Full Disclosure mailing list archives

Re: need help in managing administrators


From: Valdis.Kletnieks () vt edu
Date: Sun, 02 Dec 2007 14:22:54 -0500

On Sun, 02 Dec 2007 09:42:26 GMT, happy nino said:
> Hi All, I've a problem in my organization that we have several domain admins,
> we are in the process of removing most of them but I need to have a person
> only authorized to install new software to users' computers but without having
> access to other parts of the users' machines, is this possible?

What exactly are you trying to accomplish, given that if they are allowed to
install software, they are allowed to install software that will then at a
later point in time give them access to other parts of the machine?  There's no
"don't allow the installation of trojaned software" flag.  Also, if you're
backing up the machines (you *do* back them up, right?), your admin can
probably just restore the files from backup into some other directory...

Have you looked at using something like EFS or BitLocker *and turning off key
escrow* so the admin's keys don't work?  Of course, this makes backups
"interesting", and if you have an Internal Audit group, they may have a cow
about non-escrowed keys if they have a clue.

It would probably be easier to answer this one if you were able to say
specifically what "other parts" you didn't want the admins to be getting at,
and why you can't just use "if you abuse your privs, you're fired and we're
calling the local DA" to keep them in line (this works for most places,
if you pay your admins a fair wage, but of course some particularly high-value
targets invite high-risk attacks).


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
