RE: Restrict the Domain Admin

["Brian Loe" <knobdy () stjoelive com>]

I think the point is that there has to be at least ONE domain admin, you
can't avoid it. You have to have root, and you have to have domain admins.
What they log in as, under what IDs and with what privileges, is besides the
point.

Besides the simple fact that Microsoft doesn't, as far as I know, give you
the option of applying every right to any user you choose. 

> -----Original Message-----
> From: Craig Wright [mailto:cwright () bdosyd com au] 
> Sent: Tuesday, September 20, 2005 4:47 PM
> To: cc; security-basics () securityfocus com
> Subject: RE: Restrict the Domain Admin
>
> Have we heard of segregation of duties?
>
> I am sorry but I have NEVER seen a site with more than 1 IT 
> person where domain admins are needed for all tasks. It is 
> not about whether you trust the person - minimise the 
> exposure. The trust argument is just a waste of time.
>
> Even when I was an admin - I always made sure that I did not 
> have complete control without going through a change process 
> where everything is logged and checked - just to cover my own 
> ass if something happened
>
> Craig