Some may find this to be a paranoid attitude. However, the entire reason that we, as
security professionals, have jobs, and that Microsoft is bundling a suite of security products
together, is that it helps to be paranoid in this industry. In fact, least privilege and separation
of duties are far from requirements of a paranoid data owner. They are security
fundamentals as recognized by the National Institute of Standards and Technology (NIST)
in their security-related publications, the International Information Systems Security
Certifications Consortium, and numerous best-practice whitepapers. Perhaps the primary
reason for relying on these principles is that insiders are still the number one threat that
organizations face.
386 Chapter 11 • Configuring Microsoft Internet Security and Acceleration Server 2006
For small to mid-sized organizations where fewer than a dozen IT personnel
control the infrastructure, and must be able to cover for each other on various tasks,
this separation of duties may not be feasible. However, for numerous enterprises with
multiple sites, thousands of nodes, and well-defined roles within the IT group, separation
of duties and least privilege are the norm.
This point aside, the argument Thomas Shinder has provided for making your ISA
Servers domain members is a valid one. Depending on the expertise of the people in your
organization, and on the need for technical controls that enforce this separation of duties,
you may still find it necessary to fix the issue of the Domain Admins group holding local
Administrators privileges on those servers.
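An added example (not from the book or from Microsoft) of the check a practitioner would run before deciding whether that fix is needed: it enumerates the local Administrators group on a domain-joined ISA Server through the WinNT ADSI provider, which also works on Windows Server 2003-era hosts, and flags any group listed in the `$Unexpected` parameter (an assumed name; by default just "Domain Admins").

```powershell
# Added example: audit the local Administrators group on a domain member
# and report whether Domain Admins (or other listed groups) is present.
# $ComputerName and $Unexpected are parameters assumed for this example.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string[]]$Unexpected = @('Domain Admins')   # groups that should not be local admins
)

# Bind to the local Administrators group via the WinNT provider
$group = [ADSI]"WinNT://$ComputerName/Administrators,group"

# Expand each member into its name and ADsPath (e.g. WinNT://CONTOSO/Domain Admins)
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $name = $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    New-Object PSObject -Property @{ Name = $name; Path = $path }
}

Write-Host "Local Administrators on ${ComputerName}:"
$members | ForEach-Object { Write-Host ("  " + $_.Path) }

# Any member whose name matches the unexpected list is a separation-of-duties gap
$findings = $members | Where-Object { $Unexpected -contains $_.Name }
if ($findings) {
    foreach ($f in $findings) {
        Write-Warning "'$($f.Name)' holds local Administrators rights on $ComputerName"
    }
    # Remediation after review, run deliberately with local admin rights:
    #   $group.Remove($f.Path)
    exit 1
}
Write-Host "No unexpected groups found in local Administrators."
exit 0
```

Run it with a non-zero exit code as the signal in a scheduled audit; the removal line is left commented so the report can be reviewed before any membership is changed.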