Security Basics mailing list archives
RE: Restrict the Domain Admin
From: "Brian Loe" <knobdy () stjoelive com>
Date: Thu, 22 Sep 2005 14:17:13 -0500
I think the point is that there has to be at least ONE domain admin, you can't avoid it. You have to have root, and you have to have domain admins. What they log in as, under what IDs and with what privileges, is beside the point. Besides the simple fact that Microsoft doesn't, as far as I know, give you the option of applying every right to any user you choose.
-----Original Message-----
From: Craig Wright [mailto:cwright () bdosyd com au]
Sent: Tuesday, September 20, 2005 4:47 PM
To: cc; security-basics () securityfocus com
Subject: RE: Restrict the Domain Admin

Have we heard of segregation of duties? I am sorry but I have NEVER seen a site with more than 1 IT person where domain admins are needed for all tasks. It is not about whether you trust the person - minimise the exposure. The trust argument is just a waste of time. Even when I was an admin - I always made sure that I did not have complete control without going through a change process where everything is logged and checked - just to cover my own ass if something happened.

Craig