Educause Security Discussion mailing list archives
Re: Windows Domain Controllers: Risks involved
From: David Gillett <gillettdavid () FHDA EDU>
Date: Tue, 17 Mar 2009 10:31:15 -0700
- Domain admins can access the files of any computer in the domain. How do you ensure the confidentiality and privacy of users and data?
You do what you can to staff these positions with trustworthy people. If this is an extremely sensitive area, you add monitoring and Separation of Duties so that none of them can abuse this privilege without someone else knowing about it. I worked in a place where some users with Local Admin rights routinely deleted the Domain Admins group from Local Admins on their machines. We rolled out a change to our standard login script that would add it back...
- In your implementations, do you include the computers of the top management?
Excluding such machines is the WRONG way to "secure" them. In that same place, the machines of the top executives were excluded with the result that they were the worst secured and maintained computers in the company. Ideally, sensitive data shouldn't live on anyone's desktop or laptop machine, but on a secured and backed-up server. But that just moves the question above from concerns about the Domain Admins to the exact same concerns about the sysadmins of that storage server....
- Do you give faculty and staff high-level access to install applications, or do installation requests have to be channeled to the domain admins?
Having a domain doesn't mean users *can't* have Local Admin rights on their machines, but that's a separate discussion. We've found that for *most* users, having to have a tech call on them when they need to do something requiring Local Admin rights is a good way to cut down on repair calls after they've shot themselves in the foot. Generally those techs are not Domain Admins either.

David Gillett