RE: software to control domain administrators

LordInfidel_at_directionweb.com
Date: 05/06/05

    Date: Fri, 6 May 2005 12:17:27 -0400
    To: "Diego Teijeiro Ruiz" <dteijeiro@azertia.com>, <security-basics@securityfocus.com>
    
    

    One of my co-workers pointed out that my response may have come off
    the wrong way...

    First, always **Audit Everything**. I was not advocating 'not
    auditing'.

    Trustworthy admins already do this with the explicit knowledge that they
    themselves are subject to being audited and that their actions on the
    network will be logged. The point I was attempting to make before is
    that a malicious admin, or one that feels threatened, has the power to
    reverse that auditing, which the auditing mechanism should reflect
    anyway. The problem is compounded if the admin has access to the
    logs: then there is nothing stopping them from covering their tracks.

    I apologize if it confused anyone. The overall theme remains the same:
    if you can't explicitly trust the people who are running your network,
    then they should not be running it.

    -----Original Message-----
    From: LordInfidel@directionweb.com [mailto:LordInfidel@directionweb.com]

    Sent: Thursday, May 05, 2005 6:02 PM
    To: Diego Teijeiro Ruiz; security-basics@securityfocus.com
    Subject: RE: software to control domain administrators

    Probably a little late, been busy, but I did not see a response yet to
    this.

    (assuming we are talking about NT/AD Domain Admins)

    Honestly, if you are looking for something to audit domain admins, then
    you have bigger problems.

    Domain admins, by the very nature of the account type, have complete
    control over the domain, second only to enterprise admins. Nothing you
    install or do will prevent them from removing or modifying it. Even
    restricting them via NTFS permissions or GPOs does nothing, since they
    can just take ownership and modify the permissions.

    Keep in mind that spying on a domain admin can have catastrophic effects
    if they feel threatened by it since they can easily mess up an entire
    network.

    Basically, if you cannot trust your domain admin(s), then they should
    probably not be domain admins and should be removed from that position of trust.

    JMO

    -----Original Message-----
    From: Diego Teijeiro Ruiz [mailto:dteijeiro@azertia.com]
    Sent: Thursday, April 28, 2005 5:51 AM
    To: security-basics@securityfocus.com
    Subject: software to control domain administrators

    Does anyone know of any software to control, audit, or restrict the access or
    privileges of domain administrators?

    Thanks in advance

    DTR

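The concern raised in this thread, that an admin can turn auditing off and then remove the evidence, is usually met by forwarding the Security log to a collector the admin does not administer and watching for the events that tampering itself produces. The PowerShell below is an added example, not code from the thread; it assumes Windows Vista/2008-era or later event IDs and that the caller can read the Security log on the named host.

```powershell
# Added example (not from the list thread): list the Security events a domain
# admin generates when weakening auditing, so a reviewer who does not share the
# admin's access can see them. Event IDs are the Vista/2008+ numbers:
#   1102 = the audit log was cleared
#   4719 = system audit policy was changed
#   4670 = permissions on an object were changed (take-ownership / ACL edits;
#          requires object-access auditing and a SACL on the object)
# Assumption: run against a log collector or forwarded copy, because on the
# admin's own domain controller these entries can be cleared along with the rest.
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # assumption: local host by default
    [int]$Hours = 24
)

$filter = @{
    LogName   = 'Security'
    Id        = 1102, 4719, 4670
    StartTime = (Get-Date).AddHours(-$Hours)
}

try {
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
} catch {
    # Get-WinEvent throws when nothing matches; treat that as an empty result.
    $events = @()
}

$events | ForEach-Object {
    # In all three event types the second property is SubjectUserName, the
    # account that performed the action (assumes the standard event layout).
    $actor = if ($_.Properties.Count -gt 1) { $_.Properties[1].Value } else { '<unknown>' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        Actor   = $actor
        Summary = switch ($_.Id) {
            1102 { 'Security log cleared' }
            4719 { 'Audit policy changed' }
            4670 { 'Object permissions changed' }
        }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

A 1102 or 4719 entry that is missing from the source machine but present on the collector is itself the signal the reply above says the auditing mechanism should reflect.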
