Many people (particularly non-technical people) believe that the biggest security issues stem from external sources. Certainly anyone who has watched the news lately and seen companies targeted for their credit card information would agree. TV and Movies are other great sources of incredibly entertaining (and impossible) attacks against all sorts of companies and facilities.
While external threats are always a huge cause for concern, IT people and security professionals know that the majority of data breaches are from internal threats. If I can get inside of your network or worse gain physical access to your equipment, there is little you can do to prevent me from gaining access and tampering, especially if I already have elevated privileges. However, most security professionals fear the disgruntled workers like Snowden who may steal and/or damage our data maliciously. Most don’t think about another attack vector, the accidental or lazy Administrator.
I have seen admins become frustrated with a user’s inability to access documents or software and just give them local admin access after working on the issue for 3 minutes or less. Worse yet, I know of one admin that would actually give users Domain Admin rights and in one instance, even the Domain Administrator password. In that company they had about 200 employees and it turned out that about 70 of them could be a part of the Domain Admins group at any given time. The other admins would stumble across this and tear them out but the users would always reappear in the Domain Admins group like a plague. Isn’t it amazing that some system administrators resolve users’ access issues by making them Domain Admins?
One Admin had a problem with users logging into Terminal services to access the company’s ERP system and occasionally shutdown the server accidentally rather than logging off. Instead of preventing this through a local policy on this server (or a targeted Group Policy against that group of servers), he decided to add this change to the default domain policy. This, of course, prohibited everyone from shutting down their local workstations. The resolution to this disaster was to go through and add 80% of the company to the local admin groups so they were able to shut down their machines. The admin made this change on each individual machine as the users called to complain. I think you would be hard pressed to find a more convoluted and painful solution to the initial problem than this one.
As incredible as it sounds the above are all true stories. This is just another reason to keep track of changes to your critical groups, changes made by the Domain Admin account and any unexpected changes to GPO’s for the sake of proper Active Directory auditing. While I hope your admins are far better than this, everyone makes mistakes and even the hardest worker feels lazy on occasion.