One of the difficult areas of security administration is making sure each administrator and operator has no more power than they need for their day-to-day duties, and that the more powerful roles are held by only a few trusted individuals. In my experience this is one of the most neglected aspects of overall system security, largely because it just takes a lot of work to sort administrative duties out. Members of the local "Administrators" group, which we call "full administrators," are all-powerful. Some administrators consistently try to curtail the powers granted these administrators, but there's little hope and little point. A far better strategy is to grant this power to few individuals, try to ensure they use it sparingly, and dole out the great majority of administrative duties to less-than-all-powerful groups, most notably the Server, Account, and Backup Operators on domain controllers, and Power Users on workstations. It's surprising how many sites grant full administrative power to users who could and should make do with less.
You should also give considerable thought to creating certain network-wide administrative groups. Windows NT presents a simple metaphor where you place domain-wide full administrators in a predefined domain group called the "Domain Admins." This group is in turn included by default in the local Administrators group on each computer in the domain (although you can change this strategy if you wish). The Users and Guests groups follow a similar strategy, although they are not administrative. You can set up similar groups to ease the work and increase the simplicity of your domain-wide administration. For example, a Domain Power Users group included in the Power Users group of each workstation lets you easily allow universal Power User capabilities on workstations. (This grants no power on Domain Controllers, which is one of its features.)
The main reason for this concern about minimizing administrative access is that whenever an administrator runs an application, the application gains the full power of that administrator, which it can use in any manner it likes, even unseen by the administrator. If a powerful administrator ever accidentally runs a malicious program (an easy mistake to make), your security is out the proverbial window. We revisit this threat below.
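
The group nesting described above can be audited by expanding each machine's local groups through the domain groups they include. The following Python code is an added example, not part of the original text; the domain name CORP, the account and machine names, and the `max_admins` threshold are constructed assumptions.

```python
# Constructed sample data (not from the original text): domain groups and
# each machine's local groups, as an administrator might export them.
DOMAIN_GROUPS = {
    "CORP\\Domain Admins": {"CORP\\alice", "CORP\\bob"},
    "CORP\\Domain Power Users": {"CORP\\carol", "CORP\\dave"},
}
LOCAL_GROUPS = {
    "DC1": {"Administrators": {"Administrator", "CORP\\Domain Admins"},
            "Server Operators": {"CORP\\erin"}},
    "WS1": {"Administrators": {"Administrator", "CORP\\Domain Admins"},
            "Power Users": {"CORP\\Domain Power Users"}},
    # WS2 has a user placed directly in local Administrators.
    "WS2": {"Administrators": {"Administrator", "CORP\\Domain Admins",
                               "CORP\\dave"},
            "Power Users": {"CORP\\Domain Power Users"}},
}


def effective_members(machine, local_group):
    """Expand a local group: each nested domain group becomes its users."""
    users = set()
    for member in LOCAL_GROUPS[machine].get(local_group, set()):
        users |= DOMAIN_GROUPS.get(member, {member})
    return users


def audit_full_admins(max_admins=3):
    """List findings about who holds full administrator power per machine.

    max_admins is an assumed site policy limit, not a Windows NT setting.
    """
    findings = []
    for machine in sorted(LOCAL_GROUPS):
        members = LOCAL_GROUPS[machine].get("Administrators", set())
        # Accounts added directly, bypassing the Domain Admins group.
        direct = {m for m in members
                  if m not in DOMAIN_GROUPS and m != "Administrator"}
        for account in sorted(direct):
            findings.append((machine, "direct-member", account))
        admins = effective_members(machine, "Administrators")
        if len(admins) > max_admins:
            findings.append((machine, "too-many-admins", len(admins)))
    return findings


if __name__ == "__main__":
    for finding in audit_full_admins():
        print(finding)
    # Domain Power Users is nested only on workstations: empty on DC1.
    print(effective_members("DC1", "Power Users"))
```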