2025 17:32


RedShield Enhances DDoS and Bot Attack Protection
Posted 20-Jul-2025 17:26


Seagate Ships 30TB Drives
Posted 17-Jul-2025 11:24


Oclean AirPump A10 Water Flosser Review
Posted 13-Jul-2025 11:05


Samsung Galaxy Z Fold7: Raising the Bar for Smartphones
Posted 10-Jul-2025 02:01


Samsung Galaxy Z Flip7 Brings New Edge-To-Edge FlexWindow
Posted 10-Jul-2025 02:01


Epson Launches New AM-C550Z WorkForce Enterprise printer
Posted 9-Jul-2025 18:22


Samsung Releases Smart Monitor M9
Posted 9-Jul-2025 17:46


Nearly Half of Older Kiwis Still Write their Passwords on Paper
Posted 9-Jul-2025 08:42


D-Link 4G+ Cat6 Wi-Fi 6 DWR-933M Mobile Hotspot Review
Posted 1-Jul-2025 11:34


Oppo A5 Series Launches With New Levels of Durability
Posted 30-Jun-2025 10:15



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.