I'm currently tidying up our Active Directory (AD) and aiming to enhance our security measures. This brought up a question about the best approach for logging in as administrators on non-Windows devices like firewalls and other appliances. I know that using AD users can make management simpler, but considering our smaller IT team, I'm wondering if it's better to have separate admin logins for these devices. Is there a significant security difference between using LDAPS and local accounts? Or is it more about management convenience?
5 Answers
Avoiding local admin accounts on devices can lead to a really risky situation—you could end up locking yourself out. It might be a pain to manage, but keeping local accounts is safer. You could even have fun with naming your admin accounts something quirky!
Using centralized management like LDAP has its benefits, making management easier. As for security, it's a bit of a gray area; there are various factors that can impact the security level of either approach.
I recommend using LDAPS whenever possible, but also have a 'break-glass' local account just in case you need emergency access without relying on the LDAP server.
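A break-glass local account is only safe if every use of it gets reviewed. The script below is an added example, not something from the answer's author: it scans device syslog for logins by the emergency account and raises an alert, treating a successful login as critical because that account should only be touched when the directory or RADIUS path is down. The log line format, the hostnames and the account name `breakglass` are assumptions, and the sample lines are constructed.

```python
"""Added example (not from the answers' authors): flag any use of the
break-glass local admin account in device syslog so it is always reviewed.
The syslog shape and the account name are assumptions; lines are constructed."""
import re

# Names of the emergency-only local accounts configured on the devices (assumed).
BREAK_GLASS_ACCOUNTS = {"breakglass"}

# Constructed sample syslog lines in a common "user X logged in from Y" shape.
SAMPLE_LOGS = """\
Jan 10 09:12:01 fw01 sshd: user 'jsmith' logged in from 10.0.0.21
Jan 10 09:15:44 fw01 sshd: user 'breakglass' logged in from 10.0.0.5
Jan 10 09:16:02 fw01 sshd: user 'breakglass' login failed from 198.51.100.7
Jan 10 09:20:13 sw02 sshd: user 'amartin' logged in from 10.0.0.22
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+: "
    r"user '(?P<user>[^']+)' (?P<event>logged in|login failed) from (?P<src>\S+)$"
)


def parse_line(line):
    """Parse one syslog line into a dict, or None if it is not a login event."""
    m = LOGIN_RE.match(line)
    return m.groupdict() if m else None


def break_glass_events(log_text):
    """Return every successful or failed login attempt for a break-glass account."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["user"] in BREAK_GLASS_ACCOUNTS:
            events.append(rec)
    return events


def alerts(log_text):
    """One alert string per break-glass event. A success is CRITICAL because the
    account should only ever be used when central authentication is unavailable;
    a failure is WARNING because it may be someone guessing the local password."""
    out = []
    for e in break_glass_events(log_text):
        sev = "CRITICAL" if e["event"] == "logged in" else "WARNING"
        out.append(
            f"{sev}: {e['user']} {e['event']} on {e['host']} from {e['src']} at {e['ts']}"
        )
    return out


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOGS):
        print(a)
```

Feed this the syslog stream your firewalls and switches already send to a collector; the point is that a break-glass login should page someone even when it is legitimate, so the account's use can be matched against a known outage.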
For optimal device authentication, using certificates allows for mutual authentication and should definitely include MFA. If you want the best security, here's my ranking: SAML > RADSEC > LDAP over TLS > LDAPS > RADIUS > plain LDAP. SAML is the most secure option out there!
For devices like firewalls, routers, and switches, I wouldn't suggest using LDAP directly. Instead, a RADIUS server is typically more appropriate for those.
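Putting the two previous answers together (RADIUS for network gear, plus a local account kept only for emergencies), here is an added configuration example in Cisco IOS syntax; it is not from any of the posters. Admin logins are sent to a RADIUS group first, and the local account is consulted only when no RADIUS server responds, not when RADIUS rejects the credentials, so a wrong password cannot simply be retried against the local database. The server address, shared secret and account name are constructed placeholders.

```text
! Added example (not from the answers' authors): AAA on a Cisco IOS device with
! RADIUS as the primary method and a local break-glass account as fallback.
! Addresses, names and secrets below are constructed placeholders.
aaa new-model
!
radius server RADIUS-PRIMARY
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <replace-with-strong-shared-secret>
!
aaa group server radius ADMIN-RADIUS
 server name RADIUS-PRIMARY
!
! IOS moves to the next method only on an ERROR (server unreachable), not on a
! FAIL (server rejected the login), so "local" is used only during an outage.
aaa authentication login ADMIN-LOGIN group ADMIN-RADIUS local
aaa authorization exec ADMIN-LOGIN group ADMIN-RADIUS local
!
! Break-glass account: full privilege, long random secret stored offline.
username breakglass privilege 15 secret <replace-with-long-random-secret>
!
! Send login events to the collector so break-glass use can be reviewed.
logging host 192.0.2.20
!
line vty 0 4
 login authentication ADMIN-LOGIN
 authorization exec ADMIN-LOGIN
 transport input ssh
```

Other vendors expose the same idea under different names (an authentication "order" or "fallback" setting); the property to check is that the local account is tried only when the central server is unreachable, and that its use shows up in the central logs.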