Re: Windows Domain Controllers: Risks involved

["Miller, Don C." <donm () UIDAHO EDU>]

To comment on my own comment...but this does not prevent them from reassigning the permissions but would make it so 
default rights do not allow them unsuspected access to the system.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Miller, 
Don C.
Sent: Friday, March 13, 2009 11:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Windows Domain Controllers: Risks involved

A quick comment.  Domain Admins do not *necessarily* have access to all computers joined to the domain, this is just a 
default.  It is possible either per machine, or via group policy, to remove domain admins from the local computer 
administrators group.

Don

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of F.M. 
Taylor
Sent: Friday, March 13, 2009 5:41 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Windows Domain Controllers: Risks involved

On Friday 13 March 2009, Marmina Abdel Malek formed electrons in this pattern:
> Dear All,        I'm assessing the idea of implementing a campus wide
> domain controller to include faculty and staff computers, as well as
> student labs computers.
>
> I understand all the advantages of centralized management of all the campus
> computers, but I have some concerns that I would like to know how did you
> react to them:
>
> - Domain admins can access the files of any computer in the domain. How do
> you ensure the confidentiality and privacy of users and data?

Most Admins don't have the time or inclination to to go through the users 
files, as when they first discovered they could do this they also discovered 
that the users are boring.  Also there are ethical (and in some cases legal) 
standards that any admin worth getting paid should uphold.  
On the other hand the users should be made aware that all of the computers are 
in fact the property of the university and that they have no expectation of 
privacy.  Truly sensitive data should be encrypted.

> - In you implementations, do you include the computers of the top
> management?

Yes, but it is optional.  Their original machines are supplied that way, and 
most of them leave them in that configuration.  They have neither the time or 
inclination (or technical acumen) to admin their own workstations.

> - Do you give faculty and staff, high level access to install applications,
> or installation requests have be channeled to the domain admins?

No, requests for new applications are submitted to the domain admins.

> - Is there any tips, recommendations, or lessons learned on implementing a
> campus wide domain controller?

Our Unix administrators take the machines and immediately wipe them and 
install a Unix desktop.  They are the only group allowed to do this.  
Attempting to get a Unix admin to use a domain controlled windows workstation 
is like teaching a pig to dance, its a waste of your time and annoys the pig.

> Best Regards,
> Marmina Abdel-Malek
> IT Security Officer
> The American University in Cairo
> Tel : +202-2615-3561
> Fax: +202-2795-6746
> Email: marmina () aucegypt edu
> web: www.aucegypt.edu

Hope that helps.

-- 
......\\|//........^^^^^........)))((........%%%%%........,,,,,......
......(- -)........(o o)........(- o)........(0-0)........(* *)......     
+--ooO-(_)-Ooo--oo0-(_)-0oo--ooO-(_)-Ooo--oo0-(_)-0oo--ooO-(_)-Ooo--+
| F.M. (Mike) Taylor........'Recedite, plebes! Gero rem imperialem!'|
| 'Ecce potestas casei'..............GIAC GSEC & GCFW Certified.....|
| Desk: 765-494-1872.....................C: 765-409-8140............|
+-------------------------------------------------------------------+