Is root access ever OK? Sure. Administrators do have legitimate reasons for such permissions; they may have to configure a server to run applications, for example. But there should be some type of logging or other controls that track what the administrators are doing, if only to provide checks and balances.
So a reasonable approach is to give root access only to those administrators who need to manage a specific application.
What you don't want to do, however, is add a huge amount of administrative overhead to your environment. You may want to look at a tool that manages these user privileges in a granular manner. Cyber-Ark and Cloakware are vendors that provide products for such a situation.