Security Basics mailing list archives
RE: Restrict the Domain Admin
From: "Craig Wright" <cwright () bdosyd com au>
Date: Fri, 23 Sep 2005 05:26:18 +1000
Yes it sounds that way in theory, but you can split the authentication between several people (have them each type a char and put their section in a safe) Have a smart card token or other means for that 1 account and lock this away stop access to root on unix linux and have su-do (or similar) setup Any right can be assigned under Microsoft. Craig -----Original Message----- From: Brian Loe [mailto:knobdy () stjoelive com] Sent: Fri 23/09/2005 5:17 AM To: Craig Wright; 'cc'; security-basics () securityfocus com Cc: Subject: RE: Restrict the Domain Admin I think the point is that there has to be at least ONE domain admin, you can't avoid it. You have to have root, and you have to have domain admins. What they log in as, under what IDs and with what privileges, is besides the point. Besides the simple fact that Microsoft doesn't, as far as I know, give you the option of applying every right to any user you choose.
Current thread:
- Re: Restrict the Domain Admin, (continued)
- Re: Restrict the Domain Admin cc (Sep 20)
- Re: Restrict the Domain Admin Cam Fischer (Sep 22)
- Re: Restrict the Domain Admin Glenn English (Sep 26)
- RE: Restrict the Domain Admin Brunner, Mark (Sep 19)
- RE: Restrict the Domain Admin Robert McIntyre (Sep 20)
- RE: Restrict the Domain Admin Craig Wright (Sep 22)
- RE: Restrict the Domain Admin Charles Otstot (Sep 26)
- RE: Restrict the Domain Admin Brian Loe (Sep 26)
- RE: Restrict the Domain Admin Depp, Dennis M. (Sep 22)
- RE: Restrict the Domain Admin Craig Wright (Sep 26)
- RE: Restrict the Domain Admin Craig Wright (Sep 26)
- Re: RE: Restrict the Domain Admin sf_mail_sbm (Sep 30)