Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Restrict the Domain Admin

from [Depp, Dennis M.] Network Security [Permanent Link]
Subject: RE: Restrict the Domain Admin
Date: Thu, 22 Sep 2005 11:41:05 -0400 
Hey Craig, 

Aren't these proceedural controls and not technical?  Were you able to
use Domain admin privs without these controls, or did this process
somehow grant you domain admin access.  I suspect it is the former and
not the latter.  Somebody has to be the holder of the keys, i.e. the
Domain Admin password.  If that is not you, then someone else must have
had this password and given it to you when you needed it.  If you
already had the rights, then you could have used these privs with out
signing the proper paperwork.  True you can have auditing turned on to
determine when someone uses their domain credentials, but this would
only identify the credentials were used and not stop them from using
them.

Dennis 

-----Original Message-----
From: Craig Wright [mailto:cwright@bdosyd.com.au] 
Sent: Tuesday, September 20, 2005 5:47 PM
To: cc; security-basics@securityfocus.com
Subject: RE: Restrict the Domain Admin

Have we heard of segregation of duties?

I am sorry but I have NEVER seen a site with more than 1 IT person where
domain admins are needed for all tasks. It is not about whether you
trust the person - minimise the exposure. The trust argument is just a
waste of time.

Even when I was an admin - I always made sure that I did not have
complete control without going through a change process where everything
is logged and checked - just to cover my own ass if something happened

Craig

PS
Lets hope that you never have me doing a SOX, SAS70 or other audit of
your site

-----Original Message-----
From: cc [mailto:cc@belfordhk.com] 
Sent: 20 September 2005 4:56
To: security-basics@securityfocus.com
Subject: Re: Restrict the Domain Admin

sf_mail_sbm@yahoo.com sighed and wrote::


Hi List,
Is there a way to restrict access of a Domain Admin?


Here's my $0.02.

By restricting the access of a domain admin, you've already defeated the
purpose of a domain admin.  The main point of the matter is that in
order for one person to be a domain admin, you must have extraordinary
(or maybe just special) trust in both the person's ability and their
standards of
operating procedures.   By restricting access to the domain
admin, you are in essence saying, "Here's the domain access, but we
don't trust you enough to give you the full 9 yards so we're restricting
your access to these privileges."

If you don't have 100% confidence in either the person's ability or
their ethics, you really shouldn't be giving the person that much access
to begin with.

As some other poster (Mr. Armfield) mentioned here, eventually you'll
need a person who has access to the whole nine yards.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Checkpoint Fw1 syslog logging. Any solution ?, contrera
Next by Date:  RE: Online quiz for CISSP (new material), Scott Schappert
Previous by Thread:  RE: Restrict the Domain Admin, Brian Loe
Next by Thread:  RE: Restrict the Domain Admin, Craig Wright
Indexes:  [Date] [Thread] [Top] [All Lists]