Friday, January 21, 2011

How to enforce Separation of Duties in a Windows Server environment

Some regulations require organisations to enforce separation of duties. In a Windows server environment this is very hard to achieve. When you log on to a Windows server to do maintenance, you automatically have access to all applications and resources on it. There is no way of giving different user groups access to individual application sets. If you have to do maintenance on a domain controller it is even worse: you have now been given the keys to the kingdom.

Here's an excerpt from Wikipedia's definition of Separation of Duties:

In information systems, segregation of duties helps reduce the potential damage from the actions of one person. IS or end-user department should be organized in a way to achieve adequate separation of duties. According to ISACA's Segregation of Duties Control matrix [3], some duties should not be combined into one position. This matrix is not an industry standard, just a general guideline suggesting which positions should be separated and which require compensating controls when combined.

Separation of duties should prevent any individual from having access to a single complete system.

With RES Dynamic Desktop Studio, life becomes a lot easier. You can make sure users can only access the applications tied to their duties, and when they have to perform those duties, an approval process needs to take place first.

In this demo I show how this could work.



Please visit RES Software for more information about RES Dynamic Desktop Studio.

/Patrik
