> No, I think the bigger problem with having lots of over-privileged admins is the same problem we have with organizations that make all of their users admins on their local machines--that of over-privileged users being targets for malware that takes advantage of their privileges to do nasty things.
> … And, while you're at it, how about removing administrator rights from all of your end users....

I don't agree with your point regarding local admin rights. Yes, I agree; having local admin rights is definitely a bad thing as far as security is concerned, but I can speak from experience that many times, as much as I dreaded doing it, I had to give it to users. The reason was users were simply not able to do their work. Runas, etc. did not work or worked half of the time, and no matter how much time I spent, the quickest and most simple solution was to just give them admin rights. I tend to think most of the problem lies with MSFT & Windows application developers for designing an OS and writing code which require “all or nothing” admin privileges. Ironically, most of those users were application developers themselves!

Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia

Thanks Joe. Interestingly, I agree with what you're saying here, but not for exactly the same reason. I happen to think that the "badness" of having lots of over-privileged admins is not the accidental stupidity (hmmm...is that an oxymoron?), although we know that happens. This actually gets to the heart of what I think is wrong with how some Windows shops are managed. When I worked in larger environments that had mainframes, there was rigorous change control over absolutely every little thing that was done. So, no matter how privileged an administrator was, nothing that they did went unseen, untested, and didn't come with a rock-solid back out plan. Enter the distributed world of Windows and all bets are off. Having lots of domain admins is not a problem, in and of itself, if you follow good change management practices, because presumably none of those DAs would dare make a change for fear of having their heads chopped off. But that is a cultural thing that does not exist in most Windows shops.

No, I think the bigger problem with having lots of over-privileged admins is the same problem we have with organizations that make all of their users admins on their local machines--that of over-privileged users being targets for malware that takes advantage of their privileges to do nasty things. I'd be much less worried about a DA that accidentally deletes an OU than I would be about a DA who accidentally clicks on that website that downloads malicious code that is smart enough to take advantage of that user's DA status to get at or modify corporate directory data that compromises security, privacy or other critical business stuff. I have yet to see such a targeted attack but I am guessing it's only a matter of time.

So, yes, absolutely get rid of all those extra DAs, but not just because they do stupid admin tricks, but also because they open up your AD to all kinds of nasty attacks. And, while you're at it, how about removing administrator rights from all of your end users....

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

Yeah, I know where you are coming from, Darren, but I absolutely can't say it is ok because I do not believe it is ok at all. I think saying it is ok or that it is understandable will relax people about it, and people absolutely should not be relaxed about it or feel that they can't do anything about it and that it isn't their responsibility to try and get it corrected. It is a very bad thing and they need to always have that spectre over them where they know it. That helps, I think, in making it so it isn't a surprise when something inevitably screws up and no one can sit there saying, wow, I had no idea it was that bad of a thing. People need to be working towards locking down their environment every moment and looking for bad things and removing them every second. It is a long slow climb uphill, but if the work isn't done, it will never happen until maybe, hopefully not, something absolutely blows and everyone has to jump and try to figure out how to do it in one fell swoop.

I saw the same logic of "the people really don't know what they can do"... used for running an Enterprise Data Center back in 1999, and this was with hundreds of NT servers and many domains, and application owners were just given admin rights over all of these boxes and it was status quo; none of the people had a clue what kind of rights they had and figured anything bad they were actually protected from doing because it would be stupid to let them be able to do something bad.... Everyone said it was fine and didn't cause issues until I came in and started looking at it and got sick of running around working on stupid preventable stuff, so I started making sure every issue was reported and floated up. While it made me and my group look bad initially because the availability of the servers appeared to have plummeted from where it was before, it was only that it appeared that way because we actually reported the problems where the previous folks hid everything under the carpet, and that slowly became apparent. It slowly gave us the permission to fix stupid things that the previous group said were impossible to get changed. It was a lot of hard work, but by the end of it, things actually did run well and stable. I know probably better than most the politics and the outright pain and difficulty involved because I lived through 80 and 100+ hour weeks of it in a very high pressure Fortune 5 environment where I had plant managers and VPs of manufacturing who had no problem screaming at me, but I also realize the huge benefits you get out of that work and I think any admins who are serious about doing a good job will keep it up and keep trying to fight the good fight. In the long run, they will look better for it, the company will be better off, and their lives, if they stick around for the benefits, will be easier. Folks who don't point out the bad things when they see them and push for better solutions aren't doing any favors for their employers; they are taking the easy route and it is counterproductive long term.

I don't do it so much for myself and the long term benefits for me, as I never seemed to stay in the positions to benefit for longer than 3-4 years before I ran off and dived into another mess, but instead do it because I think that is what my job description as an Admin is: to do the absolute best job I know how to do and work towards making the best environment I can visualize. If luck is a component of the security model or the recovery model or the admin model, I don't consider that to be very good, and I know you, Darren, don't either. You are just nicer than I am in saying it. :)

joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia

<not an argument for implementing bad security>I think we all know how bad it is to have hordes of DAs. We also know that it is the reality in many large and small orgs, and we also know that it is sometimes unavoidable for purely non-technical reasons. The bottom line is that many of those DAs probably don't know how to undo something that you take away from them, so security by obscurity, while pretty awful, sometimes actually works.</not an argument for implementing bad security>

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

Hehe. Wrong list for this kind of question. Put on a helmet. But... yes, you can, for as long as the DAs decide to let it be that way. They will have no issues switching it right back. You CANNOT prevent DAs from doing anything they want in the domain or the forest. You can try, like a duckling can try to put out the flames of a volcano with the beating of his wings, and you will be just as successful. There is no such thing as Domain Administrator and Super Domain Administrator. Once you get even administrator rights on a DC, you pretty much do what you want when you want. It really doesn't even take that much, but we will start there.

The answer you are looking for is to reduce the number of DAs in the entire forest to 5 or less. You don't work for a large enough company to actually qualify to use LOTS of Domain Administrators unless there are lots of forests and only a few DAs in each. AD should be delegated or provisioned; it shouldn't have a bunch of folks with native high level rights. No, this isn't impossible to do; some of us have done it in Fortune 5 companies and of course also in smaller companies.

joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Wang

Hi,