Security Basics mailing list archives

RE: software to control domain administrators


From: "Bundschuh, Anthony D" <ANTHONY.D.BUNDSCHUH () saic com>
Date: Wed, 11 May 2005 13:39:37 -0700

I believe you are correct in your assessment.  

In the Windows world, there are ways to control the permissions any given
user has.  You can give different levels of administration permissions
through group membership and AD design, such as Container Admin, Password
Resets, etc.  All of these accesses can be logged in the same way as any other
audit function, and these users would not necessarily have access to the
logs to cover their tracks.  But this does not negate the need for a Domain
Admin or SU, as you pointed out.  

You made an excellent point that total access is needed in some cases.  But
I feel that the point is being lost here again.  The originator of this
topic wants to control the accesses that Domain Admins have, and log their
actions also.  Their actions should already be logged, but nothing prevents
them from removing them short of a remote logging server.  I am not
confident that such a measure would prevent them from disabling logging on
any machine that they wished, which Domain Admins can do.  If a product
exists that can limit Domain Admin permissions (the ability for which already
exists in Windows through the use of group membership), there will still
need to be someone that is all powerful.  Sorry, just a fact of computing.


This all goes back to the answer given many times already:  If the people
running your network are not trustworthy, they should not be running your
network.   

-----Original Message-----
From: Keenan Smith [mailto:kc_smith () clark net] 
Sent: Wednesday, May 11, 2005 12:50 PM
To: security-basics () securityfocus com
Subject: RE: software to control domain administrators

All,

I'm going to move myself out of the weeds on this one and share a 25,000
foot perspective.

On any computer, there has to be a "super user" procedure of some sort that
can bypass any protections placed on the system.  Without a capability like
this, any misbehaving application, malicious user or runaway process has the
potential to require a rebuild of the system as the only solution.

Limiting the rights and privileges of the "super user" would be dangerous in
that a simple mis-configuration could eliminate access to "super user" and
therefore limit access to the resources necessary to reconfigure.

In the Unix world, there has been a tool named "SuDo" for many years.
The application itself runs as the user "root" and can be configured by
"root" to allow one or more other users access.  Running that application
allows any properly configured user to run a command as "root" without
actually having to be "root".  For traceability the execution is logged
making it a safer way to run "root" commands.  I believe that the
application being mentioned here is a similar product for Windows. (i.e.
Applications can be run as the "domain admin" without the user actually
having to be a "domain admin".)

Keenan


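The traceability both posters rely on (sudo logging every delegated command, and the log being the thing a dishonest administrator would want to remove) is easiest to see on real log lines. The following is an added example, not code from either message or from the sudo project: it parses the lines sudo writes to syslog and audits them against a delegation policy. The log lines are constructed for the example and the POLICY table is a hypothetical stand-in for what a sudoers Cmnd_Alias would grant each user.

```python
import re

# Constructed sample lines in the format sudo writes to syslog: a successful
# delegated command, a command sudoers refused, a failed authentication, and
# a root command aimed at the audit log itself.
SAMPLE_LOG = """\
May 11 13:39:37 fileserver sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd bob
May 11 13:40:02 fileserver sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/passwd bob
May 11 13:41:15 fileserver sudo:    alice : command not allowed ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
May 11 13:45:51 fileserver sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
May 11 13:50:09 fileserver sudo:    carol : TTY=pts/2 ; PWD=/var/log ; USER=root ; COMMAND=/bin/rm /var/log/auth.log
"""

# Successful lines go straight from "user :" to "TTY=";  refusals and failed
# authentications carry a reason first.  The optional group captures it.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?:(?P<reason>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Hypothetical delegation policy (assumed for the example): the binaries each
# user may run as root, i.e. what a sudoers Cmnd_Alias would have granted.
POLICY = {
    "alice": {"/usr/sbin/useradd", "/usr/bin/passwd"},  # account management only
    "bob": set(),                                         # no delegated rights
    "carol": {"/usr/bin/systemctl"},
}

# Paths a delegated command should never be pointed at: the audit trail.
LOG_PATHS = ("/var/log/",)


def parse_sudo_log(text):
    """Parse sudo syslog lines into dicts; lines that do not match are skipped.

    'reason' is 'ok' for a command sudo actually ran, otherwise sudo's own
    explanation (e.g. 'command not allowed')."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["reason"] = ev["reason"] or "ok"
        ev["cmd_path"] = ev["cmd"].split()[0]
        events.append(ev)
    return events


def audit(events, policy):
    """Return (kind, user, command, detail) findings a reviewer would act on:
    refused or unauthenticated attempts, commands that ran as root but are not
    in the user's delegated set, and root commands that touch the log files."""
    findings = []
    for ev in events:
        if ev["reason"] != "ok":
            findings.append(("denied", ev["user"], ev["cmd"], ev["reason"]))
            continue
        allowed = policy.get(ev["user"], set())
        if ev["cmd_path"] not in allowed:
            findings.append(("outside-policy", ev["user"], ev["cmd"],
                             "not in delegated set"))
        if any(arg.startswith(LOG_PATHS) for arg in ev["cmd"].split()[1:]):
            findings.append(("log-tamper", ev["user"], ev["cmd"],
                             "command touches the audit log"))
    return findings


if __name__ == "__main__":
    for kind, user, cmd, detail in audit(parse_sudo_log(SAMPLE_LOG), POLICY):
        print(f"{kind:15} {user:8} {cmd}  ({detail})")
```

The "log-tamper" check is there for the reason Anthony gives: once a command runs as root, nothing on the local machine prevents it from deleting the record of itself, so this kind of review only means something when it runs over a copy of the log that was shipped to another host before the command completed. The "outside-policy" finding catches the other failure mode, a sudoers grant that has drifted wider than the documented delegation.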