Yes that should be scary. Did you guys change anything as a result? 

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of matheesha
weerasinghe
Sent: Monday, March 13, 2006 5:31 AM
To: [email protected]
Subject: Re: [ActiveDir] Monitoring DC's

No kidding. Here at my work place we once needed access to the enterprise
admin password but the safe was not accessible as the building was damaged
and not safe to enter. The chap remotely connected to the network and used
IBM Director to reset the password of the root administrator account! I
didn't know such a feature existed (I think the agent runs as local system),
and he was only a domain admin of the child domain but hey that was scary!

M@

On 10/03/06, joe <[EMAIL PROTECTED]> wrote:
> The moment you put the Tivoli agent (or MOM or SMS or AV or whatever) 
> on a single DC, whoever admins the foreign application is now 
> effectively a domain/enterprise admin as well. Any attack vectors into 
> their monitoring servers, etc are now all vectors into the core of 
> your security for the Enterprise. Basically you could have the 
> greatest security practices in the world (barring this one) for your 
> DCs and then some bonehead move over on the monitoring platform 
> (because it isn't quite as critical to be secure, it is ONLY watching...)
> and bam you can be utterly compromised.
>
>   joe
>
>
> --
> O'Reilly Active Directory Third Edition - 
> http://www.joeware.net/win/ad3e.htm
>
>
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
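
The thread's point is that any agent running as Local System on a DC gives its operators DC-level control, so the first audit step is knowing which such agents are installed. The following is an added example, not part of the original messages: a PowerShell sketch that lists services on the local DC running as LocalSystem whose binary is not signed by Microsoft. Treating the signer subject as the vendor indicator is an assumption of this sketch.

```powershell
# Added example: run locally on a domain controller in an elevated session.
# Lists services that run as LocalSystem and whose executable is not
# Microsoft-signed, i.e. third-party agents (monitoring, AV, management)
# whose administrators effectively hold the DC's privileges.
# Caveat: a third-party service DLL hosted inside svchost.exe is not caught,
# because the path checked here is svchost.exe itself.
$privileged = 'LocalSystem', 'NT AUTHORITY\SYSTEM'

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -in $privileged -and $_.PathName } |
    ForEach-Object {
        # PathName may be quoted and carry arguments; keep only the executable.
        $exe = $null
        if ($_.PathName -match '^\s*"([^"]+)"') {
            $exe = $Matches[1]
        } elseif ($_.PathName -match '^\s*(.+?\.exe)') {
            $exe = $Matches[1]
        }
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }

        $sig = Get-AuthenticodeSignature -LiteralPath $exe
        $signer = if ($sig.SignerCertificate) {
            $sig.SignerCertificate.Subject
        } else {
            '(unsigned)'
        }

        # Heuristic (assumption): a Microsoft signer means an OS component.
        if ($signer -notmatch 'O=Microsoft Corporation') {
            [pscustomobject]@{
                Service     = $_.Name
                DisplayName = $_.DisplayName
                State       = $_.State
                Signer      = $signer
                Path        = $exe
            }
        }
    } |
    Sort-Object Signer, Service |
    Format-Table -AutoSize -Wrap
```

Each row is software whose management console and update channel belong inside the same security boundary as the DC itself.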
