Using Role-based Administration for Optimal Delegation


When administrative functions are distributed or delegated to different groups or users, it helps to map out this distribution by first identifying those key responsibilities, and then to organize them into principal roles. This section will outline high-level IT administrative roles based on industry best practices. The following sections will detail how Windows Server 2003 can be used to delegate administrative control over the various IT functions.

Some of the roles outlined in this section can be combined depending on the size, structure, and service level agreements of the given IT organization. Small companies might have only one individual responsible for all administrative roles, whereas large companies might have several individuals responsible for a single role.

The Operations Manager

The Operations Manager is responsible for the overall design of IT systems administration across the scope of the entire computing environment. Basically this is the top role that determines how administration will be distributed based on the size, architectural layout, geography, security requirements, and service level agreements of the company. The Operations Manager coordinates the efforts of all the other administrative roles.

The Security Administrator

Security administration is an important role in any company's IT organization. An information system with a weak security foundation will inevitably experience a security breach. This administrative role covers many areas of IT administration. The key responsibility of the security administrator is to ensure the following:

  • Data confidentiality. Data internal to the company should only be accessible to users who have authorization.

  • Data integrity. The data available to authorized users should be accurate and free from tampering.

  • Data availability. Users authorized to view data should be able to view it when they need it.

The security administration role requires delegated rights and permissions in order to implement, manage, and audit security controls and policies. This role also requires the administrative control to respond to security events.

The Network Administrator

The network administration role is concerned with providing a reliable and consistent network infrastructure. The network infrastructure should meet or exceed service level agreements while at the same time optimize the company's assets. In addition to being responsible for network hardware configurations and performance, this role is often also responsible for network services such as DNS and DHCP.

When Active Directory is installed, Windows Server 2003 allows the responsibilities of the network administrative role to be further distributed through the use of built-in user groups. Though you can create your own groups for delegating rights and permissions, the following built-in groups can expedite the delegation of administrative control over some network administrator functions:

  • Network Configuration Operators. This group has the right to make TCP/IP setting changes on Domain Controllers within the domain.

  • DNSAdmins. Installed with the DNS service, members of this group have administrative access to the DNS Server service.

  • DHCP Administrators. This group is created when DHCP is installed on a server. Members of this group can administer all DHCP scopes configured on the server.

BEST PRACTICE: Distributing Administrative Roles

It is best practice to distribute the role of the network administrator and the security administrator of the network to different individuals. The security administrator should have access to view and delete logs, as well as be authoritative over all modifications or changes to high-level security rights on the network.

By making the network administrator also the security administrator, there exists the potential for the network administrator to access sensitive information and then delete the logs that track the changes.

Although the network administrator might not intend to access sensitive information inappropriately, the fact that the network administrator could also change security privileges creates the potential for the network administrator to be blamed for security breaches. To minimize this risk, simply give another individual the log deletion privilege: the network administrator can still complete all administrative tasks, and her risk of being blamed for unmanaged access to security information and for breaches is limited.
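A separation-of-duties check for the practice above, as an added example that is not from the book: it resolves nested group membership over a constructed sample directory and reports anyone who holds both a network-administration group named in this section and a hypothetical "Security Admins" group (that group name is an assumption; the book names no such group, and in practice the membership map would be exported from Active Directory rather than typed inline).

```python
from collections import defaultdict

# Role definitions: the built-in groups this section lists for network-administrator
# delegation, plus a hypothetical "Security Admins" group (assumption, not from the
# book) standing in for whoever holds the log-deletion and security-rights authority.
NETWORK_ADMIN_GROUPS = {"Network Configuration Operators", "DNSAdmins", "DHCP Administrators"}
SECURITY_ADMIN_GROUPS = {"Security Admins"}

# Constructed sample directory: group -> direct members (user names or nested groups).
SAMPLE_GROUPS = {
    "DNSAdmins": {"alice", "NetOps"},
    "DHCP Administrators": {"NetOps"},
    "Network Configuration Operators": {"bob"},
    "NetOps": {"carol", "dave"},          # nested group used by two network groups
    "Security Admins": {"erin", "carol"}, # carol also holds the security role
}

def effective_members(groups, group_name):
    """Return the users of a group, following nested groups (cycle-safe)."""
    seen, stack, users = set(), [group_name], set()
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        for member in groups.get(name, set()):
            if member in groups:
                stack.append(member)  # nested group: descend into it
            else:
                users.add(member)
    return users

def find_role_conflicts(groups, network_groups=NETWORK_ADMIN_GROUPS,
                        security_groups=SECURITY_ADMIN_GROUPS):
    """Return {user: {"network": groups, "security": groups}} for users holding both roles."""
    roles = defaultdict(lambda: {"network": set(), "security": set()})
    for g in network_groups:
        for u in effective_members(groups, g):
            roles[u]["network"].add(g)
    for g in security_groups:
        for u in effective_members(groups, g):
            roles[u]["security"].add(g)
    return {u: r for u, r in roles.items() if r["network"] and r["security"]}

if __name__ == "__main__":
    for user, held in sorted(find_role_conflicts(SAMPLE_GROUPS).items()):
        print(f"{user}: network via {sorted(held['network'])}, "
              f"security via {sorted(held['security'])}")
```

Only carol is reported, because her network role arrives indirectly through the nested NetOps group, which a check of direct membership alone would miss.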


The Directory Service Administrator

A directory service enables users and applications to find network resources such as users, computers, services, and other information on the network. The directory service administration role is primarily concerned with the operation, management, and support of the enterprise directory.

The directory service administrator must have rights and permissions to distribute and replicate a directory across a network to provide increased performance and redundancy. The administrator must also be able to enforce security to keep information safe from intruders.

The delegation of administering the Active Directory service in Windows Server 2003 is best performed by using Organizational Units (OUs) and the Delegation of Control Wizard discussed in the next section of this chapter.



Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
Year: 2003
Pages: 325
