Re: 'Read only' Admin privileges for Active Directory environment?



This is a smaller company and a lot of the audits would be more
manual. The problem specifically isn't that InfoSec can't be trusted,
but more that the IT team can't be trusted. They have been caught in
the past using service accounts (Blackberry acct for example) to
perform day-to-day tasks. Their everyday accounts are in the Domain
Admins group. We have found highly confidential file shares open to
the entire company. All of this with normal domain admin rights. I
worry what might be set up poorly/insecurely somewhere we can't see.

We don't need Domain Admin rights specifically, just some type of
equivalent 'read only' permissions so we can be sure nothing is 'being
hidden'. Beyond just a normal 'auditing tool' (we were actually looking
at ScriptLogic's Enterprise Security Reporter) I was hoping to just
check up on making sure best practices were followed.



On 6/27/06, Saqib Ali <docbook.xml@xxxxxxxxx> wrote:
I don't see why your InfoSec team require Domain Admin rights to
perform an Audit. Something is fishy.

Usually large enterprises install auditing products like NetIQ, Quest,
Enterprise Security Manager etc, and the reports from these tools are
handed over to the InfoSec dept.

On 6/27/06, Michael Gressick <mgressick@xxxxxxxxx> wrote:
> Hello,
> Our InfoSec team has requested Domain Admin (or equivalent) privileges
> on the corporate Active Directory to audit the environment's security.
> The IT team in charge of this environment doesn't want to grant that
> level of privilege. InfoSec then requested a 'read-only' equivalent
> to everything in the Active Directory. The IT team hasn't been able
> to provide this. So my questions...
>
> 1) Is there an easy mechanism to grant a security group 'domain admin
> read only'? This would need to cover all aspects of the Active
> Directory, including all services, servers, any type of access
> Domain/Enterprise Admins would have, just not change anything.
> (Exchange, SQL, File servers, the works) I was told a product named
> Active Roles might solve this, but it seems quite expensive and way
> beyond the scope of what we need. Is there anything besides creating
> a new group and manually applying permissions for this group
> everywhere in the environment?
>
> 2) How does your company (assuming you have a separate security team)
> provide access to the InfoSec team to audit/secure AD? Do you give
> full admin rights, or what have you guys come up with?
>
> Thanks
> Mike
>
> ---------------------------------------------------------------------------
> This list is sponsored by: Norwich University
>
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The NSA has designated Norwich University a center of Academic Excellence
> in Information Security. Our program offers unparalleled Infosec management
> education and the case study affords you unmatched consulting experience.
> Using interactive e-Learning technology, you can earn this esteemed degree,
> without disrupting your career or home life.
>
> http://www.msia.norwich.edu/secfocus
> ---------------------------------------------------------------------------
>
>


--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------
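As an added example (not code from the thread or from any product named in it): most of what Mike wants to check, such as who is in Domain Admins and whether service accounts sit there, is readable by any authenticated domain account by default, so a plain user account can run a review like this. It assumes the RSAT ActiveDirectory PowerShell module is installed; the group list and the 90-day staleness threshold are assumptions, not values from the thread.

```powershell
# Added example: read-only review of privileged AD group membership.
# Assumption: RSAT ActiveDirectory module present. Default AD permissions let
# any authenticated user read group membership and these attributes, so no
# Domain Admin (or other write) rights are needed to run it.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$staleDays = 90   # assumption: an admin-group member idle this long deserves a question

function Get-PrivilegedMemberReport {
    param([string[]]$Groups = $privilegedGroups)

    foreach ($group in $Groups) {
        # -Recursive expands nested groups so indirect memberships surface too
        $members = Get-ADGroupMember -Identity $group -Recursive |
                   Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.distinguishedName -Properties `
                 Enabled, PasswordNeverExpires, LastLogonDate, ServicePrincipalNames
            $findings = @()
            # An account carrying SPNs is a service account; one sitting in an
            # admin group matches the "Blackberry account used for daily work" pattern.
            if ($u.ServicePrincipalNames.Count -gt 0) { $findings += 'service-account-in-admin-group' }
            if ($u.PasswordNeverExpires)              { $findings += 'password-never-expires' }
            if ($u.LastLogonDate -and $u.LastLogonDate -lt (Get-Date).AddDays(-$staleDays)) {
                $findings += "no-logon-in-${staleDays}d"
            }
            if (-not $u.Enabled)                      { $findings += 'disabled-but-still-member' }
            [pscustomobject]@{
                Group     = $group
                Account   = $u.SamAccountName
                Enabled   = $u.Enabled
                LastLogon = $u.LastLogonDate
                Findings  = ($findings -join ',')
            }
        }
    }
}

# Run from an ordinary domain account; nothing here writes to the directory.
Get-PrivilegedMemberReport | Sort-Object Group, Account | Format-Table -AutoSize
```

Accounts whose Findings column is empty are still worth a manual look; the script only flags the patterns named in the thread, not everything a full auditing product would report.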

