We are deploying web applications that require username/password logins. We are also managing the infrastructure that supports the web applications.
I have researched and have been unable to find any resources related to best practices for whether or not those accounts should be part of separate authentication domains.
I'm looking for any documentation that speaks to the risks associated with having the same authentication domain for both client services (web app) and infrastructure management.
The risk I am concerned with is that if the client services authentication is hacked, that could allow the attacker to gain credentials for an administrator of the infrastructure. From there the attacker could control the entire infrastructure, not just the client service (web app).
If we have two different authentication domains (no shared account information), then this risk is greatly reduced. Is there any best practice documentation that speaks to that?
EDIT: The information does not have to be specific to MS AD or LDAP; it is more general, about separation of account types/purposes.