Security Basics mailing list archives
RE: Restrict the Domain Admin
From: "Charles Otstot" <charles.otstot () ncmail net>
Date: Mon, 26 Sep 2005 09:17:32 -0400
Viewing the original post, it seems to me that the question wasn't whether domain admins were needed for *all* tasks, but whether accounts designated as domain admins (from the OS's perspective) could have their access limited so that those accounts could not perform *certain* tasks. At some point (whether logged or not, someone will need complete (domain admin) access. How you vet the need and how you control what occurs during the access is another question entirely. In this context, cc's answer is reasonable and correct. Perhaps the best answer for the original poster would be along the lines of an older, traditional response: Those people who are designated as domain administrators should have two accounts...One for their everyday tasks and one for their administrative tasks. The administrative account should only be used for administrative tasks requiring domain admin access. Yes, auditing and other checks and balances should be in place. More importantly, this leaves the primary remaining issues as management issues rather than technical (i.e. Here are the rules the organization deems appropriate, if you break the rules, there will be consequences). To recall a poster of some time ago from this very list, all too often we seem to find people looking for technical answers to what are basically management policy questions. We look to technical limiters to replace human management, all too often simply for the sake of using technology rather than approaching the problem through rational and sound human practices. In this case, if you have a domain admin who does something improper, you fire them and move on I realize this answer ignores "What if he/she steals confidential data or blows away your entire network, however, if you don't have those things covered by other policies, you've already missed the boat. Charlie -----Original Message----- From: Craig Wright [mailto:cwright () bdosyd com au] Sent: Tuesday, September 20, 2005 5:47 PM To: cc; security-basics () securityfocus com Subject: RE: Restrict the Domain Admin Have we heard of segregation of duties? I am sorry but I have NEVER seen a site with more than 1 IT person where domain admins are needed for all tasks. It is not about whether you trust the person - minimise the exposure. The trust argument is just a waste of time. Even when I was an admin - I always made sure that I did not have complete control without going through a change process where everything is logged and checked - just to cover my own ass if something happened Craig PS Lets hope that you never have me doing a SOX, SAS70 or other audit of your site -----Original Message----- From: cc [mailto:cc () belfordhk com] Sent: 20 September 2005 4:56 To: security-basics () securityfocus com Subject: Re: Restrict the Domain Admin sf_mail_sbm () yahoo com sighed and wrote::
Hi List, Is there a way to restrict access of a Domain Admin?
Here's my $0.02. By restricting the access of a domain admin, you've already defeated the purpose of a domain admin. The main point of the matter is that in order for one person to be a domain admin, you must have extraordinary (or maybe just special) trust in both the person's ability and their standards of operating procedures. By restricting access to the domain admin, you are in essence saying, "Here's the domain access, but we don't trust you enough to give you the full 9 yards so we're restricting your access to these privileges." If you don't have 100% confidence in either the person's ability or their ethics, you really shouldn't be giving the person that much access to begin with. As some other poster (Mr. Armfield) mentioned here, eventually you'll need a person who has access to the whole nine yards.
Current thread:
- Re: Restrict the Domain Admin, (continued)
- Re: Restrict the Domain Admin G. Chomic (Sep 19)
- Re: Restrict the Domain Admin Raoul Armfield (Sep 19)
- Re: Restrict the Domain Admin Pete Hunt (Sep 19)
- RE: Restrict the Domain Admin Brian Loe (Sep 19)
- Re: Restrict the Domain Admin cc (Sep 20)
- Re: Restrict the Domain Admin Cam Fischer (Sep 22)
- Re: Restrict the Domain Admin Glenn English (Sep 26)
- RE: Restrict the Domain Admin Brunner, Mark (Sep 19)
- RE: Restrict the Domain Admin Robert McIntyre (Sep 20)
- RE: Restrict the Domain Admin Craig Wright (Sep 22)
- RE: Restrict the Domain Admin Charles Otstot (Sep 26)
- RE: Restrict the Domain Admin Brian Loe (Sep 26)
- RE: Restrict the Domain Admin Depp, Dennis M. (Sep 22)
- RE: Restrict the Domain Admin Craig Wright (Sep 26)
- RE: Restrict the Domain Admin Craig Wright (Sep 26)
- Re: RE: Restrict the Domain Admin sf_mail_sbm (Sep 30)