RE: Subdomain security

From: Renouf, Phil (Phil.Renouf_at_tdsecurities.com)
Date: 12/17/04

  • Next message: Jordan Wiseman: "RE: iisadmpwd/UPN"
    Date: Fri, 17 Dec 2004 13:13:44 -0500
    To: "Scott Mulcahy" <scottcm-secfocus@hotmail.com>, <focus-ms@securityfocus.com>
    
    

    > I'm fairly certain that an enterprise admin can get admin privs
    > anywhere in the forest.

    Not to mention that as a Domain Admin it is very easy for someone to get
    themselves enterprise admin rights. One important thing to monitor is
    changes to the group membership of the major admin groups (Enterprise,
    Schema, Domain etc.). I know that MOM does this pretty well, but I am
    sure other monitoring tools offer that as an option.

    Phil
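
The monitoring suggested in the message above, as an added example that is not part of the original post: a filter that flags membership changes to the major admin groups in exported Security-log records. The JSON-lines export format, the sample records and the inclusion of the built-in Administrators group are assumptions; the event IDs and field names are those used by Windows Server 2008 and later.

```python
import json

# Security-log event IDs for membership changes to security-enabled groups
# (Windows Server 2008 and later).
MEMBERSHIP_EVENTS = {
    4728: "added", 4729: "removed",  # global groups, e.g. Domain Admins
    4732: "added", 4733: "removed",  # domain-local groups, e.g. Administrators
    4756: "added", 4757: "removed",  # universal groups, e.g. Enterprise Admins
}

# Groups named in the message; built-in Administrators is added as an assumption.
WATCHED_GROUPS = {"enterprise admins", "schema admins", "domain admins", "administrators"}

# Constructed sample records (one JSON object per line; export format is assumed).
SAMPLE_LOG = """\
{"EventID": 4756, "TargetUserName": "Enterprise Admins", "MemberName": "CN=jdoe,OU=Staff,DC=corp,DC=example", "SubjectUserName": "da-smith"}
{"EventID": 4728, "TargetUserName": "Helpdesk", "MemberName": "CN=amy,OU=Staff,DC=corp,DC=example", "SubjectUserName": "hd-lead"}
{"EventID": 4624, "TargetUserName": "jdoe"}
{"EventID": "4729", "TargetUserName": "domain admins", "MemberName": "CN=old-svc,OU=Service,DC=corp,DC=example", "SubjectUserName": "da-smith"}
truncated line, not JSON
"""


def find_admin_group_changes(lines):
    """Return one alert dict per membership change to a watched admin group."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
            event_id = int(event["EventID"])
        except (ValueError, TypeError, KeyError):
            continue  # blank, malformed, or not an event record
        action = MEMBERSHIP_EVENTS.get(event_id)
        group = str(event.get("TargetUserName", ""))
        if action is None or group.lower() not in WATCHED_GROUPS:
            continue  # unrelated event, or a group that is not watched
        alerts.append({
            "group": group,
            "action": action,
            "member": event.get("MemberName", "?"),
            "changed_by": event.get("SubjectUserName", "?"),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_admin_group_changes(SAMPLE_LOG.splitlines()):
        print("{group}: {member} {action} by {changed_by}".format(**alert))
```
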
