Security Basics mailing list archives
RE: 'Read only' Admin privileges for Active Directory environment?
From: "Eric Pinkerton" <EPinkerton () soulaustralia com au>
Date: Wed, 28 Jun 2006 13:52:29 +1000
If they grant read access to the AD, then it would likely be a matter of seconds rather than minutes until the Infosec team came up with a password for an account with full access, hence their efforts would be in vain. They should be applauded for their hesitance, but encouraged to think about the problem they are trying to solve.

-----Original Message-----
From: Michael Gressick [mailto:mgressick () gmail com]
Sent: Wednesday, 28 June 2006 5:52 AM
To: security-basics () securityfocus com
Subject: 'Read only' Admin privileges for Active Directory environment?

Hello,

Our InfoSec team has requested Domain Admin (or equivalent) privileges on the corporate Active Directory to audit the environment's security. The IT team in charge of this environment doesn't want to grant that level of privilege. InfoSec then requested a 'read-only' equivalent to everything in the Active Directory. The IT team hasn't been able to provide this.

So my questions...

1) Is there an easy mechanism to grant a security group 'domain admin read only'? This would need to cover all aspects of the Active Directory, including all services, servers, any type of access Domain/Enterprise Admins would have, just not change anything. (Exchange, SQL, File servers, the works) I was told a product named Active Roles might solve this, but it seems quite expensive and way beyond the scope of what we need. Is there anything besides creating a new group and manually applying permissions for this group everywhere in the environment?

2) How does your company (assuming you have a separate security team) provide access to the InfoSec team to audit/secure AD? Do you give full admin rights, or what have you guys come up with?

Thanks
Mike

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security.
Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------