permissions assigned/restricted with cyber security personnel

crib bar 781 Reputation points
2024-01-29T08:08:45.41+00:00

I am interested to learn if you have any specific policies in your companies about what permissions you can or cannot grant to cyber security professionals? I have read some companies actually reduce the permissions/roles etc granted to cyber security management to help enforce the concepts of ‘separation of duties’ (so independence from certain functions/protect against conflicts of interest), but in practice I wondered how commonplace this was and what specifically you keep away from cyber security staff in terms of AD permissions. For example do your cyber security professionals get domain admin or other privileged roles in your AD, or do you have to tactically remove certain privileges from their accounts (and if so which/why)? It may be easier to describe any specific actions/duties/support/troubleshooting that you don't allow the cyber security employees to perform as opposed to specific roles etc.

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,155 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,775 questions
Microsoft Intune Security
Microsoft Intune Security
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
371 questions
Microsoft Entra
0 comments
Accepted answer
  1. Thameur-BOURBITA 32,621 Reputation points
    2024-01-29T08:50:55.3766667+00:00

    Hi @crib bar

    They don't need domain admin privilege. You should give them least privilege based on their needs like others administrators in your team.

    Domain admins privilege is required only for admin who need performing some action like DC promo.

    I invite your to take a look at this link : Implementing Least-Privilege Administrative Models

    Please don't forget to accept helpful answer

    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest