S 2.38 Division of administrator roles
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
Many network operating systems offer the option to divide up the administrator role and to assign administrative activities to different users.
Thus, the following administrator roles can be set up, for example under Novell Netware 3.11: Workgroup Manager, User Account Manager, File Server Console Operator, Print Server Operator, Print Queue Operator.
Under Windows NT, defined administrator roles can be created by assigning user rights in a targeted manner to individual users or, even better, to groups. In addition to the group of administrators, groups such as power users (i.e. administrators with restricted rights), backup operators, print operators, server operators as well as reproduction operators must be mentioned in this respect. In addition to this, additional roles can be defined by means of the explicit assignment of user rights (see also S 4.418 Planning the use of Windows Server 2008).
If there are administrator roles for special tasks, they should be used. Especially if several persons have to be entrusted with administrative tasks in large systems, the risk of the outsized power of the administrator roles can be reduced by the corresponding division of tasks so that the administrators cannot carry out any unauthorised or unintentional changes to the system in an uncontrolled manner.
Despite dividing up administrative activities, in most cases the system also automatically opens an account for an administrator that is not subject to any restrictions, i.e. the supervisor. The supervisor password should, if at all, only be known to a small group of people. It must not be known to any of the subadministrators to ensure that they cannot extend their rights in this way. The password must be stored securely (see S 2.22 Escrow of passwords). The supervisor login can be additionally protected by applying the two-person-rule, e.g. by organisational safeguards such as a shared password. Here, the password must have a longer minimum length (12 or more characters). In this respect, it must be ensured that the full minimum length of the password is checked by the system.
Review questions:
- Are there different administrator roles for subtasks?
- If there is an existing supervisor account: Is the supervisor password only known to a minimum group of people?
- If there is an existing supervisor account: Is the supervisor password stored securely?