permissions assigned/restricted with cyber security personnel

Question

I am interested to learn if you have any specific policies in your companies about what permissions you can or cannot grant to cyber security professionals? I have read some companies actually reduce the permissions/roles etc granted to cyber security management to help enforce the concepts of ‘separation of duties’ (so independence from certain functions/protect against conflicts of interest), but in practice I wondered how commonplace this was and what specifically you keep away from cyber security staff in terms of AD permissions. For example do your cyber security professionals get domain admin or other privileged roles in your AD, or do you have to tactically remove certain privileges from their accounts (and if so which/why)? It may be easier to describe any specific actions/duties/support/troubleshooting that you don't allow the cyber security employees to perform as opposed to specific roles etc.

Answer 1

Hi @crib bar

They don't need domain admin privilege. You should give them least privilege based on their needs like others administrators in your team.

Domain admins privilege is required only for admin who need performing some action like DC promo.

I invite your to take a look at this link : Implementing Least-Privilege Administrative Models

---

Please don't forget to accept helpful answer