Oh I completely agree with lack of change control. I can't
count the number of times I have asked companies what their change control
process is and they look at me and go huh? What do you mean, we go into
<insert tool name> and make the change.
Like you have quite a bit of main/mid frame experience and
even changes are handled differently (have I said recently I really miss working
on RSTS/E on PDP-11s?). Along with the change control is usually considerable
testing (both of the change and backout) and everything tends to get "scripted"
which is just the word for whatever batch type control mechanism is the standard
for the platform so things can be done in a very specific controlled fashion.
These things are also well outside the realm of the daily admin in the Windows
world. No one thinks twice (or sometimes even once) about deep
configuration changes because they are so easy to make.
My solution for the clicking on the wrong website or
reading the wrong email or whatnot is that DAs shouldn't be logging on
interactively with their DA IDs. They log into PCs with normal IDs and use
RUNAS/CPAU/Whatnot to create a process with an enhanced security context. And if
an Admin logs into a server, especially a domain controller, and starts
using the web or email or anything that can give access to untrusted code to run
they need to be smacked about and possibly fired. I am all for all Servers
having a default web page of a local file that comes up and says USE THE WEB
BROWSER NOW, TURN IN YOUR BADGE RIGHT AFTER.
I also have strong feelings about having few admins because
of the managerial structure that can spring up around larger groups. 3-5 people
can generally be all under the same supervisor, getting above that and the
chances of dotted-line hierarchies start creeping in and you can't have several
different people trying to manage how they think it should be managed. I have
experienced this first hand and it was a nightmare; I spent every morning trying
to unmake changes the European Admins made that they thought needed to be made
to make things work; undoubtedly the next morning for them they would undo what
I did or redo what they had done before because I was often having to correct
yet again. Finally I just kicked them out of the admin groups and kept them
kicked out and the environment stabilized. Had they done the same with me
something similar possibly would have happened but who knows, they had had a
long time in which to make things work well before I got there and when I came
in it still wasn't well. ;o) Only sort of joking there. :)
I think we are dancing around the same things. It is about
competent, controlled, selective, knowledgeable admins and how many people who
are doing admin work that don't fit that description. :) It isn't entirely the
fault of the admins themselves, culture and the quality of people that companies
are willing to pay for play heavily into it. But yes, change control getting
implemented and STRICTLY followed can certainly help a great
deal.
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, August 01, 2006 4:10 PM
To: [email protected]
Subject: RE: [ActiveDir] Revoke domain administrator's right to create GPO?
Thanks Joe. Interestingly, I agree with what you're saying
here, but not for exactly the same reason. I happen to think that the
"badness" of having lots of over-privileged admins is not the accidental
stupidity (hmmm...is that an oxymoron?), although we know that happens. This
actually gets to the heart of what I think is wrong with how some Windows shops
are managed. When I worked in larger environments that had mainframes, there was
rigorous change control over absolutely every little thing that was done. So, no
matter how privileged an administrator was, nothing that they did went unseen,
untested and didn't come with a rock-solid back out plan. Enter the distributed
world of Windows and all bets are off. Having lots of domain admins is not a
problem, in and of itself, if you follow good change management practices,
because presumably none of those DAs would dare make a change for fear of having
their heads chopped off. But that is a cultural thing that does not exist in
most Windows shops. No, I think the bigger problem with having lots of
over-privileged admins is the same problem we have with organizations that make
all of their users admins on their local machines--that of over-privileged users
being targets for malware that take advantage of their privileges to do nasty
things. I'd be much less worried from a DA that accidentally deletes an OU than
I would be from a DA who accidentally clicks on that website that downloads
malicious code that is smart enough to take advantage of that user's DA status
to get at or modify corporate directory data that compromises security,
privacy or other critical business stuff. I have yet to see such a targeted
attack but I am guessing it's only a matter of time.
So, yes, absolutely get rid of all those extra DAs, but not
just because they do stupid admin tricks, but also because they open up your AD
to all kinds of nasty attacks. And, while you're at it, how about removing
administrator rights from all of your end users....
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, July 31, 2006 7:34 PM
To: [email protected]
Subject: RE: [ActiveDir] Revoke domain administrator's right to create GPO?
Yeah I know where you are coming from Darren but absolutely
can't say it is ok because I do not believe it is ok at all. I think saying it
is ok or that it is understandable will relax people about it and people
absolutely should not be relaxed about it or feel that they can't do anything
about it and that it isn't their responsibility to try and get corrected. It is
a very bad thing and they need to always have that spectre over them where they
know it. That helps, I think, in making it so it isn't a surprise when something
inevitably screws up and no one can sit there saying, wow, I had no idea it was
that bad of a thing. People need to be working towards locking down their
environment every moment and looking for bad things and removing them every
second. It is a long slow climb uphill but if the work isn't done, it will never
happen until maybe, hopefully not, something absolutely blows and everyone has
to jump and try to figure out how to do it in one fell
swoop.
I saw the same logic of "the people really don't know
what they can do"... used for running an Enterprise Data Center back in 1999 and
this was with hundreds of NT servers and many domains and application owners
were just given admin rights over all of these boxes and it was status quo; none
of the people had a clue what kind of rights they had and figured anything bad
they were actually protected from doing because it would be stupid to let them
be able to do something bad.... Everyone said it was fine and didn't cause
issues until I came in and started looking at it and got sick of running around
working on stupid preventable stuff so started making sure every issue was
reported and floated up. While it made me and my group look bad initially
because the availability of the servers appeared to have plummeted from where
it was before, it was only that it appeared that way because we actually
reported the problems where the previous folks hid everything under the carpet
and that slowly became apparent. It slowly gave us the permission to fix stupid
things that the previous group said were impossible to get changed. It was a lot
of hard work but by the end of it, things actually did run well and stable. I
know probably better than most the politics and the outright pain and difficulty
involved because I lived through 80 and 100+ hour weeks of it in a very high
pressure Fortune 5 environment where I had plant managers and VPs of
manufacturing who had no problem screaming at me but I also realize the huge
benefits you get out of that work and I think any admins who are serious about
doing a good job will keep it up and keep trying to fight the good fight.
In the long run, they will look better for it, the company will be better off,
and their lives, if they stick around for the benefits will be easier. Folks who
don't point out the bad things when they see them and push for better solutions
aren't doing any favors for their employers, they are taking the easy route and
it is counterproductive long term.
I don't do it so much for myself and the long term benefits
for me as I never seemed to stay in the positions to benefit for longer
than 3-4 years before I ran off and dived into another mess but instead do it
because I think that is what my job description as an Admin is. To do the
absolute best job I know how to do and work towards making the best environment
I can visualize. If luck is a component of the security model or the recovery
model or the admin model, I don't consider that to be very good and I know you
Darren don't either. You are just nicer than I am in saying it.
:)
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, July 31, 2006 7:06 PM
To: [email protected]
Subject: RE: [ActiveDir] Revoke domain administrator's right to create GPO?
<not an argument for implementing bad security>I
think we all know how bad it is to have hoards of DAs. We also know that it is
the reality in many large and small orgs. and we also know that it is sometimes
unavoidable for purely non-technical reasons. The bottom line is that many of
those DAs probably don't know how to undo something that you take away from
them, so security by obscurity, while pretty awful, sometimes
actually works.
</not an argument for implementing bad security>
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, July 31, 2006 1:58 PM
To: [email protected]
Subject: RE: [ActiveDir] Revoke domain administrator's right to create GPO?
Hehe. Wrong list for this kind of question. Put on a
helmet.
But... yes you can, for as long as the DAs decide to let it
be that way. They will have no issues switching it right back. You CANNOT
prevent DAs from doing anything they want in the domain or the forest. You can
try like a duckling can try and put out the flames of a volcano with
the beating of his wings and you will be just as successful. There is no such
thing as Domain Administrator and Super Domain Administrator. Once you get even
administrator rights on a DC, you pretty much do what you want when you want. It
really doesn't even take that much but we will start there.
The answer you are looking for is to reduce the number of
DAs in the entire forest to 5 or less. You don't work for a large enough company
to actually qualify to use LOTS of Domain Administrators unless there are lots
of forests and only a few DAs in each. AD should be delegated or
provisioned, it shouldn't have a bunch of folks with native high level rights.
No this isn't impossible to do, some of us have done it in Fortune 5 companies
and of course also in smaller companies.
joe
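As an added example (not code from the thread or from any list member), here are the two rules joe gives turned into a check a defender could run: Domain Admins membership capped at five, and no interactive logons by DA accounts, who should instead use RUNAS from a normal ID. The account names, hosts and 4624 event records are constructed sample data.

```python
"""Added example, not code from the thread: checks two of joe's rules.
Domain Admins should have five or fewer members, and DA accounts should
never log on interactively (use RUNAS from a normal ID instead)."""

MAX_DOMAIN_ADMINS = 5
# Logon types that mean someone is at a console or RDP session with the
# privileged ID: 2 = Interactive, 10 = RemoteInteractive, 11 = CachedInteractive.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}

# Constructed sample data: group membership and Security event 4624 records.
# In production these would come from Get-ADGroupMember and Get-WinEvent.
DOMAIN_ADMINS = {"CORP\\da-joe", "CORP\\da-darren", "CORP\\da-andy",
                 "CORP\\da-svc1", "CORP\\da-svc2", "CORP\\da-extra"}
EVENTS_4624 = [
    {"account": "CORP\\joe",       "logon_type": 2,  "host": "WS01"},  # normal ID
    {"account": "CORP\\da-joe",    "logon_type": 3,  "host": "DC01"},  # network, fine
    {"account": "CORP\\da-darren", "logon_type": 10, "host": "DC01"},  # RDP as DA
    {"account": "CORP\\da-andy",   "logon_type": 2,  "host": "WS07"},  # console as DA
    {"account": "CORP\\da-joe",    "logon_type": 5,  "host": "DC01"},  # service, fine
]

def excess_domain_admins(members, limit=MAX_DOMAIN_ADMINS):
    """Return how many members exceed the limit (0 when within policy)."""
    return max(0, len(members) - limit)

def interactive_da_logons(events, domain_admins):
    """Return (account, host, logon_type) for each interactive DA logon."""
    return [(e["account"], e["host"], e["logon_type"]) for e in events
            if e["account"] in domain_admins
            and e["logon_type"] in INTERACTIVE_LOGON_TYPES]

def report(events, members):
    """Human-readable findings for both checks."""
    findings = []
    over = excess_domain_admins(members)
    if over:
        findings.append(f"Domain Admins has {len(members)} members, "
                        f"{over} over the limit of {MAX_DOMAIN_ADMINS}")
    for acct, host, lt in interactive_da_logons(events, members):
        findings.append(f"{acct} logged on interactively (type {lt}) to {host}")
    return findings

if __name__ == "__main__":
    for line in report(EVENTS_4624, DOMAIN_ADMINS):
        print("FINDING:", line)
```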
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Wang
Sent: Monday, July 31, 2006 3:42 PM
To: [email protected]
Subject: [ActiveDir] Revoke domain administrator's right to create GPO?
I have a Group Policy delegation question. By default, only domain administrators, enterprise administrators, Group Policy Creator Owners, and the operating system can create new Group Policy objects. Since our company has lots of domain administrators, I'm thinking of revoking domain administrators' rights to create GPOs, then adding only several of them to the Enterprise Admins group / Group Policy Creator Owners. Is it possible?
Thanks in advance.
Andy
