Security Basics mailing list archives
Re: 'Read only' Admin privileges for Active Directory environment?
From: "Saqib Ali" <docbook.xml () gmail com>
Date: Wed, 28 Jun 2006 21:31:36 -0700
> So you don't trust your own InfoSec team. They should have more rights than anyone generally.

Where is < Principle of Least Privilege & Separation of Duty > in this scheme?

> I need those rights to access the logs and other items to investigate the IT staff, its actions, unauthorized changes to AD, run various tools that require domain admin to extract data (I don't like generic accounts with domain admin because now I have no idea who ran it),
I think this is a bad practice. InfoSec should not have administration rights on a regular basis. They should only have access to the automated audit log generated. However, for investigation purposes they may be given admin access on a "replica" of the system, and not the real production system.

--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day (The Day of Resurrection)" Al-Quran 6:15
-----------
Current thread:
- 'Read only' Admin privileges for Active Directory environment? Michael Gressick (Jun 27)
- RE: 'Read only' Admin privileges for Active Directory environment? Roger A. Grimes (Jun 28)
- Re: 'Read only' Admin privileges for Active Directory environment? Saqib Ali (Jun 28)
- Re: 'Read only' Admin privileges for Active Directory environment? Michael Gressick (Jun 28)
- <Possible follow-ups>
- RE: 'Read only' Admin privileges for Active Directory environment? Eric Pinkerton (Jun 28)
- Re: 'Read only' Admin privileges for Active Directory environment? Saqib Ali (Jun 29)
- Re: 'Read only' Admin privileges for Active Directory environment? Saqib Ali (Jun 29)
- Re: 'Read only' Admin privileges for Active Directory environment? Ansgar -59cobalt- Wiechers (Jun 30)
- Re: 'Read only' Admin privileges for Active Directory environment? Saqib Ali (Jun 29)