RE: Controlling Admin Access

From: marco2 (marco2_at_neovalens.com)
Date: 02/03/04

    Date: Tue, 3 Feb 2004 11:27:03 +0100
    To: "Michael Cox" <mscox42@yahoo.com>, <focus-ms@securityfocus.com>
    
    

    Michael

    >>Even if something like object level auditing was enabled and the logs
    sent to a remote host, couldn't the admin, as a first step, disable this
    logging?<<

    AFAIK disabling auditing, as well as deleting any audit entry, generates
    an event: whoever does it will have to explain why.

    Marco
    www.neovalens.com

    -----Original Message-----
    From: Michael Cox [mailto:mscox42@yahoo.com]
    Sent: Friday, January 30, 2004 8:56 PM
    To: focus-ms@securityfocus.com
    Subject: Controlling Admin Access

    I'd like to solicit the group's input on the following.

    Domain administrators, by definition, are going to have complete access
    to member computers.

    Is anyone doing anything to mitigate the potential risks involved with
    access to, say, an executive's computer which could have very sensitive
    data on it (mergers and acquisitions, for example)?

    One obvious answer is encryption, but I'm curious what is available in
    the Windows world as I'm not as familiar with that.

    Even if something like object level auditing was enabled and the logs
    sent to a remote host, couldn't the admin, as a first step, disable this
    logging?

    Please answer both 1) what is possible, and 2) what is your organization
    or other organizations you know of doing about this (if anything).

    Many thanks in advance!

    Michael
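
Added example, not part of the original thread: a check run on the remote log host for the events Marco refers to (audit policy changed, audit log cleared), which also notes whether the host stopped sending anything afterwards. The record layout (time, host, event_id, user), the one-hour silence window and the sample records are assumptions made for this illustration.

```python
from datetime import datetime, timedelta

# Security-log event IDs that record tampering with auditing itself:
# 517/612 on Windows 2000/XP/2003, 1102/4719 on Vista and later.
TAMPER_EVENTS = {
    517: "audit log cleared",
    1102: "audit log cleared",
    612: "audit policy changed",
    4719: "audit policy changed",
}

def find_audit_tampering(events, now, silence=timedelta(hours=1)):
    """Return one finding per tamper event seen by the collector.

    went_quiet is True when that event is the last thing the host sent
    and at least `silence` has passed, i.e. logging may have been disabled.
    """
    last_seen = {}
    for e in events:
        host = e["host"]
        last_seen[host] = max(last_seen.get(host, e["time"]), e["time"])
    findings = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        what = TAMPER_EVENTS.get(e["event_id"])
        if what is None:
            continue
        quiet = last_seen[e["host"]] == e["time"] and now - e["time"] >= silence
        findings.append({"host": e["host"], "user": e["user"], "time": e["time"],
                         "what": what, "went_quiet": quiet})
    return findings

# Constructed sample records (hosts, accounts and times are made up).
T0 = datetime(2004, 2, 3, 9, 0)
NOW = T0 + timedelta(hours=2)
SAMPLE = [
    {"time": T0, "host": "EXEC-PC1", "event_id": 560, "user": "CORP\\exec"},
    {"time": T0 + timedelta(minutes=5), "host": "EXEC-PC1", "event_id": 612, "user": "CORP\\admin1"},
    {"time": T0 + timedelta(minutes=6), "host": "FILESRV", "event_id": 517, "user": "CORP\\admin2"},
    {"time": T0 + timedelta(minutes=30), "host": "FILESRV", "event_id": 560, "user": "CORP\\user7"},
]

if __name__ == "__main__":
    for f in find_audit_tampering(SAMPLE, NOW):
        print(f["time"], f["host"], f["user"], f["what"], "went quiet:", f["went_quiet"])
```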
