Security Basics mailing list archives
RE: Restrict the Domain Admin
From: "Craig Wright" <cwright () bdosyd com au>
Date: Fri, 23 Sep 2005 08:03:59 +1000
Everything is always a matter of technical and procedural. The next question is which domain privileges do you need, first and foremost the controls over the logging and audit trails should not be vested in a complete admin. Give one set of rights to internal audit and another to the general admin as an example. The default admin account gets - 1 logged extensively 2 split - i.e. have half the password entered by manager 1 and the other half by manager 2 or setup a token based auth and lock the token in a safe - there are many ways to do this and technology is not always the best answer. Have a change process to get access to the domain admin account on the few rare occasions where you need full access. Set the admin accounts that you create to have no rights to change audit for one account and no rights to do anything other than audit for the other (and this than goes to internal audit). Craig -----Original Message----- From: Depp, Dennis M. [mailto:deppdm () ornl gov] Sent: 23 September 2005 1:41 To: Craig Wright; cc; security-basics () securityfocus com Subject: RE: Restrict the Domain Admin Hey Craig, Aren't these proceedural controls and not technical? Were you able to use Domain admin privs without these controls, or did this process somehow grant you domain admin access. I suspect it is the former and not the latter. Somebody has to be the holder of the keys, i.e. the Domain Admin password. If that is not you, then someone else must have had this password and given it to you when you needed it. If you already had the rights, then you could have used these privs with out signing the proper paperwork. True you can have auditing turned on to determine when someone uses their domain credentials, but this would only identify the credentials were used and not stop them from using them. Dennis -----Original Message----- From: Craig Wright [mailto:cwright () bdosyd com au] Sent: Tuesday, September 20, 2005 5:47 PM To: cc; security-basics () securityfocus com Subject: RE: Restrict the Domain Admin Have we heard of segregation of duties? I am sorry but I have NEVER seen a site with more than 1 IT person where domain admins are needed for all tasks. It is not about whether you trust the person - minimise the exposure. The trust argument is just a waste of time. Even when I was an admin - I always made sure that I did not have complete control without going through a change process where everything is logged and checked - just to cover my own ass if something happened Craig PS Lets hope that you never have me doing a SOX, SAS70 or other audit of your site -----Original Message----- From: cc [mailto:cc () belfordhk com] Sent: 20 September 2005 4:56 To: security-basics () securityfocus com Subject: Re: Restrict the Domain Admin sf_mail_sbm () yahoo com sighed and wrote::
Hi List, Is there a way to restrict access of a Domain Admin?
Here's my $0.02. By restricting the access of a domain admin, you've already defeated the purpose of a domain admin. The main point of the matter is that in order for one person to be a domain admin, you must have extraordinary (or maybe just special) trust in both the person's ability and their standards of operating procedures. By restricting access to the domain admin, you are in essence saying, "Here's the domain access, but we don't trust you enough to give you the full 9 yards so we're restricting your access to these privileges." If you don't have 100% confidence in either the person's ability or their ethics, you really shouldn't be giving the person that much access to begin with. As some other poster (Mr. Armfield) mentioned here, eventually you'll need a person who has access to the whole nine yards.
Current thread:
- RE: Restrict the Domain Admin, (continued)
- RE: Restrict the Domain Admin Brian Loe (Sep 19)
- Re: Restrict the Domain Admin cc (Sep 20)
- Re: Restrict the Domain Admin Cam Fischer (Sep 22)
- Re: Restrict the Domain Admin Glenn English (Sep 26)
- RE: Restrict the Domain Admin Brunner, Mark (Sep 19)
- RE: Restrict the Domain Admin Robert McIntyre (Sep 20)
- RE: Restrict the Domain Admin Craig Wright (Sep 22)
- RE: Restrict the Domain Admin Charles Otstot (Sep 26)
- RE: Restrict the Domain Admin Brian Loe (Sep 26)
- RE: Restrict the Domain Admin Depp, Dennis M. (Sep 22)
- RE: Restrict the Domain Admin Craig Wright (Sep 26)
- RE: Restrict the Domain Admin Craig Wright (Sep 26)
- Re: RE: Restrict the Domain Admin sf_mail_sbm (Sep 30)