Using migration From Server 2003 to change your administrator account model

Migrating from Server 2003 to Server 2012 R2 gives you many opportunities to change how things are done in your organization. One of the most beneficial changes that you can make is changing your administrator account model.

Unfortunately in many organizations, the administrator account model is to give each administrator a single super highly privileged account. If Oksana is responsible for managing Exchange, SharePoint, and Active Directory, Oksana has a privileged account that has administrator permissions across all of those products. Oksana may or may not have a standard user account that she uses to sign on to her machine on a daily basis, but in terms of performing administrative tasks, Oksana will have a single account with many privileges.

The other option is to have multiple accounts, each with its own privilege silo. That is, an account for managing Exchange, an account for managing SharePoint, and an account for managing Active Directory. While this will inconvenience Oksana as she’ll have to have multiple sets of administrative credentials and use different credentials to perform different tasks, this will make things more secure. Should an account get compromised, then what can be done by that account is limited by the privileges assigned to that account. Rather than everything being at risk, perhaps only the SharePoint deployment is at risk. Sure, that’s not a good thing either, but having a SharePoint deployment compromised is a less worse case scenario than having SharePoint, Exchange, and AD compromised.

When migrating to Server 2012 R2, reconsider how you allocate administrative privileges. Migrating gives you a chance to change things, and maybe an opportunity to move from a less secure model of administration to a more secure model.