S 2.411 Separation of the administration of services and data of an Active Directory

Initiation responsibility: Head of IT

Implementation responsibility: Administrator

The administrative tasks that arise for Windows Server operating systems running Active Directory can be divided between two roles, "service administration" and "data administration", each with its own area of responsibility.

Service administration refers to the administration of the Active Directory service itself. Service administrators operate the domain controllers, for example by installing operating-system updates, and configure the Active Directory, for example by specifying directory-wide settings such as trust relationships or the replication topology. Since whoever controls a domain controller effectively controls the whole directory, service administration is the most privileged role in the domain.

Data administration covers the objects stored in the Active Directory (user, group and computer accounts, for example) and the member computers within the overall Active Directory structure; it should be performed by data administrators. Data administrators must not be able to make any changes to the Active Directory service itself, for example to the replication of the directory service. Their authorisations should be restricted as far as possible to individual areas of the directory, such as particular organizational units, by means of access control lists (ACLs) on those objects.

The separation is necessarily one-sided. Because service administrators require far-reaching authorisations to administer the directory service, and could in any case grant themselves any data-administration right, they are also able to perform data-administration tasks. Data administrators, by contrast, must not be able to change the configuration of the Active Directory.
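The ACL-based delegation described above, and the check that the resulting data-administration role does not also carry service-administration rights, as an added PowerShell example (not part of the BSI catalogue text). The domain example.com, the organizational unit "OU=HR,DC=example,DC=com" and the group "HR-DataAdmins" are hypothetical; the script requires the RSAT ActiveDirectory module and must be run by a service administrator, since changing an OU's ACL is itself a service-administration task.

```powershell
# Added example, not from the BSI catalogue: delegate data administration for one OU
# to a group, then verify the group holds no service-administration rights.
# Hypothetical names: domain example.com, OU "OU=HR,DC=example,DC=com", group "HR-DataAdmins".
Import-Module ActiveDirectory

$ou        = 'OU=HR,DC=example,DC=com'
$groupName = 'HR-DataAdmins'
$group     = Get-ADGroup -Identity $groupName

# Well-known schema GUIDs used to scope the ACEs (identical in every forest)
$userClass = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # object class "user"
$resetPwd  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # control access right "Reset Password"
$all       = [Guid]::Empty                                   # "all object types" / "all properties"

function New-DelegationAce {
    # Builds an Allow ACE for $Identity, limited to one object type and one inheritance scope
    param($Identity, [string]$Rights, [Guid]$ObjectType, [string]$Inheritance, [Guid]$InheritedObjectType)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Identity,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
        $InheritedObjectType)
}

# --- Delegation: only what a data administrator of this OU needs ---------------------
$acl = Get-Acl -Path "AD:\$ou"
# Create and delete user objects in the OU and its sub-OUs
$acl.AddAccessRule((New-DelegationAce $group.SID 'CreateChild, DeleteChild' $userClass 'All' $all))
# Write every attribute of existing user objects below the OU ...
$acl.AddAccessRule((New-DelegationAce $group.SID 'WriteProperty' $all 'Descendents' $userClass))
# ... and reset their passwords
$acl.AddAccessRule((New-DelegationAce $group.SID 'ExtendedRight' $resetPwd 'Descendents' $userClass))
Set-Acl -Path "AD:\$ou" -AclObject $acl

# --- Check 1: no nesting in groups that confer service-administration rights --------
# Assumes a single-domain forest; Enterprise Admins and Schema Admins exist only in the
# forest root domain and would have to be queried there in a multi-domain forest.
$serviceAdminGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                        'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators')
$dn = $group.DistinguishedName   # escape LDAP-special characters (e.g. '(' or '*') in real DNs
# LDAP_MATCHING_RULE_IN_CHAIN returns every group that contains $dn at any nesting depth
$parents = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
           Select-Object -ExpandProperty Name
$violations = @($parents | Where-Object { $serviceAdminGroups -contains $_ })
if ($violations.Count -gt 0) {
    Write-Warning "$groupName inherits service-administration rights via: $($violations -join ', ')"
}

# --- Check 2: no explicit ACEs on the domain head --------------------------------------
# Control access rights such as "Replicating Directory Changes" are granted on the domain
# head, so a data-administration group must have nothing of its own there.
$domainDn   = (Get-ADDomain).DistinguishedName
$domainAces = @((Get-Acl -Path "AD:\$domainDn").Access |
              Where-Object { $_.IdentityReference -like "*\$groupName" -and -not $_.IsInherited })
if ($domainAces.Count -gt 0) {
    Write-Warning "$groupName holds explicit ACEs on ${domainDn}:"
    $domainAces | Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType -AutoSize
}

# Show the effective delegation on the OU for review
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

The delegation grants the group only object-type-scoped rights below the OU (creation, deletion, attribute writes and password resets on user objects) and nothing on the domain head, so the group cannot touch replication, trusts or the directory configuration. The two checks are the part worth running regularly: a data-administration group that is later nested into Account Operators or Domain Admins, or given an ACE on the domain head, has silently become a service-administration group.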

To prevent any misuse of the administrative accounts, the user accounts for the roles stated above must be protected appropriately. The required configuration settings in the Active Directory itself are listed in safeguard S 4.318 Implementation of secure administration methods for Active Directory.

Review questions: