Security Basics mailing list archives
RE: software to control domain administrators
From: <LordInfidel () directionweb com>
Date: Fri, 6 May 2005 12:17:27 -0400
One of my co-workers pointed out that my response may have come off the wrong way...

First, Always **Audit Everything**......

I was not advocating 'not auditing'. Trustworthy admins already do this with the explicit knowledge that they themselves are subject to being audited and that their actions on the network will be logged.

The point I was attempting to make before is that a malicious admin, or one that feels threatened, has the power to reverse that auditing, which the auditing mechanism should reflect anyways. But the problem is compounded if the admin has access to the logs; then there is nothing stopping them from covering their tracks.

I apologize if it confused anyone. The overall theme remains the same: if you can't explicitly trust the people who are running your network, then they should not be running it.

-----Original Message-----
From: LordInfidel () directionweb com [mailto:LordInfidel () directionweb com]
Sent: Thursday, May 05, 2005 6:02 PM
To: Diego Teijeiro Ruiz; security-basics () securityfocus com
Subject: RE: software to control domain administrators

Probably a little late, been busy, but I did not see a response yet to this.

(assuming we are talking about NT/AD Domain Admins)

Honestly, if you are looking for something to audit domain admins, then you have bigger problems.

Domain admins, by the very nature of the account type, have complete control over the domain, second only to enterprise admins. Nothing you install or do will prevent them from removing or modifying it. Even restricting them via NTFS permissions or GPOs does nothing, since they can just take ownership and modify the permissions.

Keep in mind that spying on a domain admin can have catastrophic effects if they feel threatened by it, since they can easily mess up an entire network.

Basically, if you cannot trust your domain admin(s), then they should probably not be a domain admin and should be removed from that position of trust.
JMO

-----Original Message-----
From: Diego Teijeiro Ruiz [mailto:dteijeiro () azertia com]
Sent: Thursday, April 28, 2005 5:51 AM
To: security-basics () securityfocus com
Subject: software to control domain administrators

Does anyone know any software to control, audit, or restrict access or privileges to domain administrators?

thnx in advance

DTR