RE: Controlling Admin Access

From: marco2 (marco2_at_neovalens.com)
Date: 02/03/04

    Date: Tue, 3 Feb 2004 11:27:03 +0100
    To: "Michael Cox" <mscox42@yahoo.com>, <focus-ms@securityfocus.com>
    
    

    Michael

    >>Even if something like object level auditing was enabled and the logs
    sent to a remote host, couldn't the admin, as a first step, disable this
    logging?<<

    AFAIK disabling auditing, as well as deleting any audit entry, generates
    an event: whoever does it will have to explain why.

    Marco
    www.neovalens.com

    -----Original Message-----
    From: Michael Cox [mailto:mscox42@yahoo.com]
    Sent: Friday, January 30, 2004 8:56 PM
    To: focus-ms@securityfocus.com
    Subject: Controlling Admin Access

    I'd like to solicit the group's input on the following.

    Domain administrators, by definition, are going to have complete access
    to member computers.

    Is anyone doing anything to mitigate the potential risks involved with
    access to, say, an executive's computer which could have very sensitive
    data on it (mergers and acquisitions, for example)?

    One obvious answer is encryption, but I'm curious what is available in
    the Windows world as I'm not as familiar with that.

    Even if something like object level auditing was enabled and the logs
    sent to a remote host, couldn't the admin, as a first step, disable this
    logging?

    Please answer both 1) what is possible, and 2) what is your organization
    or other organizations you know of doing about this (if anything).

    Many thanks in advance!

    Michael

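The reply above relies on audit tampering leaving its own event behind. As an added example (not part of the original thread), this is a check a remote log collector could run: it flags the Security-log events written when auditing is changed or the log is cleared, and lists hosts that have stopped forwarding. The record format, host names and accounts are constructed for illustration.

```python
from datetime import datetime, timedelta

# Windows Security-log event IDs for audit tampering:
# 517/612 on Windows 2000/XP/2003, 1102/4719 on Vista and later.
TAMPER_EVENTS = {
    517: "audit log cleared",
    612: "audit policy changed",
    1102: "audit log cleared",
    4719: "audit policy changed",
}

# Constructed sample of forwarded records as stored on the collector.
# The host|timestamp|event_id|account layout is a hypothetical format.
SAMPLE = """
EXEC-PC01|2004-02-03T09:00:12|560|CORP\\jsmith
EXEC-PC01|2004-02-03T09:14:40|612|CORP\\admin7
EXEC-PC01|2004-02-03T09:15:02|517|CORP\\admin7
FILESRV02|2004-02-03T09:20:00|560|CORP\\jsmith
FILESRV02|2004-02-03T11:05:00|560|CORP\\jsmith
"""

def parse(text):
    """Yield (host, time, event_id, account) tuples from collector records."""
    for line in text.strip().splitlines():
        host, ts, event_id, account = line.split("|")
        yield host, datetime.fromisoformat(ts), int(event_id), account

def find_tampering(records):
    """Return (host, time, description, account) for each audit-tamper event."""
    return [(h, t, TAMPER_EVENTS[e], a)
            for h, t, e, a in records if e in TAMPER_EVENTS]

def silent_hosts(records, now, max_gap=timedelta(hours=1)):
    """Return hosts whose newest forwarded event is older than max_gap."""
    last = {}
    for h, t, _, _ in records:
        last[h] = max(t, last.get(h, t))
    return sorted(h for h, t in last.items() if now - t > max_gap)

if __name__ == "__main__":
    records = list(parse(SAMPLE))
    for host, when, what, who in find_tampering(records):
        print(f"{when} {host}: {what} by {who}")
    print("silent:", silent_hosts(records, datetime(2004, 2, 3, 11, 30)))
```

The silence check matters because an administrator who stops forwarding produces no further records at all; the collector only notices the absence.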
    
