Security Basics mailing list archives
RE: software to control domain administrators
From: "Beauford, Jason" <jbeauford () EightInOnePet com>
Date: Mon, 9 May 2005 12:23:20 -0400
This is one of those topics that comes up when U.M. (upper management) starts asking questions about I.T. stuff about which they know nothing or very little. It's best just to quell their fears by any means possible before it gets out of hand. Somehow they are introduced to the fact that Domain Admins have complete access to all data on the network, which includes critical business files, accounting data and probably their personal emails and pr0n. Then they get into a mode of how they can limit Domain Admin access so that they will not be able to view the above-mentioned data. So how can they then?

Provide solace by explaining that application security can be implemented to prohibit Domain Admin access. For instance, if your accounting software provides the ability for users to log in, do not disclose usernames and passwords to the Domain Admin. (Personally, as a D.A. I don't want to know any of that information. I don't want anyone being able to accuse me of tampering with any of that.) If your software isn't that advanced and you're using Excel files, set passwords on viewing or changing the files. Certainly if we try hard enough, we can get access to the data via password crackers or social engineering etc., however the end user will at least be pacified enough to get back to their work and stop worrying about what the Domain Admin is looking at.

Additionally, provide them (upper management or end users) with auditing tools or reports of some sort. They like that kind of thing.

$.02 deposited.

-jmb

-----Original Message-----
From: LordInfidel [mailto:LordInfidel () directionweb com]
Sent: Monday, May 09, 2005 9:27 AM
To: Andrew Shore; Diego Teijeiro Ruiz; security-basics () securityfocus com
Subject: RE: software to control domain administrators

I have to disagree. After reading about their products, nowhere does it state that it can lock out domain admins, at least nowhere that I read.

From what I read the bulk of their products are central mgmt tools designed to manage regular users, not the all-powerful domain administrator. According to an FAQ on their site (from their Cloak product):

Q: Is the Administrator account ever restricted?
A: No. Cloak will not filter the requests from any user that belongs to the local Administrators group on the host server. The LocalSystem account is also exempt. Cloak would not ever want to get in the way of your nightly tape backup operations.

(Domain Admins are automatically placed in the local admin group of every machine, both the desktops and servers that are members of that domain.)

This is not to say it can't be done. You can, via NTFS permissions, remove the domain admin group from having full control, thus removing them from the permissions of those objects. But nothing will stop them from re-adding themselves back in via their inherited power of "Take Ownership". This is where logging is very important and needs to be enabled, which I strongly advocate, and the ScriptLogic tool "Enterprise Security Reporter" does just that while reporting to a central location. But file permissions need to be audited on a regular basis and analyzed.

Just always keep in mind: nothing is stopping a domain admin from resetting the password of an account that does have access and then logging on as that user and accessing the data. Or they can take a more hostile approach, not resetting the password and grabbing the LM hashes either off the wire (LC4) or from the domain's SAM, then using offline techniques to crack the passwords of accounts that do have access to the files.

Again, if you can't trust the person who is supposed to be managing your network, then they should not be put in that position.

-----Original Message-----
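The two practical points in the thread, that Domain Admins can always take ownership and re-add themselves, and that file permissions therefore have to be audited regularly and the changes logged, can be scripted. The following PowerShell is an added example written for this archive page; it is not code from either poster, from ScriptLogic, or from the Cloak product. The folder paths, the domain name CONTOSO and the expected owner account are hypothetical. It walks the sensitive folders, flags any folder whose owner has changed or whose DACL grants Domain Admins or BUILTIN\Administrators anything, and then puts a SACL on the roots so that later use of Take Ownership or Change Permissions lands in the Security event log.

```powershell
# Added example (not from the original thread): audit the DACL and owner of
# sensitive folders, flag anything that lets domain/local admins back in, then
# put a SACL on the roots so ownership/permission changes are logged.
# Assumptions (hypothetical): the folder list, the domain name CONTOSO and the
# expected owner account 'CONTOSO\Accounting-Owner'.

$Domain          = 'CONTOSO'                              # hypothetical domain
$SensitiveRoots  = @('D:\Accounting', 'D:\HR')            # hypothetical paths
$ExpectedOwner   = "$Domain\Accounting-Owner"             # hypothetical owner
$AdminPrincipals = @("$Domain\Domain Admins", 'BUILTIN\Administrators')

# Every directory under the sensitive roots, roots included.
function Get-SensitiveFolders {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (Test-Path -LiteralPath $root) {
            $root
            Get-ChildItem -LiteralPath $root -Recurse -Directory -ErrorAction SilentlyContinue |
                ForEach-Object { $_.FullName }
        }
    }
}

# One finding per folder where the owner is not the expected account, or where
# an Allow ACE (explicit or inherited) names one of the admin principals.
# A changed owner is the tell-tale sign that Take Ownership has been used.
function Find-AdminAccess {
    param([string[]]$Folders)
    foreach ($folder in $Folders) {
        $acl = Get-Acl -LiteralPath $folder
        if ($acl.Owner -ne $ExpectedOwner) {
            [pscustomobject]@{ Folder = $folder; Issue = 'OwnerChanged'; Principal = $acl.Owner; Rights = '' }
        }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $AdminPrincipals -contains $ace.IdentityReference.Value) {
                $issue = 'AdminAceExplicit'
                if ($ace.IsInherited) { $issue = 'AdminAceInherited' }
                [pscustomobject]@{
                    Folder    = $folder
                    Issue     = $issue
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights.ToString()
                }
            }
        }
    }
}

# Add a SACL entry so that any use of Take Ownership or Change Permissions on
# these folders (and, via inheritance, everything below them) is audited.
# Writing a SACL needs SeSecurityPrivilege, i.e. an elevated session.
function Enable-OwnershipAudit {
    param([string[]]$Folders)
    $rights = [System.Security.AccessControl.FileSystemRights]'TakeOwnership, ChangePermissions'
    $flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
    $rule   = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', $rights, 'ContainerInherit, ObjectInherit', 'None', $flags)
    foreach ($folder in $Folders) {
        $acl = Get-Acl -LiteralPath $folder -Audit
        $acl.AddAuditRule($rule)
        Set-Acl -LiteralPath $folder -AclObject $acl
    }
}

$folders  = Get-SensitiveFolders -Roots $SensitiveRoots
$findings = Find-AdminAccess -Folders $folders
$findings | Sort-Object Issue, Folder | Format-Table -AutoSize

# Only the roots need the SACL; the inheritance flags propagate it downwards.
Enable-OwnershipAudit -Folders $SensitiveRoots
```

The SACL only produces events once the "File System" object-access subcategory is enabled on the file server (auditpol /set /subcategory:"File System" /success:enable /failure:enable); after that, permission changes on the audited folders show up in the Security log as event 4670. Run the script from a scheduled task and diff the findings against the previous run, which gives the regular ACL audit the thread asks for. It does not, and cannot, stop the password-reset or hash-cracking routes LordInfidel describes; those need domain-level auditing and, ultimately, trust in the admin.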
Current thread:
- RE: software to control domain administrators LordInfidel (May 06)
- <Possible follow-ups>
- RE: software to control domain administrators LordInfidel (May 09)
- Re: software to control domain administrators Charles Fraser (May 09)
- RE: software to control domain administrators Andrew Shore (May 09)
- RE: software to control domain administrators LordInfidel (May 09)
- RE: software to control domain administrators Andrew Shore (May 09)
- RE: software to control domain administrators Beauford, Jason (May 09)
- RE: software to control domain administrators LordInfidel (May 09)
- RE: software to control domain administrators Keenan Smith (May 11)
- RE: software to control domain administrators Bundschuh, Anthony D (May 10)
- RE: software to control domain administrators Bundschuh, Anthony D (May 12)