Security Basics mailing list archives

RE: Restrict the Domain Admin


From: "Craig Wright" <cwright () bdosyd com au>
Date: Fri, 23 Sep 2005 05:26:18 +1000

Yes, it sounds that way in theory, but you can split the authentication between several people (have them each type a char and put their section in a safe).

Have a smart card token or other means for that 1 account and lock this away.

Stop access to root on Unix/Linux and have su-do (or similar) set up.

Any right can be assigned under Microsoft.
 
Craig

        -----Original Message----- 
        From: Brian Loe [mailto:knobdy () stjoelive com] 
        Sent: Fri 23/09/2005 5:17 AM 
        To: Craig Wright; 'cc'; security-basics () securityfocus com 
        Cc: 
        Subject: RE: Restrict the Domain Admin
        
        
        I think the point is that there has to be at least ONE domain admin, you
        can't avoid it. You have to have root, and you have to have domain admins.
        What they log in as, under what IDs and with what privileges, is beside the
        point.
        
        Besides the simple fact that Microsoft doesn't, as far as I know, give you
        the option of applying every right to any user you choose.
        

