Security Basics mailing list archives
RE: software to control domain administrators
From: "Andrew Shore" <andrew.shore () holistecs com>
Date: Mon, 9 May 2005 14:39:07 +0100
Sorry, I didn't really explain my point too well. Some of these tools allow you to give functionality to administrators without giving them Domain Admins account privileges. They also have tools for central log administration which will stop an Admin clearing the logs to cover his/her tracks. But as you point out these must be policed too.

Cloak is not one of the utilities I was referring to; Cloak simply hides shares from users if they have no right to access them.

I would like to echo your point about trusting admins; however, in a 10,000+ user network senior admins have to delegate responsibility to others who may exceed their mandate.

Andy

-----Original Message-----
From: LordInfidel [mailto:LordInfidel () directionweb com]
Sent: 09 May 2005 14:27
To: Andrew Shore; Diego Teijeiro Ruiz; security-basics () securityfocus com
Subject: RE: software to control domain administrators

I have to disagree. After reading about their products, nowhere does it state that it can lock out domain admins, at least nowhere that I read. From what I read the bulk of their products are central mgmt tools designed to manage regular users, not the all-powerful domain administrator.

According to an FAQ on their site (from their Cloak product):

Q: Is the Administrator account ever restricted?
A: No. Cloak will not filter the requests from any user that belongs to the local Administrators group on the host server. The LocalSystem account is also exempt. Cloak would not ever want to get in the way of your nightly tape backup operations.

(Domain Admins are automatically placed in the local admin group of every machine, both the desktop and server that is a member of that domain.)

This is not to say it can't be done. You can, via NTFS permissions, remove the domain admin group from having full control, thus removing them from the permissions of those objects. But nothing will stop them from re-adding themselves back in via their inherited power of "Take Ownership".

This is where logging is very important and needs to be enabled, which I strongly advocate, and the ScriptLogic tool "Enterprise Security Reporter" does just that while reporting in a central location. But file permissions need to be audited on a regular basis and analyzed.

Just always keep in mind, nothing is stopping a domain admin from resetting the password to an account that does have access and then logging on as that user and accessing the data. Or they can take a more hostile approach, not resetting the password and grabbing the LM hashes either off of the wire (LC4) or from the domain's SAM, then using off-line techniques, crack passwords of accounts that do have access to the files.

Again, if you can't trust the person who is supposed to be managing your network, then they should not be put in that position.
-----Original Message-----
From: Andrew Shore [mailto:andrew.shore () holistecs com]
Sent: Monday, May 09, 2005 3:48 AM
To: LordInfidel; Diego Teijeiro Ruiz; security-basics () securityfocus com
Subject: RE: software to control domain administrators

Actually you can do it quite easily using some of the tools from ScriptLogic. www.scriptlogic.com

"Domain admins by the very nature of the account type, have complete control over the domain, second to only enterprise admins. Nothing you install or do will prevent them from removing or modifying it. Even restricting them via NTFS permissions or GPO's does nothing since they can just take ownership and modify the permissions."

ScriptLogic has a tool which allows you to give admins restricted access to parts of the file system, which means they can assign users permissions etc. but cannot access this data themselves.

HTH
Andy

-----Original Message-----
From: LordInfidel () directionweb com [mailto:LordInfidel () directionweb com]
Sent: 05 May 2005 23:02
To: Diego Teijeiro Ruiz; security-basics () securityfocus com
Subject: RE: software to control domain administrators

Probably a little late, been busy, but I did not see a response yet to this. (Assuming we are talking about NT/AD Domain Admins.)

Honestly, if you are looking for something to audit domain admins, then you have bigger problems. Domain admins, by the very nature of the account type, have complete control over the domain, second only to enterprise admins. Nothing you install or do will prevent them from removing or modifying it. Even restricting them via NTFS permissions or GPO's does nothing since they can just take ownership and modify the permissions.

Keep in mind that spying on a domain admin can have catastrophic effects if they feel threatened by it, since they can easily mess up an entire network.

Basically, if you cannot trust your domain admin(s), then they should probably not be a domain admin and should be removed from that position of trust.
JMO

-----Original Message-----
From: Diego Teijeiro Ruiz [mailto:dteijeiro () azertia com]
Sent: Thursday, April 28, 2005 5:51 AM
To: security-basics () securityfocus com
Subject: software to control domain administrators

Does anyone know any software to control, audit, or restrict access or privileges to domain administrators?

thnx in advance
DTR

-----------------------------------------------------------------------
This message and any documents attached to it may contain confidential information and are intended exclusively for the persons to whom they are addressed. Any opinion contained in it is solely that of its author and does not necessarily represent the opinion of AZERTIA. If you are not the addressee of this message, be advised that you have received it in error and that any use, dissemination or copying is legally prohibited. If you have received this message in error, please notify us by the same means or by telephone on 93 207 55 11 and destroy it immediately.

This email is confidential and intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not necessarily represent those of AZERTIA. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited. If you have received this email in error please notify AZERTIA by telephone on number +34 93 207 55 11.
-----------------------------------------------------------------------
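The thread's practical conclusion is that NTFS permissions alone do not hold against a Domain Admin (Take Ownership restores access), so the defence is regular auditing of permissions, owners and local group membership, plus logging that is enabled and forwarded off-host. The following PowerShell script is an added example written for this page; it is not from the thread, from ScriptLogic, or from any other vendor tool. It records exactly those conditions for one sensitive folder so that successive runs can be compared. The folder path and the domain name are assumptions; the script must run elevated, because reading a SACL with Get-Acl -Audit requires the "Manage auditing and security log" right, and Get-LocalGroupMember needs Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the thread or any vendor tool). Audits one
# sensitive folder for the conditions the thread discusses. $Path and
# $DomainAdmins are assumptions; run from an elevated prompt.
param(
    [string]$Path         = 'D:\Finance',             # assumed folder
    [string]$DomainAdmins = 'CONTOSO\Domain Admins'   # assumed domain
)

$acl    = Get-Acl -Path $Path -Audit
$report = [ordered]@{ Path = $Path }

# 1. Owner. "Take Ownership" is how an excluded admin gets back in, so an
#    owner that has changed to an admin account or BUILTIN\Administrators
#    since the last run is the first thing to look for.
$report.Owner = $acl.Owner

# 2. DACL entries granting the admin groups any access. Present now but
#    absent in the previous run is the "re-added themselves" case.
$report.PrivilegedAces = @(
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -in @($DomainAdmins, 'BUILTIN\Administrators') } |
        ForEach-Object { '{0}: {1} ({2})' -f $_.IdentityReference, $_.FileSystemRights, $_.AccessControlType }
)

# 3. SACL entries and the object-access audit policy. Without both, no
#    access or permission change on this folder is ever written to the
#    Security log, however much "logging" is nominally enabled.
$report.AuditEntries = @(
    $acl.Audit |
        ForEach-Object { '{0}: {1} ({2})' -f $_.IdentityReference, $_.FileSystemRights, $_.AuditFlags }
)
$report.FileSystemAuditPolicy = (auditpol /get /subcategory:'File System' /r |
    ConvertFrom-Csv).'Inclusion Setting'

# 4. Is Domain Admins in the local Administrators group on this host?
#    Expected to be true by default (the thread explains why); recording
#    it makes a deliberate removal, or a later re-addition, visible.
$report.DomainAdminsIsLocalAdmin = [bool](
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.Name -eq $DomainAdmins }
)

# 5. Has the Security log been cleared? Event ID 1102 is written as the
#    first entry after a clear, so it survives the clear itself; forwarding
#    the Security log to a central collector is what keeps it out of reach.
$report.SecurityLogClearedAt = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 5 -ErrorAction SilentlyContinue |
        ForEach-Object { $_.TimeCreated.ToString('u') }
)

# Emit the snapshot; save it (e.g. ConvertTo-Json) and diff against the
# previous run rather than reading it once and forgetting it.
[pscustomobject]$report | Format-List
```

The script reports rather than remediates on purpose: the thread's point is that a Domain Admin can undo any permission change, so the durable control is a record that the change happened, kept somewhere the admin cannot edit. Pipe the object to ConvertTo-Json, write it to a share the local admins cannot modify, and compare runs; a changed owner, a new privileged ACE, an emptied SACL, or a fresh 1102 event is the signal to investigate.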