RE: software to control domain administrators

From: Bundschuh, Anthony D (ANTHONY.D.BUNDSCHUH_at_saic.com)
Date: 05/10/05

    To: 'LordInfidel' <LordInfidel@directionweb.com>, Charles Fraser <fraserc@mail.montclair.edu>
    Date: Mon, 9 May 2005 15:33:05 -0700 
    
    

    I have to agree with you. Let's not forget that someone has to configure
    these so-called controls on the admin. If they can configure it, they are
    able to undo it also. Besides, if you did not have someone with that total
    access, what would you do when you need that level of control? I am sure
    that the vendors would be able to help you out, for a small fortune. I have
    heard of Novell being able to come in and get your network back when your
    admin changed the domain admin password when he or she found out that they
    were getting let go, but I heard it would cost tens of thousands of dollars.

    As far as central recording of the audit logs, someone has to have access to
    them, which means they can edit them. It may not be the admin, but
    conspiracies do happen.

    -----Original Message-----
    From: LordInfidel [mailto:LordInfidel@directionweb.com]
    Sent: Monday, May 09, 2005 11:01 AM
    To: Charles Fraser
    Cc: Diego Teijeiro Ruiz; security-basics@securityfocus.com
    Subject: RE: software to control domain administrators

    I agree wholeheartedly about checks and balances, but that was not the
    question posed.
     
    The question that was posed was,
     
    "Does anyone know any software to control, audit, or restrict access or
    privileges to domain administrators."

    The "If I can't trust my admin he/she shouldn't be one" is not an archaic
    thought, it is a reality of computing. This is totally different from
    granting a user a higher level of permissions to do their work.
     
    In your case of granting sudo (aka runas on win32) access to a user or
    junior admin, that is great; it should be done and is a standard in modern
    networked environments. But again, we are not talking about limiting that
    person's access, we are talking about "YOUR" access, the domain admin, the
    person who gave the junior admin those rights in the first place.
     
    There is no such beast as a domain admin account without domain admin
    rights, it does not exist. It's like trying to restrict root on *nix. root
    is god over *nix, the same way a domain admin is godlike over windows (I use
    godlike because the juiciest account is the all-powerful system account).
     
    BTW, granting a user the necessary rights to do their job with the most
    restrictive set possible is by no means a new school of thought. It is
    quite old.
     
    <snip>
    Full domain and
    enterprise administrators are less and less common in favor of dividing
    responsibility so administrators can have less rights to perform their day
    to day functions.
    </snip>
     
    Well, someone has got to be in that position, the enterprise just does
    not manage itself. And that is the person that we are talking about
    restricting. I have a feeling that your definition of an administrator is
    much different than mine. I am talking formal Network Administrators, not
    Joe Blow end users promoted to a network admin position because they are the
    most computer savvy.

    I will restate my mantra differently: if you can not trust someone to be in
    a position of complete unadulterated control of your network, then they
    should not be in that position.
     
    Audit, Audit, Audit, Audit.
     
    ________________________________

    From: Charles Fraser [mailto:fraserc@mail.montclair.edu]
    Sent: Mon 5/9/2005 12:02 PM
    To: LordInfidel
    Cc: Diego Teijeiro Ruiz; security-basics@securityfocus.com
    Subject: Re: software to control domain administrators

    "If I can't trust my admin he/she shouldn't be one" is an archaic school of
    thought. In today's age of compliance and accountability that school of
    thought needs to be radically changed. There needs to be checks and
    balances. Which is why security has to be separate from operations. More and
    more enterprises are following the new school of thought that an employee
    has the computer access and permissions that it takes for him or her to
    perform their functions, no more, no less. Full domain and enterprise
    administrators are less and less common in favor of dividing responsibility
    so administrators can have less rights to perform their day to day
    functions. Windows offers runas and sudo capabilities which we utilize to
    reduce the number of people who require administrative access. I advocate a
    central/separate syslog/event viewer server that is not in the domain and
    the administrators have no access to whatsoever. Now if someone is trying to
    cover their tracks they can't because the logs are duplicated in real time
    to the central server. It should be stressed it is not a matter of trust but
    a matter of checks and balances.

    Charlie

    LordInfidel@directionweb.com wrote:

    >One of my co-workers pointed out that my response may have come off
    >the wrong way...
    >
    >First, always **Audit Everything**... I was not advocating 'not
    >auditing'.
    >
    >Trustworthy Admins already do this with the explicit knowledge that
    >they themselves are subject to being audited and that their actions on
    >the network will be logged. The point I was attempting to make before
    >is that a malicious admin or one that feels threatened has the power to
    >reverse that auditing, which the auditing mechanism should reflect
    >anyways. But the problem is compounded if the admin has access to the
    >logs, then there is nothing stopping them from covering their tracks.
    >
    >I apologize if it confused anyone. The overall theme remains the same,
    >if you can't explicitly trust the people who are running your network
    >then they should not be running it.
    >
    >-----Original Message-----
    >From: LordInfidel@directionweb.com
    >[mailto:LordInfidel@directionweb.com]
    >
    >Sent: Thursday, May 05, 2005 6:02 PM
    >To: Diego Teijeiro Ruiz; security-basics@securityfocus.com
    >Subject: RE: software to control domain administrators
    >
    >Probably a little late, been busy, but I did not see a response yet to
    >this.
    >
    >(assuming we are talking about NT/AD Domain Admins)
    >
    >Honestly, if you are looking for something to audit domain admins, then
    >you have bigger problems.
    >
    >Domain admins by the very nature of the account type, have complete
    >control over the domain, second to only enterprise admins. Nothing you
    >install or do will prevent them from removing or modifying it. Even
    >restricting them via NTFS permissions or GPOs does nothing since they
    >can just take ownership and modify the permissions.
    >
    >Keep in mind that spying on a domain admin can have catastrophic
    >effects if they feel threatened by it since they can easily mess up an
    >entire network.
    >
    >Basically, if you can not trust your domain admin(s), then they should
    >probably not be a domain admin and should be removed from that position of trust.
    >
    >JMO
    >
    >-----Original Message-----
    >From: Diego Teijeiro Ruiz [mailto:dteijeiro@azertia.com]
    >Sent: Thursday, April 28, 2005 5:51 AM
    >To: security-basics@securityfocus.com
    >Subject: software to control domain administrators
    >
    >
    >Does anyone know any software to control, audit, or restrict access or
    >privileges to domain administrators?
    >
    >Thanks in advance
    >
    >
    >DTR
    >
    >
    >
    >-----------------------------------------------------------------------
    >This email is confidential and intended solely for the use of the
    >individual to whom it is addressed. Any views or opinions presented are
    >solely those of the author and do not necessarily represent those of
    >AZERTIA. If you are not the intended recipient, be advised that you
    >have received this email in error and that any use, dissemination,
    >forwarding, printing, or copying of this email is strictly prohibited.
    >If you have received this email in error please notify it to AZERTIA by
    >telephone on number +34 93 207 55 11.
    >-----------------------------------------------------------------------
    >
    >

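Charlie's central log server that the admins cannot reach, and Bundschuh's objection that whoever can read the logs can edit them, are two halves of the same problem. As an added illustration, written for this page and not taken from any poster in the thread, the Python below makes the receiver's stored copy tamper-evident: every record is hashed together with its predecessor, and the chain head is periodically copied to a place the log server's own admins cannot write. The events, hostnames and timestamps are constructed sample values.

```python
import hashlib
import json

# Constructed sample events, as a separate log receiver outside the domain
# might get them forwarded in real time (hypothetical values).
SAMPLE_EVENTS = [
    {"ts": "2005-05-09T11:01:00", "host": "dc1", "msg": "account added to Domain Admins"},
    {"ts": "2005-05-09T11:02:10", "host": "dc1", "msg": "new user account created"},
    {"ts": "2005-05-09T11:03:45", "host": "dc1", "msg": "audit log cleared on dc1"},
]
GENESIS = "0" * 64  # link value "before" the first record

def chain_entry(prev_hash, event):
    """Hash of this event bound to the hash of the record before it."""
    payload = prev_hash + json.dumps(event, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

def build_chain(events):
    """What the receiver does on append: store each event with the link to its predecessor."""
    chain, prev = [], GENESIS
    for ev in events:
        h = chain_entry(prev, ev)
        chain.append({"event": dict(ev), "prev": prev, "hash": h})
        prev = h
    return chain

def head(chain):
    """Current chain head; record it somewhere the log server's admins cannot write."""
    return chain[-1]["hash"] if chain else GENESIS

def verify_chain(chain, anchored_head=None):
    """Recompute every link and return (ok, detail). Editing any stored record
    breaks the link at that index. A chain truncated or rebuilt so that it still
    verifies internally is caught only by comparing against an anchored head."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or chain_entry(prev, rec["event"]) != rec["hash"]:
            return False, "record %d altered" % i
        prev = rec["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, "head mismatch: chain truncated or rebuilt"
    return True, "intact"

if __name__ == "__main__":
    log = build_chain(SAMPLE_EVENTS)
    saved_head = head(log)  # e.g. copied to the auditor at a fixed interval
    log[2]["event"]["msg"] = "nothing to see"
    print(verify_chain(log))  # (False, 'record 2 altered')
    print(verify_chain(build_chain(SAMPLE_EVENTS[:2]), saved_head))
```

The head comparison is the part that answers Bundschuh: without a copy of the head held outside the log server, a party with write access could rebuild the whole chain from the altered record onward and it would still verify.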
