Security Basics mailing list archives

RE: software to control domain administrators


From: "Andrew Shore" <andrew.shore () holistecs com>
Date: Mon, 9 May 2005 14:39:07 +0100

Sorry, I didn't really explain my point too well.

Some of these tools allow you to give functionality to administrators
without giving them Domain Admins account privileges.

They also have tools for central log administration which will stop an
Admin clearing the logs to cover his/her tracks. But as you point out
these must be policed too.

Cloak is not one of the utilities I was referring to; cloak simply hides
shares from users if they have no right to access it.

I would like to echo your point about trusting admins, however, in a
10,000+ user network senior admins have to delegate responsibility to
others who may exceed their mandate.

Andy 


-----Original Message-----
From: LordInfidel [mailto:LordInfidel () directionweb com] 
Sent: 09 May 2005 14:27
To: Andrew Shore; Diego Teijeiro Ruiz; security-basics () securityfocus com
Subject: RE: software to control domain administrators

I have to disagree, after reading about their products, nowhere does it
state that it can lock out domain admins, at least nowhere that I read.
From what I read the bulk of their products are central mgmt tools
designed to manage regular users, not the all powerful domain
administrator.

According to an FAQ on their site (from their cloak product):

Q: Is the Administrator account ever restricted? 
A: No. Cloak will not filter the requests from any user that belongs to
the local Administrators group on the host server. The LocalSystem
account is also exempt. Cloak would not ever want to get in the way of
your nightly tape backup operations.

(Domain Admins are automatically placed in the local admin group of
every machine, both the desktop and server that is a member of that
domain.)

This is not to say it can't be done.  You can, via NTFS permissions,
remove the domain admin group from having full control thus removing
them from the permissions of those objects.  But nothing will stop them
from re-adding themselves back in via their inherited power of "Take
Ownership".  

This is where logging is very important and needs to be enabled, which I
strongly advocate and the scriptlogic tool "Enterprise Security
Reporter" does just that while reporting in a central location.  But
file permissions need to be audited on a regular basis and analyzed.

Just always keep in mind, nothing is stopping a domain admin from
resetting the password to an account that does have access and then
logging on as that user and accessing the data.  Or they can take a more
hostile approach, not resetting the password and grabbing the LM hashes
either off of the wire (LC4) or from the domain's SAM, then using
off-line techniques, crack passwords of accounts that do have access to
the files.

Again, if you can't trust the person who is supposed to be managing your
network, then they should not be put in that position.
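The regular file-permission audit LordInfidel calls for can be scripted. The PowerShell below is an added example, not code from the thread or from ScriptLogic: it snapshots the owner and the explicit (non-inherited) ACEs of every folder under a share, stores a baseline, and on later runs reports any folder whose owner or explicit entries changed, flagging entries that name Domain Admins. The `$Root` and `$BaselinePath` values are assumptions.

```powershell
# Added example: detect ACL drift (owner or explicit ACE changes) under a
# sensitive share. Paths below are assumed values for illustration.
param(
    [string]$Root         = 'D:\Finance',
    [string]$BaselinePath = 'C:\Audit\finance-acl-baseline.xml'
)

function Get-AclSnapshot {
    param([string]$Path)
    Get-ChildItem -Path $Path -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -Path $_.FullName
            # Only explicit ACEs: a "Take Ownership" followed by a permission
            # edit shows up here, while inherited entries stay as they were.
            $explicit = $acl.Access |
                Where-Object { -not $_.IsInherited } |
                ForEach-Object {
                    '{0}:{1}:{2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
                } |
                Sort-Object
            [pscustomobject]@{
                Path  = $_.FullName
                Owner = $acl.Owner
                Aces  = ($explicit -join ';')
            }
        }
}

$current = Get-AclSnapshot -Path $Root

# First run: record the approved state and stop.
if (-not (Test-Path $BaselinePath)) {
    $current | Export-Clixml -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
    return
}

$baseline = Import-Clixml -Path $BaselinePath
# Rows present only in $current ('=>') are folders whose owner or ACEs changed.
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
            -Property Path, Owner, Aces

foreach ($d in ($diff | Where-Object { $_.SideIndicator -eq '=>' })) {
    $flag = if ($d.Aces -match 'Domain Admins') { 'DOMAIN ADMINS ENTRY' } else { 'CHANGED' }
    Write-Warning ('{0}: {1} owner={2} aces={3}' -f $flag, $d.Path, $d.Owner, $d.Aces)
}
```

As the thread notes, a domain admin can also edit the baseline file and the script itself, so keep both, and the scheduled task that runs them, on a system outside their control and feed the warnings to the central log collector rather than only to the console.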

-----Original Message-----
From: Andrew Shore [mailto:andrew.shore () holistecs com] 
Sent: Monday, May 09, 2005 3:48 AM
To: LordInfidel; Diego Teijeiro Ruiz; security-basics () securityfocus com
Subject: RE: software to control domain administrators

Actually you can do it quite easily using some of the tools from script
logic.

www.scriptlogic.com

" Domain admins by the very nature of the account type, have complete
control over the domain, second to only enterprise admins.   Nothing you
install or do will prevent them from removing or modifying it.  Even
restricting them via NTFS permissions or GPOs does nothing since they
can just take ownership and modify the permissions."

ScriptLogic has a tool which allows you to give admins restricted
access to parts of the file system, which means they can assign users
permissions etc. but cannot access this data themselves.

HTH

Andy

-----Original Message-----
From: LordInfidel () directionweb com [mailto:LordInfidel () directionweb com]

Sent: 05 May 2005 23:02
To: Diego Teijeiro Ruiz; security-basics () securityfocus com
Subject: RE: software to control domain administrators

Probably a little late, been busy, but I did not see a response yet to
this.

(assuming we are talking about NT/AD Domain Admins)

Honestly, if you are looking for something to audit domain admins, then
you have bigger problems.

Domain admins by the very nature of the account type, have complete
control over the domain, second to only enterprise admins.   Nothing you
install or do will prevent them from removing or modifying it.  Even
restricting them via NTFS permissions or GPOs does nothing since they
can just take ownership and modify the permissions.

Keep in mind that spying on a domain admin can have catastrophic effects
if they feel threatened by it since they can easily mess up an entire
network.

Basically, if you cannot trust your domain admin(s), then they should
probably not be a domain admin and removed from that position of trust.

JMO

-----Original Message-----
From: Diego Teijeiro Ruiz [mailto:dteijeiro () azertia com] 
Sent: Thursday, April 28, 2005 5:51 AM
To: security-basics () securityfocus com
Subject: software to control domain administrators


Does anyone know any software to control, audit, or restrict access or
privileges of domain administrators?

thnx in advance


DTR



-----------------------------------------------------------------------
This email is confidential and intended solely for the use of the
individual to whom it is addressed. Any views or opinions presented are
solely those of the author and do not necessarily represent those of
AZERTIA. If you are not the intended recipient, be advised that you have
received this email in error and that any use, dissemination,
forwarding, printing, or copying of this email is strictly prohibited.
If you have received this email in error please notify it to AZERTIA by
telephone on number +34 93 207 55 11.
-----------------------------------------------------------------------
