Security Basics mailing list archives

RE: software to control domain administrators


From: "Beauford, Jason" <jbeauford () EightInOnePet com>
Date: Mon, 9 May 2005 12:23:20 -0400

This is one of those topics that come up when U.M. (upper management)
starts asking questions about I.T. stuff about which they know nothing or
very little.

It's best just to quell their fears with any means possible before it
gets out of hand.  Somehow they are introduced to the fact that Domain
Admins have complete access to all data on the network, which includes
critical business files, accounting data and probably their personal
emails and pr0n.

Then they get into a mode on how they can limit Domain Admin access so
that they will not be able to view the above mentioned data.

So how can they then?

Provide solace by explaining that Application security can be
implemented to prohibit Domain Admin access.  For instance, if your
Accounting Software provides the ability for users to log in, do not
disclose usernames and passwords to the Domain Admin. (Personally, as a
D.A. I don't want to know any of that information.  I don't want anyone
being able to accuse me of tampering with any of that.)  If your
software isn't that advanced and you're using excel files, set passwords
on viewing or changing the files.

Certainly if we try hard enough, we can get access to the data via
password crackers or social engineering etc., however the end user will
at least be pacified enough to get back to their work and stop worrying
about what the Domain Admin is looking at.

Additionally, provide them (Upper Management or End Users) with auditing
tools or reports of some sort.  They like that kind of thing. 

$.02 deposited.

-jmb

-----Original Message-----
From: LordInfidel [mailto:LordInfidel () directionweb com] 
Sent: Monday, May 09, 2005 9:27 AM
To: Andrew Shore; Diego Teijeiro Ruiz; security-basics () securityfocus com
Subject: RE: software to control domain administrators


I have to disagree; after reading about their products, nowhere does it
state that it can lock out domain admins, at least nowhere that I read.
From what I read the bulk of their products are central mgmt tools
designed to manage regular users, not the all-powerful domain
administrator.

According to an FAQ on their site (from their Cloak product):

Q: Is the Administrator account ever restricted? 
A: No. Cloak will not filter the requests from any user that belongs to
the local Administrators group on the host server. The LocalSystem
account is also exempt. Cloak would not ever want to get in the way of
your nightly tape backup operations

(Domain Admins are automatically placed in the local admin group of
every machine, both the desktop and server that is a member of that
domain.)

This is not to say it can't be done.  You can, via NTFS permissions,
remove the domain admin group from having full control thus removing
them from the permissions of those objects.  But nothing will stop them
from re-adding themselves back in via their inherited power of "Take
Ownership".  

This is where logging is very important and needs to be enabled, which I
strongly advocate, and the ScriptLogic tool "Enterprise Security
Reporter" does just that while reporting in a central location.  But
file permissions need to be audited on a regular basis and analyzed.

Just always keep in mind, nothing is stopping a domain admin from
resetting the password to an account that does have access and then
logging on as that user and accessing the data.  Or they can take a more
hostile approach, not resetting the password and grabbing the LM hashes
either off of the wire (LC4) or from the domain's SAM, then using
off-line techniques, crack passwords of accounts that do have access to
the files.

Again, if you can't trust the person who is supposed to be managing your
network, then they should not be put in that position.
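A small audit script of the kind the last two paragraphs call for, added here as an example; it is not the poster's script and not the ScriptLogic tool. It walks a share, reports every object whose ACL still grants the Domain Admins group access, and diffs each object's owner against a saved baseline so a later "Take Ownership" stands out. The share path, domain name and baseline file name are placeholders.

```powershell
# Added example, not from the thread. Adjust $Root, $Domain and $Baseline
# for your environment; they are placeholders.
param(
    [string]$Root     = 'D:\Shares\Accounting',
    [string]$Domain   = 'EXAMPLE',
    [string]$Baseline = '.\owner-baseline.csv'
)

$daGroup = "$Domain\Domain Admins"

# One record per file/folder: its owner and any Allow ACE held by Domain Admins.
$current = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
        if ($null -eq $acl) { return }   # skip objects we could not read
        $daRights = $acl.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $_.IdentityReference.Value -eq $daGroup } |
            ForEach-Object { $_.FileSystemRights.ToString() }
        [pscustomobject]@{
            Path           = $_.FullName
            Owner          = $acl.Owner
            DomainAdminACE = ($daRights -join ';')
        }
    }

# Report 1: objects where the Domain Admins group was never removed from the ACL.
Write-Host "Objects still granting ${daGroup}:"
$current | Where-Object { $_.DomainAdminACE } |
    Format-Table Path, DomainAdminACE -AutoSize

# Report 2: owner changes since the previous run. The first run only records
# a baseline; every later run compares against it and then refreshes it.
if (Test-Path -LiteralPath $Baseline) {
    $old = @{}
    Import-Csv -LiteralPath $Baseline | ForEach-Object { $old[$_.Path] = $_.Owner }
    $changed = $current |
        Where-Object { $old.ContainsKey($_.Path) -and $old[$_.Path] -ne $_.Owner } |
        Select-Object Path, @{ n = 'PreviousOwner'; e = { $old[$_.Path] } }, Owner
    Write-Host "Owner changes since baseline:"
    $changed | Format-Table -AutoSize
} else {
    Write-Host "No baseline found; recording one at $Baseline"
}
$current | Select-Object Path, Owner | Export-Csv -LiteralPath $Baseline -NoTypeInformation
```

Run it from a scheduled task and keep the CSV where the domain admins being audited cannot rewrite it, otherwise the baseline itself can be edited to hide a change.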

-----Original Message-----

