RE: Restrict the Domain Admin

From: Craig Wright (cwright_at_bdosyd.com.au)
Date: 09/23/05

  • Next message: Harrison Holland: "Re: PGP email encryption" 
    Date: Fri, 23 Sep 2005 08:03:59 +1000
To: "Depp, Dennis M." <deppdm@ornl.gov>, "cc" <cc@belfordhk.com>, <security-basics@securityfocus.com>

    Everything is always a matter of technical and procedural. The next
    question is which domain privileges do you need, first and foremost the
    controls over the logging and audit trails should not be vested in a
    complete admin. Give one set of rights to internal audit and another to
    the general admin as an example.

    The default admin account gets -
    1 logged extensively
    2 split - i.e. have half the password entered by manager 1 and the
    other half by manager 2 or setup a token based auth and lock the token
    in a safe - there are many ways to do this and technology is not always
    the best answer.

    Have a change process to get access to the domain admin account on the
    few rare occasions where you need full access.

    Set the admin accounts that you create to have no rights to change audit
    for one account and no rights to do anything other than audit for the
    other (and this than goes to internal audit).

    Craig

    -----Original Message-----
    From: Depp, Dennis M. [mailto:deppdm@ornl.gov]
    Sent: 23 September 2005 1:41
    To: Craig Wright; cc; security-basics@securityfocus.com
    Subject: RE: Restrict the Domain Admin

    Hey Craig,

    Aren't these proceedural controls and not technical? Were you able to
    use Domain admin privs without these controls, or did this process
    somehow grant you domain admin access. I suspect it is the former and
    not the latter. Somebody has to be the holder of the keys, i.e. the
    Domain Admin password. If that is not you, then someone else must have
    had this password and given it to you when you needed it. If you
    already had the rights, then you could have used these privs with out
    signing the proper paperwork. True you can have auditing turned on to
    determine when someone uses their domain credentials, but this would
    only identify the credentials were used and not stop them from using
    them.

    Dennis

    -----Original Message-----
    From: Craig Wright [mailto:cwright@bdosyd.com.au]
    Sent: Tuesday, September 20, 2005 5:47 PM
    To: cc; security-basics@securityfocus.com
    Subject: RE: Restrict the Domain Admin

    Have we heard of segregation of duties?

    I am sorry but I have NEVER seen a site with more than 1 IT person where
    domain admins are needed for all tasks. It is not about whether you
    trust the person - minimise the exposure. The trust argument is just a
    waste of time.

    Even when I was an admin - I always made sure that I did not have
    complete control without going through a change process where everything
    is logged and checked - just to cover my own ass if something happened

    Craig

    PS
    Lets hope that you never have me doing a SOX, SAS70 or other audit of
    your site

    -----Original Message-----
    From: cc [mailto:cc@belfordhk.com]
    Sent: 20 September 2005 4:56
    To: security-basics@securityfocus.com
    Subject: Re: Restrict the Domain Admin

    sf_mail_sbm@yahoo.com sighed and wrote::

    > Hi List,
    > Is there a way to restrict access of a Domain Admin?

    Here's my $0.02.

    By restricting the access of a domain admin, you've already defeated the
    purpose of a domain admin. The main point of the matter is that in
    order for one person to be a domain admin, you must have extraordinary
    (or maybe just special) trust in both the person's ability and their
    standards of
    operating procedures. By restricting access to the domain
    admin, you are in essence saying, "Here's the domain access, but we
    don't trust you enough to give you the full 9 yards so we're restricting
    your access to these privileges."

    If you don't have 100% confidence in either the person's ability or
    their ethics, you really shouldn't be giving the person that much access
    to begin with.

    As some other poster (Mr. Armfield) mentioned here, eventually you'll
    need a person who has access to the whole nine yards.

  • Next message: Harrison Holland: "Re: PGP email encryption"

    Relevant Pages

    • Re: Domain Admins restriction
      ... > There is no such thing as a restricted domain administrator. ... >> few user files I want to restrict him from. ... >> I tried Domain Admin to the folders and then adding ... >> his name to these folder and restricting access, ...
      (microsoft.public.win2000.active_directory)
    • RE: Restrict the Domain Admin
      ... Aren't these proceedural controls and not technical? ... somehow grant you domain admin access. ... Subject: Restrict the Domain Admin ... trust the person - minimise the exposure. ...
      (Security-Basics)
    • Re: Restrict User account creation
      ... Even if you find a way to restrict him as domain admin, he also has the right to undo your restrictions. ... So make him normal user and delegate control. ... neccessary rights. ...
      (microsoft.public.windows.server.active_directory)
    • Re: Restrict Domain admins for Remote Desktop
      ... restrict users in same groups then either set up another security group, ... Administrators from using Remote Desktop onto my computer. ... want to restrict a domain admin and an administrator without ... restricting myself as I am also a domain admin and administrator. ...
      (microsoft.public.windowsxp.general)
    • Re: Client Access Rights
      ... This would only be a problem if the users in question had domain admin ... rights. ... > Note that while this will work in general, ultimately you can not restrict ... > separate domains or better yet separate forests. ...
      (microsoft.public.win2000.networking)