RE: Controlling Admin Access
From: Evan Mann (emann_at_pinnaclefinancial.com)
Date: 02/02/04
- Previous message: Michael Cox: "Controlling Admin Access"
- Maybe in reply to: Michael Cox: "Controlling Admin Access"
- Next in thread: Harlan Carvey: "Re: Controlling Admin Access"
Date: Mon, 2 Feb 2004 11:38:22 -0500
To: "Michael Cox" <mscox42@yahoo.com>
You can remove the admin shares or modify security policy so that access
from the network is restricted to only the executives, DCs, etc. Modify
security policy to only let that particular executive login locally and
that should take care of a domain admin logging in locally and accessing
files.
You will still have the ability for a domain admin to reset the password
and login as the executive themselves. I don't think there is any
foolproof way. I recall convos coming up on this in the
past and there is always the issue of trust and the need to have someone
in IT to have unrestricted access to all computers for one reason or
another. What do you do if the executive leaves and all their files are
encrypted via a password no one knows?
-----Original Message-----
From: Michael Cox [mailto:mscox42@yahoo.com]
Sent: Friday, January 30, 2004 2:56 PM
To: focus-ms@securityfocus.com
Subject: Controlling Admin Access
I'd like to solicit the group's input on the following.
Domain administrators, by definition, are going to have complete access
to member computers.
Is anyone doing anything to mitigate the potential risks involved with
access to, say, an executive's computer which could have very sensitive
data on it (mergers and acquisitions, for example)?
One obvious answer is encryption, but I'm curious what is available in
the Windows world as I'm not as familiar with that.
Even if something like object level auditing was enabled and the logs
sent to a remote host, couldn't the admin, as a first step, disable this
logging?
Please answer both 1) what is possible, and 2) what is your organization
or other organizations you know of doing about this (if anything).
Many thanks in advance!
Michael