Security Basics mailing list archives
RE: software to control domain administrators
From: "Bundschuh, Anthony D" <ANTHONY.D.BUNDSCHUH () saic com>
Date: Wed, 11 May 2005 13:39:37 -0700
I believe you are correct in your assessment. In the Windows world, there are ways to control the permissions any given user has. You can give different levels of administration permissions through group membership and AD design, such as Container Admin, Password Resets, etc. All of these access can be logged in the same way as any other audit function, and these users would not necessarily have access to the logs to cover their tracks. But this does not negate the need for a Domain Admin or SU as you pointed out. You made an excellent point that total access is needed in some cases. But I fell that the point is being lost here again. The originator of this topic wants to control the accesses that Domain Admins have, and log their actions also. Their actions should already be logged, but nothing prevents them from removing them short of a remote logging server. I am not confident that such a measure would prevent them from disabling logging on any machine that they wished, which Domain Admins can do. If a product exists that can limit Domain Admin permissions (which the ability already exists in Windows through the use of group membership) there will still needs to be someone that is all powerful. Sorry, just a fact of computing. This all goes back to the answer given many times already: If the people running you network are not trustworthy, they should not be running your network. -----Original Message----- From: Keenan Smith [mailto:kc_smith () clark net] Sent: Wednesday, May 11, 2005 12:50 PM To: security-basics () securityfocus com Subject: RE: software to control domain administrators All, I'm going to move myself out of the weeds on this one and share a 25,000 foot perspective. On any computer, there has to be a "super user" procedure of some sort that can bypass any protections placed on the system. Without a capability like this, any misbehaving application, malicious user or runaway process has the potential to require a rebuild of the system as the only solution. Limiting the rights and privileges of the "super user" would be dangerous in that a simple mis-configuration could eliminate access to "super user" and therefore limit access to the resources necessary to reconfigure. In the Unix world, there has been a tool named "SuDo" for many years. The application itself runs as the user "root" and can be configured by "root" to allow one or more other users access. Running that application allows any properly configured user to run a command as "root" without actually having to be "root". For traceability the execution is logged making it a safer way to run "root" commands. I believe that the application being mentioned here is a similar product for Windows. (i.e. Applications can be run as the "domain admin" without the user actually having to be a "domain admin".) Keenan
Current thread:
- RE: software to control domain administrators LordInfidel (May 06)
- <Possible follow-ups>
- RE: software to control domain administrators LordInfidel (May 09)
- Re: software to control domain administrators Charles Fraser (May 09)
- RE: software to control domain administrators Andrew Shore (May 09)
- RE: software to control domain administrators LordInfidel (May 09)
- RE: software to control domain administrators Andrew Shore (May 09)
- RE: software to control domain administrators Beauford, Jason (May 09)
- RE: software to control domain administrators LordInfidel (May 09)
- RE: software to control domain administrators Keenan Smith (May 11)
- RE: software to control domain administrators Bundschuh, Anthony D (May 10)
- RE: software to control domain administrators Bundschuh, Anthony D (May 12)