Re: software to control domain administrators

From: Charles Fraser (fraserc_at_mail.montclair.edu)
Date: 05/09/05

  • Next message: Beauford, Jason: "RE: software to control domain administrators"
    Date: Mon, 09 May 2005 12:02:05 -0400
    To: LordInfidel@directionweb.com

    "If I can't trust my admin he/she shouldn't be one" is an archaic school
    of thought. In today's age of compliance and accountability that school
    of thought needs to be radically changed. There need to be checks and
    balances, which is why security has to be separate from operations. More
    and more enterprises are following the new school of thought that an
    employee has the computer access and permissions that it takes for him or
    her to perform their functions, no more, no less. Full domain and
    enterprise administrators are less and less common in favor of dividing
    responsibility so administrators can have fewer rights to perform their
    day-to-day functions. Windows offers runas and sudo capabilities, which
    we utilize to reduce the number of people who require administrative
    access. I advocate a central/separate syslog/event viewer server that
    is not in the domain and that the administrators have no access to
    whatsoever. Now if someone is trying to cover their tracks they can't,
    because the logs are duplicated in real time to the central server. It
    should be stressed that it is not a matter of trust but a matter of
    checks and balances.

    Charlie

    LordInfidel@directionweb.com wrote:

    >One of my co-workers pointed out that my response may have come off
    >the wrong way...
    >
    >First, Always **Audit Everything**...... I was not advocating 'not
    >auditing'.
    >
    >Trustworthy Admins already do this with the explicit knowledge that they
    >themselves are subject to being audited and that their actions on the
    >network will be logged. The point I was attempting to make before is
    >that a malicious admin or one that feels threatened has the power to
    >reverse that auditing, which the auditing mechanism should reflect
    >anyway. But the problem is compounded if the admin has access to the
    >logs; then there is nothing stopping them from covering their tracks.
    >
    >I apologize if it confused anyone. The overall theme remains the same,
    >if you can't explicitly trust the people who are running your network
    >then they should not be running it.
    >
    >-----Original Message-----
    >From: LordInfidel@directionweb.com [mailto:LordInfidel@directionweb.com]
    >
    >Sent: Thursday, May 05, 2005 6:02 PM
    >To: Diego Teijeiro Ruiz; security-basics@securityfocus.com
    >Subject: RE: software to control domain administrators
    >
    >Probably a little late, been busy, but I did not see a response yet to
    >this.
    >
    >(assuming we are talking about NT/AD Domain Admins)
    >
    >Honestly, if you are looking for something to audit domain admins, then
    >you have bigger problems.
    >
    >Domain admins by the very nature of the account type, have complete
    >control over the domain, second to only enterprise admins. Nothing you
    >install or do will prevent them from removing or modifying it. Even
    >restricting them via NTFS permissions or GPOs does nothing since they
    >can just take ownership and modify the permissions.
    >
    >Keep in mind that spying on a domain admin can have catastrophic effects
    >if they feel threatened by it since they can easily mess up an entire
    >network.
    >
    >Basically, if you cannot trust your domain admin(s), then they should
    >probably not be domain admins and should be removed from that position of trust.
    >
    >JMO
    >
    >-----Original Message-----
    >From: Diego Teijeiro Ruiz [mailto:dteijeiro@azertia.com]
    >Sent: Thursday, April 28, 2005 5:51 AM
    >To: security-basics@securityfocus.com
    >Subject: software to control domain administrators
    >
    >
    >Does anyone know of any software to control, audit, or restrict the access or
    >privileges of domain administrators?
    >
    >Thanks in advance
    >
    >
    >DTR
    >
    >
    >
    >-----------------------------------------------------------------------
    >This email is confidential and intended solely for the use of the
    >individual to whom it is addressed. Any views or opinions presented are
    >solely those of the author and do not necessarily represent those of
    >AZERTIA. If you are not the intended recipient, be advised that you have
    >received this email in error and that any use, dissemination,
    >forwarding, printing, or copying of this email is strictly prohibited.
    >If you have received this email in error please notify it to AZERTIA by
    >telephone on number +34 93 207 55 11.
    >-----------------------------------------------------------------------
    >
    >

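Charlie's argument rests on the forwarded copy of the logs living somewhere the administrators cannot reach, so that a log cleared on the domain controller is still visible on the central server. What follows is an added example, not code from the thread, of the kind of check that would run on that central server over the forwarded Windows Security events. The events are constructed sample data held as plain dicts, and the field names (time, id, host, subject, group, member) are assumptions about what a forwarding agent would deliver; the event IDs themselves are the standard Security log IDs in Vista/Server 2008 and later numbering (the 2003-era IDs the thread would have used are different). Nothing here touches a real domain or a real log.

```python
"""Detection over the forwarded copy of Windows Security events.

Added example (not from the original thread). Runs on the separate log
server against events forwarded to it in real time. Field names are
assumptions; event IDs are the standard Security log IDs (Vista/2008+).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

EVENT_LOG_CLEARED = 1102       # "The audit log was cleared"
AUDIT_POLICY_CHANGED = 4719    # "System audit policy was changed"
# 4728/4732/4756: member added to a security-enabled global/local/universal group
MEMBER_ADDED = {4728: "global", 4732: "local", 4756: "universal"}

# Groups whose membership changes are worth an alert on their own.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Schema Admins", "Administrators"}

# A log clear shortly after a privileged change by the same account is the
# "covering tracks" pattern; the forwarded copy still holds the earlier event.
COVER_TRACKS_WINDOW = timedelta(minutes=30)


@dataclass
class Alert:
    severity: str
    rule: str
    subject: str
    detail: str


def analyze(events: List[Dict]) -> List[Alert]:
    """Return alerts for the events, processed in time order."""
    alerts: List[Alert] = []
    last_priv_change: Dict[str, datetime] = {}   # subject -> time of last privileged change

    for ev in sorted(events, key=lambda e: e["time"]):
        eid, subject, when, host = ev["id"], ev["subject"], ev["time"], ev["host"]

        if eid in MEMBER_ADDED and ev.get("group") in PRIVILEGED_GROUPS:
            alerts.append(Alert("high", "privileged-group-add", subject,
                                f"{subject} added {ev['member']} to {ev['group']} "
                                f"({MEMBER_ADDED[eid]} group) on {host}"))
            last_priv_change[subject] = when

        elif eid == AUDIT_POLICY_CHANGED:
            alerts.append(Alert("high", "audit-policy-changed", subject,
                                f"{subject} changed the audit policy on {host}"))

        elif eid == EVENT_LOG_CLEARED:
            alerts.append(Alert("high", "log-cleared", subject,
                                f"{subject} cleared the Security log on {host}"))
            earlier = last_priv_change.get(subject)
            if earlier is not None and when - earlier <= COVER_TRACKS_WINDOW:
                alerts.append(Alert("critical", "cover-tracks", subject,
                                    f"log cleared {when - earlier} after a privileged "
                                    f"group change by the same account on {host}"))
    return alerts


def sample_events() -> List[Dict]:
    """Constructed sample stream (not real log data). Hosts and accounts are made up."""
    t0 = datetime(2005, 5, 9, 12, 0)
    return [
        {"time": t0, "id": 4720, "host": "DC1",                       # user created
         "subject": "CORP\\jsmith", "member": "CORP\\svc_backup2"},
        {"time": t0 + timedelta(minutes=1), "id": 4728, "host": "DC1",
         "subject": "CORP\\jsmith", "group": "Domain Admins", "member": "CORP\\svc_backup2"},
        {"time": t0 + timedelta(minutes=2), "id": 4728, "host": "DC1",
         "subject": "CORP\\hr_admin", "group": "Sales", "member": "CORP\\alice"},
        {"time": t0 + timedelta(minutes=12), "id": 1102, "host": "DC1",
         "subject": "CORP\\jsmith"},
        {"time": t0 + timedelta(minutes=45), "id": 4719, "host": "FS1",
         "subject": "CORP\\jdoe"},
    ]


if __name__ == "__main__":
    for a in analyze(sample_events()):
        print(f"[{a.severity:8}] {a.rule:22} {a.detail}")
```

The membership add to Sales produces nothing, the add to Domain Admins produces one alert, and the 1102 that follows eleven minutes later produces both a log-cleared alert and the critical cover-tracks correlation, which is only possible because the earlier 4728 survives on the central server after it has been wiped from the domain controller. That is the whole value of the separate box: the detector is no better than its feed, so the feed has to be outside the reach of the accounts it watches.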
