I’m surprised at the number of IT auditors who don’t understand Windows and Active Directory (AD) accounts. I can understand auditors who aren’t familiar with Unix, but Windows? Perhaps too many financial auditors are crossing over from the Far Side.
When auditing servers and application accounts, some auditors don’t know the difference between Active Directory accounts and local Windows server accounts. Some auditors don’t even know that local Windows server accounts exist. Too many auditors forget to review local server accounts when reviewing who the administrators are on a Windows box (I call them the “Windows widows” because they are often ignored).
Another auditor asked whether we should be doing an SOD check on Windows accounts. First, I asked him whether he was referring to AD accounts or local Windows server accounts. He said local server accounts (but only because that’s what the SME said, and the SME didn’t say AD accounts).
My response was: how do you get SOD issues on operating system accounts apart from applications? “I dunno,” he says.
Normally, SOD issues arise on OS accounts in two situations: 1) when you want SOD between OS administrators and application administrators, and 2) when applications assign their permissions directly to local server accounts. In both cases, an application is involved. In the latter case, it’s the permissions assigned through the application that usually create the conflicts, not the OS permissions.
The same applies to AD accounts.
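Here is an added example, not part of the original post, of the review described above: it inventories the local Administrators group on a Windows server, separates local accounts (the “Windows widows”) from AD principals, and cross-checks the OS administrators against a list of application administrators for the first SOD case. It assumes PowerShell 5.1 or later with the LocalAccounts module, and the `$AppAdmins` list is a constructed placeholder.

```powershell
# Added example (not the original post's code): review who the administrators
# are on a Windows box, local accounts and AD accounts alike.
# Assumes PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts), run as a local admin.

# Constructed, placeholder list of application administrators (e.g. exported
# from the application's own admin role) to check for OS-vs-app SOD conflicts.
$AppAdmins = @('CORP\jsmith', 'SERVER01\svc_app')

$members = Get-LocalGroupMember -Group 'Administrators'

$report = foreach ($m in $members) {
    $detail = $null
    if ($m.PrincipalSource -eq 'Local' -and $m.ObjectClass -eq 'User') {
        # Only local users expose enabled/password state here; AD accounts
        # have to be reviewed in AD, which is why local ones get missed.
        $acct   = $m.Name.Split('\')[-1]
        $detail = Get-LocalUser -Name $acct -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        Name            = $m.Name
        ObjectClass     = $m.ObjectClass      # User or Group
        Source          = $m.PrincipalSource  # Local vs ActiveDirectory
        SID             = $m.SID.Value
        Enabled         = if ($detail) { $detail.Enabled } else { $null }
        PasswordLastSet = if ($detail) { $detail.PasswordLastSet } else { $null }
        LastLogon       = if ($detail) { $detail.LastLogon } else { $null }
        AlsoAppAdmin    = ($AppAdmins -contains $m.Name)
    }
}

$report | Sort-Object Source, Name | Format-Table -AutoSize

# Findings an auditor would pull out of the report.
$report | Where-Object { $_.Source -eq 'Local' -and $_.Enabled } |
    ForEach-Object { Write-Output "Enabled local administrator: $($_.Name)" }
$report | Where-Object { $_.AlsoAppAdmin } |
    ForEach-Object { Write-Output "OS admin who is also an application admin (SOD): $($_.Name)" }
```

Domain groups nested in the local Administrators group show up as a single Group row, so their membership still has to be expanded in AD; a row with a bare SID and no name is an orphaned principal worth noting on its own.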
As a friend of mine used to say, “If you have SOD issues, you just need to fertilize more frequently.”