|
A
place I used to work only the CFO had the domain password for the
finance domain, but they still had the junior admin changing the backup tapes.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: 10 March 2005 18:11 To: [email protected] Subject: RE: [ActiveDir] Problem: Limit Domain Admins and Administrators I understand. That works great for the directory itself -
most of the time, things around GPOs could still bite you I expect even things
around SPNs could possibly bite you.
When it comes to the domain controllers, just about
anything you try to do to cover for not wanting to give DA will be implemented
in a way that allows an informed person to take DA anyway. The moment you give
someone the rights to install software or modify services or modify the file
system or even log on locally on a Domain Controller you better be at the point
of trusting them to be a DA at least.
joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Wednesday, March 09, 2005 9:06 PM To: [email protected] Subject: RE: [ActiveDir] Problem: Limit Domain Admins and Administrators But joe – My point is
simply: If you can’t trust them
to be DA’s but you can’t get rid of them, delegate them permissions to do just
what they need to do for their true function in the company. As I said – I
believe strongly that most DA’s and practically all EA’s are
over-permissioned. They don’t need that
much power. Only rarely, so why give them that much? If you can’t
take control of objects, you can’t grant yourself
permissions. Role-based security
through delegated groups is the paradigm. How to get there – that’s the
hard part. -rtk From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of joe Hey Rick, I didn't say
how it should be done below, specifically I didn't say fire anyone. I just
indicated he couldn't do what he wanted to do and other things that he has to
avoid if he wants to avoid that same issue. Actually I agree with what you
recommended in your previous post about spinning up role specific groups
and delegated permissions. The answer is really
simple in all worlds, mine, the perfect one, and the real one. Either you don't
give people those rights or if you can't go that route, you MUST realize
and understand you can't lock it down. No amount of doing anything will ever get
you to the point where you can block a determined and knowledgeable admin or
someone who is in a position to grant that to themselves. Period.
One of the biggest
security issues I see anywhere is the assumption that things are safe due to
people not understanding the basic mechanics of Windows security. Because one
person doesn't know how to compromise a system or do something doesn't mean
someone else doesn't, that goes for you, me, Dean, or even your best MS Internal
Security experts. You can never prove a system safe, only
unsafe. The straight up answer
to any question of how do I block a DA from doing x in the directory is always,
YOU CAN'T. At that point you make the decision of not granting the rights,
granting the rights and putting a bunch of procedures in place that make you
think (or maybe you don't but the infosec people do) it is safe to assuage
yourself or a clueless information security group[1], grant the
rights and putting a bunch of auditing around it, granting the rights and
forcing yourself to trust the person who you have given a
gun. Once you understand you
can't block DA's from doing anything they want, EVER, you have to start to
understand who can get DA. The easiest is obviously anyone with admin rights on
a DC. But anyone who can manipulate services, drivers (even print drivers if the
server executes them) or any other system files, schedule AT jobs, can get local
interactive logon (this will depend on what vulns are currently available and
not patched on the DC or what files you can get placed where - lots of stupid
admins you can take advantage of), or anyone with physical access to the
DC. The last thing we as a
group should ever say to anyone is that you can make an environment safe from
Admins. We can't, others can't. People need to understand that. Once people get
over that thought, then they are better prepared to come up with the solution
that has the consessions necessary to work. If a company doesn't have a
very small group of people that it can safely trust with its crown jewel of base
security (auth and authorization at least) then it has to concede that it has to
give permissions to people they can't trust and need the appropriate
compensating measures dependent on how much the company really cares whether or
not the person does something bad.
joe [1] Being paranoid
doesn't make you a good security person, though it is a good start. Many
security people I have met are more paranoid than technical. Their technical
knowledge is limited to understanding how to use the the available security
tools, not necessarily the concepts and the guts behind them.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Rick
Kingslan joe
– Great answer in a
perfect world. Great answer in the joe-run world. I’d like to do the
same, but it’s kind of funny that the guys I can’t really trust, the company
still employs because I can’t get evidence that is going to get them fired to
the degree in which HR is not going to spend the next 30 years in a court room
over false termination. If Rick Neuheisal can get $4.7 Million for being
fired as a coach because he violated NCAA rules, I’m sure that the morons that I
have to employ can make our life tough by being stupid on our
network. I can’t move them off
to other functions. Why? If I can’t fire them, I can’t replace
them. Management (upper) is kind of funny that way in the world that I
live in. The best that I can hope to do is to remove rights to the point
that if they piss themselves, it’s just their own mess – no one
elses. I suspect Mr. Lunsford
is much more like me. He’s in an environment where he has to employ people
that aren’t as good as we’d like them to be. Or, maybe even as trustworthy
as we’d like. So, that means that we:
Usually, the advice
that “You can’t do that” isn’t realistic. -rtk From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of joe You can't.
Period. Solution: Don't give
these people who are untrustworthy administrator or any native group access and
don't let them log on interactively to your DCs or allow them to modify the file
systems nor registry nor services. Summary: You can't.
Period.
joe From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of
[EMAIL PROTECTED]
|
RE: [ActiveDir] Problem: Limit Domain Admins and Administrators
Thijssen, Andries \(Cognizant\) Fri, 11 Mar 2005 06:38:56 -0800
Title: Message
