|
But joe – My point is simply: If you can’t trust them to be DA’s
but you can’t get rid of them, delegate them permissions to do just what
they need to do for their true function in the company. As I said –
I believe strongly that most DA’s and practically all EA’s are
over-permissioned. They don’t need that much
power. Only rarely, so why give them that much? If you can’t
take control of objects, you can’t grant yourself permissions. Role-based security through delegated
groups is the paradigm. How to get there – that’s the hard
part. -rtk From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Hey Rick, I didn't say how it should be
done below, specifically I didn't say fire anyone. I just indicated he couldn't
do what he wanted to do and other things that he has to avoid if he wants to
avoid that same issue. Actually I agree with what you recommended in your
previous post about spinning up role specific groups and delegated
permissions. The answer is really simple in all worlds,
mine, the perfect one, and the real one. Either you don't give people those
rights or if you can't go that route, you MUST realize and understand you
can't lock it down. No amount of doing anything will ever get you to the point
where you can block a determined and knowledgeable admin or someone who is in a
position to grant that to themselves. Period. One of the biggest security issues I see
anywhere is the assumption that things are safe due to people not understanding
the basic mechanics of Windows security. Because one person doesn't know how to
compromise a system or do something doesn't mean someone else doesn't,
that goes for you, me, Dean, or even your best MS Internal Security experts.
You can never prove a system safe, only unsafe. The straight up answer to any question of
how do I block a DA from doing x in the directory is always, YOU CAN'T. At that
point you make the decision of not granting the rights, granting the rights and
putting a bunch of procedures in place that make you think (or maybe you don't
but the infosec people do) it is safe to assuage yourself or a
clueless information security group[1], grant the rights and putting a
bunch of auditing around it, granting the rights and forcing yourself to trust
the person who you have given a gun. Once you understand you can't block DA's
from doing anything they want, EVER, you have to start to understand who can
get DA. The easiest is obviously anyone with admin rights on a DC. But anyone
who can manipulate services, drivers (even print drivers if the server executes
them) or any other system files, schedule AT jobs, can get local interactive
logon (this will depend on what vulns are currently available and not patched
on the DC or what files you can get placed where - lots of stupid admins you
can take advantage of), or anyone with physical access to the DC. The last thing we as a group should ever
say to anyone is that you can make an environment safe from Admins. We can't,
others can't. People need to understand that. Once people get over that
thought, then they are better prepared to come up with the solution that has
the consessions necessary to work. If a company doesn't have a very small
group of people that it can safely trust with its crown jewel of base security
(auth and authorization at least) then it has to concede that it has to give
permissions to people they can't trust and need the appropriate compensating
measures dependent on how much the company really cares whether or not the
person does something bad. joe [1] Being paranoid doesn't make you a good
security person, though it is a good start. Many security people I have met are
more paranoid than technical. Their technical knowledge is limited to
understanding how to use the the available security tools, not necessarily the
concepts and the guts behind them. From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan joe – Great answer in a perfect world.
Great answer in the joe-run world. I’d like to do the same, but
it’s kind of funny that the guys I can’t really trust, the company
still employs because I can’t get evidence that is going to get them
fired to the degree in which HR is not going to spend the next 30 years in a
court room over false termination. If Rick Neuheisal can get $4.7 Million
for being fired as a coach because he violated NCAA rules, I’m sure that
the morons that I have to employ can make our life tough by being stupid on our
network. I can’t move them off to other
functions. Why? If I can’t fire them, I can’t replace
them. Management (upper) is kind of funny that way in the world that I
live in. The best that I can hope to do is to remove rights to the point
that if they piss themselves, it’s just their own mess – no one
elses. I suspect Mr. Lunsford is much more like
me. He’s in an environment where he has to employ people that
aren’t as good as we’d like them to be. Or, maybe even as
trustworthy as we’d like. So, that means that we:
Usually, the advice that “You
can’t do that” isn’t realistic. -rtk From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe You can't. Period. Solution: Don't give these people who are
untrustworthy administrator or any native group access and don't let them log
on interactively to your DCs or allow them to modify the file systems nor
registry nor services. Summary: You can't. Period. joe From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
|
- RE: [ActiveDir] Problem: Limit Domain Admi... joe
- RE: [ActiveDir] Problem: Limit Domain... Rick Kingslan
- Re: [ActiveDir] Problem: Limit Domain... Jeremy Palenchar
- RE: [ActiveDir] Problem: Limit Domain... Thijssen, Andries \(Cognizant\)
