Two questions that I'd like to consider and possibly come up with an answer to. These questions are in regard to a Windows/Linux domain environment:
1. Is it more secure, yet still easy to administer, to have all client machines under their own control, with a domain administrator role only having the power to patch and virus scan, rather than have a domain administrator have more power than the local administrator?
I think it is more secure to have a network/domain where the domain administrator only has update and user management, while the local administrators have more and complete control over their system. This would prevent the entire domain from being compromised when the domain administrator account becomes compromised.
2. Is it more secure, yet still easy to administer, to have only one user with administrator privileges, rather than have multiple levels of administrator access? One example here is the Windows method of having a domain administrator and an enterprise administrator, in addition to a plethora of other administrators...
With most *nix systems, there is a user assigned to each application or process that has administrative rights over that process, which makes it unnecessary to use root to perform most actions. The root user is only required for actual system administration. Along with this, it is very easy in *nix systems to switch roles and become the root user, or the apache user.
Please post comments.