Re: Accountability of Domain Admins

From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 01/23/04


Date: Fri, 23 Jan 2004 00:00:46 -0500

The only thing you can do is crank up logging, having agents on the machine
that pick up the logs and shoot them to a centralized source that the DAs
don't have access to. Of course nothing stopping the knowledgeable DA from
stopping the agent sending the messages back when they go do something
bad... The DAs can always clean up, it may look suspicious but nothing you
can prove type of thing.

Basically if you don't have trust in your DAs you are screwed, they are
god. Same for any system or OS. God is god, you have to trust her.

-- 
www.joeware.net
"Skarch" <noreply@x859mvic.com> wrote in message
news:uLgAmvQ4DHA.2332@TK2MSFTNGP10.phx.gbl...
> Kind of a different question here, if I should post to another newsgroup,
> please advise...
>
> I'm in a situation where there's more than one Domain Admin (including me)
> and there are some trust issues coming up.  Like reading other people's
> email, remote accessing user root drives and poking around, etc.
>
> I'm looking for some advice on how to approach resolving these issues.  Even
> if all the DAs were completely trustworthy, what procedures or methods of
> accountability are there that would ensure continued trust?  For example,
> how would the VP know he can trust the IT department to not snoop on his
> desktop system?
>
> For us, unfortunately some of this is going on, but at the moment there's no
> defined way to track or prove it.
>
> I can think of a few things, like tracking Admin logins, password reset
> procedures, killing admin shares, etc, but I'm hoping there might be
> real-world examples out there of IT departments that already have similar
> procedures in place.
>
> Any thoughts, examples or pointers to web resources are much appreciated!
>
> Thanks,
> SK
>
>
>
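Added example, not part of the original thread or anyone's posted code: the reply notes that a forwarding agent can be stopped, so this sketch shows a collector-side check that makes such a stop visible as a hole in each host's stream. It assumes the agent forwards every record in order with a per-host record number that normally increases by one, and that a healthy host is never quiet for more than 15 minutes; the function name, hosts, times and records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Security-log-cleared event IDs: 517 on Windows 2000/2003, 1102 on Vista and later.
LOG_CLEARED_IDS = {517, 1102}

# Constructed sample of what the collector received: (received_at, host, record_id, event_id).
SAMPLE = [
    ("2004-01-22T09:00:00", "DC01", 1001, 528),
    ("2004-01-22T09:05:00", "DC01", 1002, 560),
    ("2004-01-22T09:10:00", "DC01", 1003, 538),
    ("2004-01-22T10:40:00", "DC01", 1019, 528),  # 90 min of silence, 15 records never arrived
    ("2004-01-22T09:00:00", "FS01", 7301, 528),
    ("2004-01-22T09:04:00", "FS01", 7302, 560),
    ("2004-01-22T09:08:00", "FS01", 1, 517),     # log cleared, numbering restarted
    ("2004-01-22T09:12:00", "FS01", 2, 528),
]

def audit_stream(events, now, max_silence=timedelta(minutes=15)):
    """Return sorted (host, finding, detail) tuples for holes in each host's forwarded log."""
    by_host = defaultdict(list)
    for ts, host, record_id, event_id in events:
        by_host[host].append((datetime.fromisoformat(ts), record_id, event_id))
    findings = []
    for host, rows in by_host.items():
        rows.sort()  # order by time received at the collector
        for i, (ts, record_id, event_id) in enumerate(rows):
            if event_id in LOG_CLEARED_IDS:
                findings.append((host, "log_cleared", ts.isoformat()))
            if i == 0:
                continue
            prev_ts, prev_id, _ = rows[i - 1]
            if ts - prev_ts > max_silence:  # agent stopped or was blocked for a while
                findings.append((host, "agent_silent", f"{prev_ts.isoformat()} to {ts.isoformat()}"))
            if record_id <= prev_id:  # numbering went backwards: log cleared or replaced
                findings.append((host, "record_reset", f"{prev_id} -> {record_id}"))
            elif record_id != prev_id + 1:  # events were written locally but never forwarded
                findings.append((host, "records_missing", f"{prev_id + 1}-{record_id - 1}"))
        last_ts = rows[-1][0]
        if now - last_ts > max_silence:  # host is silent right now
            findings.append((host, "agent_silent", f"{last_ts.isoformat()} to now"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_stream(SAMPLE, now=datetime(2004, 1, 22, 10, 45)):
        print(finding)
```

A finding here shows only that the record is incomplete, not what happened during the gap, which matches the limit described in the reply.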