AD related separation of duties for high-risk functions

crib bar 846 Reputation points
2024-02-12T13:53:29.1466667+00:00

Do any of your general day-to-day maintenance tasks around AD users/security groups/computers include applying the principle of 'segregation of duties'? And if so, which specific tasks? It is often a requirement to satisfy anti-fraud/cyber security/data protection policies to have any access/authorization type tasks segregated across 2 or more admins to prevent misuse/fraud, but I wondered in practice if this is something you actually have to adhere to, and if so which types of AD maintenance tasks do you segregate between more than 1 admin. In case it's a new concept: segregation of duties is just a basic security principle to purposely spread high-risk tasks/activities across two or more admins/users to reduce the risk of fraud or general mistakes/errors. It's very common in financial systems, but the same concepts apply to any IT/infrastructure app including AD. It's just working out which 'high risk' AD activities require spreading.


1 answer

  1. Thameur-BOURBITA 36,266 Reputation points Moderator
    2024-02-13T10:23:11.9933333+00:00

    Hi @crib bar

    The segregation of tasks and rights of administrative accounts must align with the tiering model (T0, T1, T2). T0 is the list of the most critical services and identity servers, where in case of compromise the entire domain will be impacted, such as Active Directory, the certification authority, the Entra Connect server, etc.

    T1: all application servers (SharePoint, SQL, etc.). T2: workstation scope. This means that you must avoid using the same administrator account to manage two assets that belong to two different tiers. Within the same tier, you can further segment the roles and create an administration account for each task, which will strengthen security but will complicate the management of administration accounts. You should also give minimum privilege to each admin account.


    Please don't forget to accept the helpful answer.

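The answer above says the same admin account must not manage assets in two different tiers. One way to check that rule in practice is to enumerate the admin groups of each tier and flag any account that appears in more than one. The PowerShell below is an added example, not code from the original thread or from Microsoft; the Tier 1 and Tier 2 group names (`T1-ServerAdmins`, `T2-WorkstationAdmins`) are assumptions you would replace with your own, and the sample membership table at the end is constructed so the logic can be run without a domain.

```powershell
# Added example: audit admin accounts for cross-tier membership (a breach of
# the T0/T1/T2 separation described in the answer). Not from the original post.
# Group names for T1/T2 are assumptions; adjust to your own delegation groups.

$TierGroups = @{
    'T0' = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators')
    'T1' = @('T1-ServerAdmins')        # assumed name of your Tier 1 server-admin group
    'T2' = @('T2-WorkstationAdmins')   # assumed name of your Tier 2 workstation-admin group
}

function Get-TierMembership {
    # Queries AD (requires the ActiveDirectory RSAT module) and returns a
    # hashtable mapping SamAccountName -> set of tiers the account belongs to.
    param([hashtable]$Groups)

    $membership = @{}
    foreach ($tier in $Groups.Keys) {
        foreach ($group in $Groups[$tier]) {
            # -Recursive expands nested groups so indirect membership is caught too.
            Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
                Where-Object { $_.objectClass -eq 'user' } |
                ForEach-Object {
                    if (-not $membership.ContainsKey($_.SamAccountName)) {
                        $membership[$_.SamAccountName] = New-Object 'System.Collections.Generic.HashSet[string]'
                    }
                    [void]$membership[$_.SamAccountName].Add($tier)
                }
        }
    }
    return $membership
}

function Find-TierViolation {
    # Pure evaluation, no AD access: emits every account present in two or more tiers.
    param([hashtable]$Membership)

    foreach ($account in $Membership.Keys) {
        $tiers = @($Membership[$account] | Sort-Object)
        if ($tiers.Count -gt 1) {
            [pscustomobject]@{ Account = $account; Tiers = ($tiers -join ',') }
        }
    }
}

# Constructed sample data (not real accounts) so the check can be exercised offline.
$sample = @{
    'adm-t0-alice' = [string[]]@('T0')          # compliant: one tier only
    'adm-t1-bob'   = [string[]]@('T1')          # compliant
    'adm-carol'    = [string[]]@('T0', 'T1')    # violation: same account spans T0 and T1
    'adm-dave'     = [string[]]@('T1', 'T2')    # violation: same account spans T1 and T2
}
Find-TierViolation -Membership $sample | Format-Table -AutoSize

# Against a live domain (run from a Tier 0 admin workstation):
# Find-TierViolation -Membership (Get-TierMembership -Groups $TierGroups) | Format-Table -AutoSize
```

`Get-ADGroupMember -Recursive` does not follow foreign security principals from trusted domains and errors on very large groups, so for forests with trusts or huge groups a `tokenGroups`-based query per account is the more complete approach; the evaluation function above is unchanged either way, since it only needs the account-to-tier map.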
