Security Basics mailing list archives
Re: 'Read only' Admin privileges for Active Directory environment?
From: Raoul Armfield <armfield () amnh org>
Date: Mon, 03 Jul 2006 15:00:42 -0400
Michael Gressick wrote:
This is a smaller company and a lot of the audits would be more manual. The problem specifically isn't that InfoSec can't be trusted, but more that the IT team can't be trusted. They have been caught in the past using service accounts (Blackberry acct for example) to perform day-to-day tasks. Their everyday accounts are in the Domain Admins group. We have found highly confidential file shares open to the entire company. All of this with normal domain admin rights. I worry what might be set up poorly/insecurely somewhere we can't see.
I must say, though, if you cannot trust your Admins you have some issues that need to be dealt with before anything else. I believe that if you cannot trust your admins, even if you have a security team in place, you need to replace the admins with trustworthy people. If the admin is any good he can hide his tracks so that unless you are actively looking for wrongdoing you will not be able to notice anything is wrong. Or he can even lead you down a wrong path.
Raoul
--
Raoul Armfield
rarmfield at amnh dot org