Re: [Full-disclosure] need help in managing administrators

From: Valdis.Kletnieks@xxxxxx
Date: Sun, 02 Dec 2007 14:22:54 -0500

On Sun, 02 Dec 2007 09:42:26 GMT, happy nino said:

Hi All,i've a problem in my organization that we have several domain admins,
we are in the process of removing most of them but i need to have a person
only authorized to installnew software to users' computers but without having
access to other parts of the users machines, is this possible ?

What exactly are you trying to accomplish, given that if they are allowed to
install software, they are allowed to install software that will then at a
later point in time give them access to other parts of the machine? There's no
"don't allow the installation of trojaned software" flag. Also, if you're
backing up the machines (you *do* back them up, right?), your admin can
probably just restore the files from backup into some other directory...

Have you looked at using something like EFS or BitLocker *and turn off key
escrow* so the admin's keys don't work? Of course, this makes backups
"interesting", and if you have an Internal Audit group, they may have a cow
about non-escrowed keys if they have a clue.

It would probably be easier to answer this one if you were able to say
specifically what "other parts" you didn't want the admins to be getting at,
and why you can't just use "if you abuse your privs, you're fired and we're
calling the local DA" to keep them in line (this works for most places,
if you pay your admins a fair wage, but of course some particularly high-value
targets invite high-risk attacks).

Attachment: pgp9VOfF95lyz.pgp
Description: PGP signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] need help in managing administrators
  - From: James Matthews

References:
- [Full-disclosure] DC4420 - London DEFCON chapter Christmas Party - 11th December
  - From: Major Malfunction
- [Full-disclosure] need help in managing administrators
  - From: happy nino

Prev by Date: Re: [Full-disclosure] authentic hackers still do it for the love ... (was: Hell Camp: It never pays enough)
Next by Date: Re: [Full-disclosure] authentic hackers still do it for the love ... (was: Hell Camp: It never pays enough)
Previous by thread: Re: [Full-disclosure] need help in managing administrators
Next by thread: Re: [Full-disclosure] need help in managing administrators
Index(es):
- Date
- Thread

Relevant Pages

Re: [Full-disclosure] need help in managing administrators
... Why are you removing the admins? ... install software, they are allowed to install software that will then at a ... about non-escrowed keys if they have a clue. ...
(Full-Disclosure)
Re: Filesharing disabled. How to copy files across machines ?
... cannot install software ... What are the options in connecting up 2 machines and copying files ... Network the two computers, and just copy the files over the ...
(microsoft.public.windowsxp.general)
Re: Users to install software
... > I want the people in Admins to be able to install software on the ... Put the IDs from the Admins OU into a global group. ... The scene took on a curious unreality to Jim. ...
(microsoft.public.win2000.advanced_server)
I need your help??
... look into using group policy to install software on all ... users or on all machines no matter who the user is. ...
(microsoft.public.win2000.active_directory)
Re: Cant authenticate in NetInfo Manager
... time we install software? ... without human intervention. ... You have already admitted your AZERTY keyboard does have the # key. ... It has a pair of keys that together produce the correct code.On neither of them is the symbol printed. ...
(comp.sys.mac.system)