Rising to a higher standard isn't easy

19.12.2005

Ideally, you want to make sure that the person who troubleshoots the desktop systems doesn't have the same privileges as the person who manages the servers, the switches, the routers or the firewalls. In most cases, it isn't feasible unless you have a very large staff among whom you can divvy up the myriad duties.

Taking action

Turning to separation of duties, I first addressed our use of the administrator account. Before, staffers had permission to log into a server or to remotely administer a desktop using the administrator log-in.

Now, each person must use his own account with administrative privileges. This doesn't change the level of privileges held by each staffer, but it does create an audit trail that specifically names the person who owns the account used, rather than providing a generic log-in name.

Second, the senior systems administrator reset the administrator password, wrote it down, locked it up and gave a key to only one other person. On pain of termination, the password is not to be given out. Of course, this could be a problem if any system accounts were running under the administrator account, since each of those accounts would have to have its password reset as well. It's a poor practice to bring up operating system services under an administrator account, but it happens all the time. A better practice is to always create special system accounts with appropriate permissions for particular applications and services.
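Two checks follow from the steps above: finding the services that still run under the shared administrator account before its password is reset, and spotting logons that still use the generic account instead of a named one. The sketch below is an added example, not part of the original column; the CSV layouts, host and account names, the `administrator` account name and the cutoff date are all constructed assumptions.

```python
import csv
import io

SHARED = "administrator"  # assumed name of the generic built-in account

# Constructed inventory export: which account each service runs as.
SERVICES = r"""host,service,run_as
fs01,BackupAgent,CORP\Administrator
fs01,Spooler,LocalSystem
db01,ReportSync,.\Administrator
db01,SqlEngine,CORP\svc-sql
web01,DeployHook,administrator@corp.example
"""

# Constructed logon records; the cutoff used below is an assumed policy date.
LOGONS = r"""time,host,account,source
2005-12-01T09:14:00,fs01,CORP\Administrator,ws-114
2005-12-20T08:02:00,fs01,CORP\jsmith-adm,ws-114
2005-12-21T23:40:00,db01,.\Administrator,ws-207
2005-12-22T10:05:00,web01,CORP\mlee-adm,ws-031
"""

def bare_name(account):
    """Reduce DOMAIN\\user, .\\user and user@domain to a lowercase user name."""
    name = account.strip().lower().rsplit("\\", 1)[-1]
    return name.split("@", 1)[0]

def rows(text):
    """Parse a CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))

def services_blocking_reset(text, shared=SHARED):
    """Services whose stored credentials must change if the shared password is reset."""
    return [(r["host"], r["service"]) for r in rows(text)
            if bare_name(r["run_as"]) == shared]

def shared_logons_after(text, cutoff, shared=SHARED):
    """Logons with the generic account at or after the cutoff: no named owner."""
    return [(r["time"], r["host"], r["source"]) for r in rows(text)
            if bare_name(r["account"]) == shared and r["time"] >= cutoff]

if __name__ == "__main__":
    for host, svc in services_blocking_reset(SERVICES):
        print(f"move to a dedicated service account before reset: {host}/{svc}")
    for when, host, src in shared_logons_after(LOGONS, "2005-12-19T00:00:00"):
        print(f"shared-account logon after policy change: {when} {host} from {src}")
```

Normalizing the account name matters because the same account appears in several spellings (domain-qualified, local and UPN style), and a literal string match would miss some of them.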