Re: How to restrict administrative access
From: Miha Pihler [MVP] (mihap-news_at_atlantis.si)
Date: 09/14/05
- Previous message: Karl Levinson, mvp: "Re: System Quarantining"
- In reply to: boomboom999_at_yahoo.com: "Re: How to restrict administrative access"
- Next in thread: boomboom999_at_yahoo.com: "Re: How to restrict administrative access"
- Reply: boomboom999_at_yahoo.com: "Re: How to restrict administrative access"
Date: Wed, 14 Sep 2005 08:58:08 +0200
Hi,
My next suggestion is what Steven already told you. Use Smart Cards (SC) for
Domain Administrator accounts. To go further, have only a few of these (as few
as possible). In the end I could perform a social engineering attack on these
(e.g. in the bar after a few beers with a person who has such cards). So you
will have to set some policies in the end (e.g. if you give away such a card
for any reason you will be fired...).
When I do the deployment of SC for my customers we try to use SC cards also
as proximity cards etc. In this case people can't leave or can't come into
the office if they forget it anywhere (this way SC is missed very soon)...
For one customer we recently tested the solution with SC where instead of
a PIN you could use fingerprints.
Now that we only have e.g. 4 or 5 of these cards, how do we administer the
servers? Delegate control (only give people the permissions they need to have
for their work). I can't think of any reason why a Domain Administrator
account would need to log on to a user's PC or Exchange server etc. For
administering user computers and e.g. Exchange servers, use user accounts
that are members of local administrator groups but not the Domain Administrator
group (or Enterprise Administrator ...). Domain Administrator accounts
should only be used on Domain Controllers, which are (or should be) stored in
a safe location.
This way Domain Administrators still have access to their tools, but a social
engineering attack becomes very hard.
What I see as the problem in your case is that you are trying to defend yourself
in case someone does steal a domain administrator password. Unfortunately
there is no protection against someone who has an administrator account. Your
domain is "owned" :-) if the person knows what to do with the information.
If you apply e.g. group policy (for e.g. IPSec), as Administrator I will
always be able to remove or change the policy (and policy).
Again ... there is no way to protect yourself against Administrators (or in
your case someone who guessed or stole or ... Administrator account). This
is why you have to protect it as much as possible and prevent this kind of
information -- and in this case you can use SC...
I hope this helps,
--
Mike
Microsoft MVP - Windows Security

<boomboom999@yahoo.com> wrote in message
news:1126650018.782048.36200@g43g2000cwa.googlegroups.com...
> Mike,
>
> Thank you for your comments but it is not what exactly we are looking
> for.
> We want to restrict logon attempts to an authorized subnet/computers as
> a secondary measure to prevent some scenario where the admin passwords
> are stolen through a social engineering attack and silently used during
> some time.
>
> In a big network where all the security management is based on Active
> Directory integrity, this scenario will have a devastating impact.
>
> Actually, we are playing with restricting access to the INTERACTIVE
> user and putting IPSec filters on RDP ports. However, the main drawback
> of this approach is that we cannot use anymore remote tools and
> utilities like "net use" etc.
>
> Any ideas will be appreciated.
>
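
The rule in the message above (Domain Administrator accounts are used only on Domain Controllers) can also be checked after the fact against logon records. The following is an added example, not part of the original post; the account names, host names and CSV layout are constructed assumptions, and a real deployment would feed it exported logon events instead.

```python
"""Flag Domain Admin logons that land on hosts other than domain controllers."""
import csv
import io

# Constructed sample data: hypothetical account and host names.
DOMAIN_ADMINS = {"da-anna", "da-boris"}   # members of the Domain Admins group
DOMAIN_CONTROLLERS = {"dc01", "dc02"}     # only hosts where they may log on

# Constructed logon records. logon_type follows the Windows convention:
# 2 = interactive, 3 = network, 10 = remote interactive (RDP).
SAMPLE_LOG = """\
time,account,host,logon_type
2005-09-14T08:01:12,da-anna,DC01,2
2005-09-14T08:15:40,hd-carl,WS-114,2
2005-09-14T09:02:03,DA-Boris,EXCH01,10
2005-09-14T09:30:55,CORP\\da-anna,ws-114,3
2005-09-14T10:11:09,da-boris@corp.example,dc02.corp.example,3
"""


def normalize_account(name):
    """Reduce DOMAIN\\user or user@domain to a lowercase bare account name."""
    name = name.strip().lower()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    return name.split("@", 1)[0]


def normalize_host(name):
    """Reduce a host name or FQDN to its lowercase short name."""
    return name.strip().lower().split(".", 1)[0]


def find_violations(log_text, admins=DOMAIN_ADMINS, dcs=DOMAIN_CONTROLLERS):
    """Return (time, account, host, logon_type) for admin logons off the DCs."""
    violations = []
    for row in csv.DictReader(io.StringIO(log_text)):
        account = normalize_account(row["account"])
        host = normalize_host(row["host"])
        if account in admins and host not in dcs:
            violations.append((row["time"], account, host, int(row["logon_type"])))
    return violations


if __name__ == "__main__":
    for hit in find_violations(SAMPLE_LOG):
        print("Domain Admin logon outside DC tier:", hit)
```

Normalizing the account and host spellings matters because the same account shows up as `user`, `DOMAIN\user` or `user@domain` depending on the tool that made the logon, and a literal string match would miss two of the three.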