> There is an inverse relationship between the number of admins and > the security of your network - the higher the number of admins, the > lower the security.
How long have I been saying this? At least as long as you have known me!!! Is it that you didn't listen because I never said inverse? My simple mechanism of saying this applies to everything with systems, just not security - the fewer the admins the better, if you exceed 3 you are asking for issues... For security it is probably more of an inverse square law function than just inversely proportional with number of admins being r and security being stretched and diluted across the surface area (A) growing by the square rule. Say your security constant for a given system at a given point in time is S and your true security is I then you are looking at an equation of something like I=9S/(r^2) (that is normalized to where any system with 3 admins is at its constant security level S which actually may be a little high, maybe it should be 4 instead of 9). You can add another piece to that equation if the admins don't all report to the same direct supervisor/manager or whatever other title you give to the direct person your analysts report to. That number of managers is M and the overall chains of command is c so you get I=9S/((M^c)*(r^2)). As an example of the last, say you have a system that has admins from the US and admins from Europe. At the very least, it is unlikely they will both report to the same direct manager. It is most likely from what I have seen, they will report to 2 managers in a different chains of command that eventually tie back together, but up several management levels. Those multiple managers and multiple chains of command without regard to the sheer number of admins makes your overall situation 1/4 as secure due to disagreements and infighting and different goals of different managers and management chains. Now add in some software that installs a service that runs as local system (i.e. more power than an admin account) and is managed by someone other than the "normal" admins and your M and c have increased again, this is especially evident with things like MOM or Tivoli or OVVM or anything else that monitors and has the ability to arbitrarily run code (scripts, etc) on a given machine. Assuming a realistically secure value of S, you would start with one admin and an I of 9S. Add 2 more on the same team and you are down to S. Add 6 more on the same team and you are down to S/9. Add a team of 5 more who manage monitoring agents running as localsystem who report through a different chain of command and you are now at S/((14^2)*(2^2)) or S/784. The thing is that management group, even without admin rights directly, who manages localsystem agent monitoring across all of the enterprise and all systems reduces overall security by at least (5^2 * 2^2) without consideration for the other admins already managing[1]. Anyway, the more admins you have for a given system, the less overall control you have of that system. You can have 1000 admins on a network, they just better not all be managing and have control over the same systems. The more admins on a system you have the more people modifying things and coming up with "cool" ideas or the more chance someone will leave a machines unlocked or get infected or the more likely you are to have generic admin type IDs and less chance you can figure out who did something if something bad happened. You will recall this was the number one debate I had with management when we worked together previously and you know how strongly I argued that point. They wanted more people to have rights, I wanted less. It had something to do with the quality of the admins, but it had a lot to do with the sheer number because once you exceed 3 or so I have found that the responsibility people feel tends to drop significantly and your overall danger grows considerably. I think it has something to do with the feeling of ownership. If you have 20 people who own something versus 3 people who own something, the 3 people will have a stronger sense of ownership and caring, IMO. If you have 3 crappy admins, you are still screwed. You will note the equation above says nothing about admin quality, just numbers and management chains. There are a lot of people running around who have admin IDs who aren't administrators. However, they tend to stick out more when there aren't a bunch of other people covering for them and can hopefully be removed. > And, Rick, thanks a bunch for your late-night assistance. I owe you one. And I don't even want to know what this is about... joe [1] That formula is completely made up (and having been written out like this automatically copyrighted) by me and represents how I personally view the impact of adding more admins and more management chains. While I think centralized monitoring is nice and all, I think it is generally configured in a way that is extremely destructive to overall environment security. When I ran ops for a forest, I would not allow monitoring to be added to the Domain Controllers I managed that was run by anyone other than our direct group. I fought that battle with multiple groups over the space of 5 years. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, March 21, 2005 9:36 PM To: [email protected] Subject: RE: [ActiveDir] Have fun at DEC I not only had fun at DEC, I learnt so many things. Aside from being around the usual suspects (Hi, Dean! Hi, Joe! Hi, Rick!), I got to meet Jorge, Hunter, Alain and a host of other people. Then I came away with 2 of the most eye-opening lessons to-date in my professional life: You can't cram a "security" discussion into a 75-minute presentation :) There is an inverse relationship between the number of admins and the security of your network - the higher the number of admins, the lower the security. Gil and the rest of the DEC crews are some of the most gracious hosts I have ever had the pleasure of being associated with - and I am grateful for the opportunity. And, Rick, thanks a bunch for your late-night assistance. I owe you one. Sincerely, D�j� Ak�m�l�f�, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon ________________________________ From: [EMAIL PROTECTED] on behalf of joe Sent: Mon 3/21/2005 5:42 PM To: [email protected] Subject: RE: [ActiveDir] Have fun at DEC Hey now, Dean and I actually weren't on the admin teams. We were wandering consultants. We initially had been under the understanding that it was a hacking session and we are under constraints about showing off tricks like that so we excused ourselves from the competition. Gil asked us just to walk around and check out what was going on. Once we realized it was a break-fix with users trying to take advantage of a poorly configured system Dean jumped in a little more but still didn't get to do what he wanted. Had we been on the admin team, the first thing we would have done is make it so no one could connect remotely to the DCs and secured them, then opened them up. That would have made the whole experiment go about 6 or so minutes with reboots as I saw no fancy hacking going on. You probably heard us up there saying, cut the users off at the knees, drop the services so you can secure. Secure environment #1, users getting access to resources #2. It was funny because as soon as Stuart (Kwan of the Ottawa Kwan Clan) walked up the first thing he was saying was screw the users, lock down as well. Dean spent most of his time pointing out how to fix broken things like DNS and replication and such as well as saying disable all of the users. I spent the time getting beers, explaining what tools were on the CD (did poorly at that as I didn't recognize many of them), correcting command line commands, and saying drop the network!!! The lab environment was set up pretty poorly as the VMs that were hosting the DCs were configured to auto-rollback changes so every time the systems rebooted, everything the admin team had done was rolled back. Also the person who set up the hosts neglected to set a password on the host so people could attack the host directly which I understand was outside the scope of the test. Dean had the perfect solution right up front... Dump users, groups, OU structures to LDIF files, demote the forest, repromote the forest, reimport the users/groups/structures. That would have cleared up nearly all of the screwups and wouldn't have left any openings for the users errr hackers unless they could get on the physical box which they couldn't do. It was extremely interesting though to see the various viewpoints. There was a rather stark line between many of the people where it was get the services running versus lock the environment down. I have no problem telling a user to go screw off if there is a security issue. Between fixing security and making users run I will almost always go to the side of security because if you don't have security, you can't guarantee the quality of the information in your system which is a poor place to be for an authentication system. Plus if it is insecure, you can't even guarantee the services very well. ;oP I wouldn't say anyone actually won the competition. That last part about the schema being messed up was Dean having fun. He pulled one of his tricks but didn't really let anyone see how he did it. It was just to show that yes, there are ways you can really hurt yourself bad or be hurt bad. Nothing in that test was anywhere near that level of danger. joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto Sent: Monday, March 21, 2005 7:45 PM To: [email protected] Subject: RE: [ActiveDir] Have fun at DEC Fun at DEC? Yeahh it was fun. It was also great to meat Gil, Guido, Dean, Joe, Rick and Deji in person. No chicken as I hoped for, but a t-shirt (that not even said "I went to DEC to get a rubber chicken but all I got was this lousy t-shirt") and we also got a bag. Gil was walking around with his bag that had a rope attached to it and the rubber chicken was hanging at the end of the rope. We all heart the rubber chicken "cry" (hee.. I would cry if I had a rope around my neck! ;-)) ) on monday during the "AD all night" session. By the way.. that session was also fun. It all started with 4 environments and each environment contained 1 forest and 1 domain with 2 DCs some wireless network stuff, an ADMINS team and a USERS team. In each environment security (whatever you could think of!!!) was really screwed! The admins (a complete team of people incl. Dean, Joe, Rick and Deji) had about 15 min. to correct all security screw-ups they could. After that the users came in and started working on the network using laptops with all kinds of hacking tools. We were supposed to wait 15 min. but we (I) didn't (hey a hacker doesn't wait until your network is safe and all security vulnerabilities are solved by you! So we didn't either). While the admins were searching and solving al vulnerabilities I already created two user accounts anonymously and added those to the adminstrators and domain admins groups. After we created the accounts we thought we should wait a bit so the admins had the chance to to some work. We also hoped they didn't find the accounts.... Crap that didn't work as we afterwards wan't to delete all kinds of things in AD to screw it up as bad as possible. The caveat was that if some admin found us screweing around and he could prove we did the damage the user got fired. If a user screwed up something and an admin did not prevent it the admin got fired. I still don't who did it, but after a while both DCs started rebooting and rebooting. The admins shut down the wireless network appliances so they couldn't be attacked. We as users started complaining about that we could do our work and that the SLA sucked..... ;-)) The DCs were not physically secured (hey that's also important!) and one of the users pulled the power plug of the DCs and those went down... The user was caught on the act and got fired. The admin that was responsible got demoted.... From admin to user! Hahaha. That wasn't also bad because that admin also knew all the passwords. As soon as we knew the password of the administrator account we tried again to screw it up. After a while everything was closed down to maximum security (at least I think it was as we were not able to do anything). Better yet the admins could do much either because the DC was so screwed it didn't even know it had a schema (or something like that). ;-)) Again: great session! Hope to attend again next year Cheers Jorge -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, March 18, 2005 09:15 To: [email protected] Subject: RE: [ActiveDir] Have fun at DEC At least I heard the chicken this year, I never had heard it. I was pretty well toasted at the time and thought a goose was running around the conference room. joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert Sent: Saturday, March 12, 2005 11:20 AM To: [email protected] Subject: RE: [ActiveDir] Have fun at DEC I believe I am the proud owner of the last DEC chicken. Gil gave it to me at DEC in Ontario. Sure wish I could have made it to DEC this year. Dan > -------- Original Message -------- > Subject: RE: [ActiveDir] Have fun at DEC > From: "joe" <[EMAIL PROTECTED]> > Date: Fri, March 11, 2005 5:16 pm > To: [email protected] > > Unfortunately Gil doesn't do that anymore. He did the last chicken I > think 2 years back I think. I know for sure he didn't do one last year. > > He needs T-Shirts that say... > > I went to DEC to get a rubber chicken but all I got was this lousy t-shirt. > > > joe > > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf > Sent: Friday, March 11, 2005 6:51 PM > To: [email protected] > Subject: [ActiveDir] Have fun at DEC > > For all you folks who are going to DEC, have a great time and good > luck getting the rubber chicken. > > Phil (re-subscribed with new address) > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
