Security Basics mailing list archives
Re: 'Read only' Admin privileges for Active Directory environment?
From: "Saqib Ali" <docbook.xml () gmail com>
Date: Tue, 27 Jun 2006 15:00:36 -0700
I don't see why your InfoSec team require Domain Admin rights to perform an Audit. Something is fishy. Usually large enterprises install auditing products like NetIQ, Quest, Enterprise Security Manager etc, and the reports from these tools are handed over to the InfoSec dept. On 6/27/06, Michael Gressick <mgressick () gmail com> wrote:
Hello, Our InfoSec team has requested Domain Admin (or equivalent) privileges on the corporate Active Directory to audit the environment's security. The IT team in charge of this environment doesn't want to grant that level of privilege. InfoSec then requested a 'read-only' equivalent to everything in the Active Directory. The IT team hasn't been able to provide this. So my questions... 1) Is there an easy mechanism to grant a security group 'domain admin read only'? This would need to cover all aspects of the Active Directory, including all services, servers, any type of access Domain/Enterprise Admins would have, just not change anything. (Exchange, SQL, File servers, the works) I was told a product named Active Roles might solve this, but it seems quite expensive and way beyond the scope of what we need. Is there anything besides creating a new group and manually applying permissions for this group everywhere in the environment? 2) How does your company (assuming you have a seperate security team) provide access to the InfoSec team to audit/secure AD? Do you give full admin rights, or what have you guys come up with? Thanks Mike --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
-- Saqib Ali, CISSP, ISSAP Support http://www.capital-punishment.net ----------- "I fear, if I rebel against my Lord, the retribution of an Awful Day (The Day of Resurrection)" Al-Quran 6:15 ----------- --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINEThe NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- 'Read only' Admin privileges for Active Directory environment? Michael Gressick (Jun 27)
- RE: 'Read only' Admin privileges for Active Directory environment? Roger A. Grimes (Jun 28)
- Re: 'Read only' Admin privileges for Active Directory environment? Saqib Ali (Jun 28)
- Re: 'Read only' Admin privileges for Active Directory environment? Michael Gressick (Jun 28)
- <Possible follow-ups>
- RE: 'Read only' Admin privileges for Active Directory environment? Eric Pinkerton (Jun 28)
- Re: 'Read only' Admin privileges for Active Directory environment? Saqib Ali (Jun 29)
- Re: 'Read only' Admin privileges for Active Directory environment? Saqib Ali (Jun 29)
- Re: 'Read only' Admin privileges for Active Directory environment? Ansgar -59cobalt- Wiechers (Jun 30)
- Re: 'Read only' Admin privileges for Active Directory environment? Saqib Ali (Jun 29)