Some of the steps to consider will sound familiar, but many probably fail to use them for "simplicity" sake. Make sure Administrators are using separate admin accounts and not just adding admin to their regular user account. This requires an additional step when performing those admin type functions, but segregates the roles (we are dual personality all being admins and at the same time, some other lower sort of user). Make sure each network admin has their own dedicated accounts, so there are not shared admin accounts (beat all who share this account informally). On a regular basis check systems for new accounts that are admin equivalent and determine their legitimacy. The new admin account may indicate a backdoor account put there by the disgruntled or fearful employee. While centralization of administration is a good concept, remember that there must be more than one person involved in the process. The all knowing, all powerful single admin becomes a nightmare at time of separation, whether voluntary or involuntary.
Another method used is the idea of a superuser, or admin account being used only to set up the machine, and establish secondary admin roles with only the privileges needed for the functions. You could take that superuser account and require a multi part password, then requiring more than person to access, thereby needing some collusion if unauthorized actions are to be taken. The issue becomes one of practicality. You can tighten these controls to the point that it adds excessive overhead to normal operations.
This was first published in July 2003