Security Basics mailing list archives
RE: software to control domain administrators
From: "Keenan Smith" <kc_smith () clark net>
Date: Wed, 11 May 2005 14:49:31 -0400
All, I'm going to move myself out of the weeds on this one and share a 25,000 foot perspective. On any computer, there has to be a "super user" procedure of some sort that can bypass any protections placed on the system. Without a capability like this, any misbehaving application, malicious user or runaway process has the potential to require a rebuild of the system as the only solution. Limiting the rights and privileges of the "super user" would be dangerous in that a simple mis-configuration could eliminate access to "super user" and therefore limit access to the resources necessary to reconfigure. In the Unix world, there has been a tool named "SuDo" for many years. The application itself runs as the user "root" and can be configured by "root" to allow one or more other users access. Running that application allows any properly configured user to run a command as "root" without actually having to be "root". For traceability the execution is logged making it a safer way to run "root" commands. I believe that the application being mentioned here is a similar product for Windows. (i.e. Applications can be run as the "domain admin" without the user actually having to be a "domain admin".) Keenan
Current thread:
- RE: software to control domain administrators LordInfidel (May 06)
- <Possible follow-ups>
- RE: software to control domain administrators LordInfidel (May 09)
- Re: software to control domain administrators Charles Fraser (May 09)
- RE: software to control domain administrators Andrew Shore (May 09)
- RE: software to control domain administrators LordInfidel (May 09)
- RE: software to control domain administrators Andrew Shore (May 09)
- RE: software to control domain administrators Beauford, Jason (May 09)
- RE: software to control domain administrators LordInfidel (May 09)
- RE: software to control domain administrators Keenan Smith (May 11)
- RE: software to control domain administrators Bundschuh, Anthony D (May 10)
- RE: software to control domain administrators Bundschuh, Anthony D (May 12)