Security Basics mailing list archives

RE: 'Read only' Admin privileges for Active Directory environment?


From: "Roger A. Grimes" <roger () banneretcs com>
Date: Tue, 27 Jun 2006 17:35:31 -0400

There might be better answers, but here are two of mine off the top of
my head:

1. Use the Delegation wizard. Open up Active Directory Sites and Services
and highlight one or more sites, then right-click and choose Delegation.
This will start the Delegate Control Wizard. Add the audit user's
account, then choose Custom and select all the objects you want the
auditor to manage (User, OU, etc.) and then choose the permission(s) you
want them to have (i.e. Read Properties, Read, etc.).  This might be the
best answer.

2. Regular, non-admin users have read-only (& execute, which doesn't apply
to most things) permissions access to nearly everything you mention
below. You might have to add Allow-Read Permissions (to the objects to
be monitored) to the auditor as well, so they can audit the security
permissions, if that is needed. You might have to give them access to
the Security log as well, which is an additional privilege/permission.
But as far as I can tell from what you say below, any non-admin user
account works fairly well for what you want.

The work is in allowing the auditor to have access to all computers and
objects in the domain/forest. This is something normally only admins
have (because the domain admins group is added to the local
Administrator group of all domain computers). To give a non-admin user
the same ability, they have to be added to the local Users group on each
domain computer. This can be done relatively easily using group policy.

Now keep in mind that whatever can be read can be copied, printed, etc.
And any user will have Full Control to any object that has Users, Domain
Users, or Authenticated Users with Full Control. This includes any
custom created permissions plus anything the user creates, plus the
Windows temp folder, plus Temporary Internet Files.

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist 
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger_grimes () infoworld com or roger () banneretcs com
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*****************************************************************



-----Original Message-----
From: Michael Gressick [mailto:mgressick () gmail com] 
Sent: Tuesday, June 27, 2006 3:52 PM
To: security-basics () securityfocus com
Subject: 'Read only' Admin privileges for Active Directory environment?

Hello,
Our InfoSec team has requested Domain Admin (or equivalent) privileges
on the corporate Active Directory to audit the environment's security.
 The IT team in charge of this environment doesn't want to grant that
level of privilege.  InfoSec then requested a 'read-only' equivalent to
everything in the Active Directory.  The IT team hasn't been able to
provide this.  So my questions...

1) Is there an easy mechanism to grant a security group 'domain admin
read only'?  This would need to cover all aspects of the Active
Directory, including all services, servers, any type of access
Domain/Enterprise  Admins would have, just not change anything.
(Exchange, SQL, File servers, the works)  I was told a product named
Active Roles might solve this, but it seems quite expensive and way
beyond the scope of what we need.  Is there anything besides creating a
new group and manually applying permissions for this group everywhere in
the environment?

2)  How does your company (assuming you have a separate security team)
provide access to the InfoSec team to audit/secure AD? Do you give full
admin rights, or what have you guys come up with?

Thanks
Mike

------------------------------------------------------------------------
---
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has
designated Norwich University a center of Academic Excellence in
Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting
experience. 
Using interactive e-Learning technology, you can earn this esteemed
degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---
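
An added example, not part of the original thread: a PowerShell check for the two points raised in the reply, namely that the delegated auditor group holds nothing beyond read, and that Users, Domain Users or Authenticated Users do not hold Full Control on directory objects. It assumes the RSAT ActiveDirectory module and a hypothetical auditor group named `AD-Auditors`, and it inspects OUs in the directory only, not file system permissions.

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Assumption: 'AD-Auditors' is a hypothetical name for the delegated auditor group.
$AuditorGroup = 'AD-Auditors'

$domain     = Get-ADDomain
$auditorSid = (Get-ADGroup -Identity $AuditorGroup).SID.Value

# Broad principals named in the reply, expressed as well-known SIDs.
$broadSids = @(
    'S-1-5-11',                        # Authenticated Users
    'S-1-5-32-545',                    # BUILTIN\Users
    "$($domain.DomainSID.Value)-513"   # Domain Users
)

$rights      = [System.DirectoryServices.ActiveDirectoryRights]
$fullControl = [int]$rights::GenericAll
$readOnly    = [int]$rights::GenericRead
$sidType     = [System.Security.Principal.SecurityIdentifier]

$query = @{
    LDAPFilter = '(objectClass=organizationalUnit)'
    SearchBase = $domain.DistinguishedName
    Properties = 'nTSecurityDescriptor'
}

$findings = Get-ADObject @query | ForEach-Object {
    $dn = $_.DistinguishedName
    # Explicit and inherited ACEs, with identities returned as SIDs.
    foreach ($ace in $_.nTSecurityDescriptor.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid   = $ace.IdentityReference.Value
        $mask  = [int]$ace.ActiveDirectoryRights
        $issue = $null
        if ($broadSids -contains $sid -and ($mask -band $fullControl) -eq $fullControl) {
            $issue = 'Broad group has Full Control'
        }
        elseif ($sid -eq $auditorSid -and ($mask -band (-bnot $readOnly)) -ne 0) {
            $issue = 'Auditor group has more than read'
        }
        if ($issue) {
            [pscustomobject]@{ Object = $dn; Sid = $sid; Rights = $ace.ActiveDirectoryRights
                               Inherited = $ace.IsInherited; Issue = $issue }
        }
    }
}

$findings | Sort-Object Object | Format-Table -AutoSize
```

An empty result means no OU in the domain matched either condition; any row with `Inherited` set to `True` has to be corrected on a parent container rather than on the listed object.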

