RE: software to control domain administrators

LordInfidel_at_directionweb.com
Date: 05/06/05

    Date: Thu, 5 May 2005 18:02:05 -0400
    To: "Diego Teijeiro Ruiz" <dteijeiro@azertia.com>, <security-basics@securityfocus.com>
    
    

    Probably a little late, been busy, but I did not see a response yet to
    this.

    (assuming we are talking about NT/AD Domain Admins)

    Honestly, if you are looking for something to audit domain admins, then
    you have bigger problems.

    Domain admins, by the very nature of the account type, have complete
    control over the domain, second only to enterprise admins. Nothing you
    install or do will prevent them from removing or modifying it. Even
    restricting them via NTFS permissions or GPOs does nothing since they
    can just take ownership and modify the permissions.

    Keep in mind that spying on a domain admin can have catastrophic effects
    if they feel threatened by it since they can easily mess up an entire
    network.

    Basically, if you cannot trust your domain admin(s), then they should
    probably not be a domain admin and should be removed from that position of trust.

    JMO

    -----Original Message-----
    From: Diego Teijeiro Ruiz [mailto:dteijeiro@azertia.com]
    Sent: Thursday, April 28, 2005 5:51 AM
    To: security-basics@securityfocus.com
    Subject: software to control domain administrators

    Does anyone know any software to control, audit, or restrict access or
    privileges to domain administrators?

    Thanks in advance

    DTR


