Alex-
I think you've proved my point by saying, "having
local admin rights is definitely a bad thing as far as security is concerned".
:-). But of course you are pointing out the underlying dilemma that
administrators have faced while trying to create a least-privileged user
environment. Frankly, I agree with you. It is easier to grant local admin
rights in some cases rather than trying to work around it. I have had to do that
myself in a past life. But I also managed to create and support an environment
for around 20,000 users (in NT 3.5 and 4.0 no less) that did not require
most users to have local admin rights. But it was not easy and it was not a
secure solution--it basically involved relaxing file system and registry
permissions as needed to allow specific apps to run. Yes the problem is
absolutely with how the OS and most applications are written--generally badly.
And yes, the problem becomes a lot less painful to manage with Vista and UAC.
But in the meantime, as the Internet has exposed the soft underbelly of an
all-admin environment, people continue to get worms and other malware that has a
serious effect on their business and its security. Frankly, I think that with
some of the recent advances in ISV solutions around this--with products that let
you selectively elevate privileges by application--this problem can be
managed. But then of course, you do have to spend money on it!
Vista will provide an in-the-box solution that I suspect
many will find irritating, but effective.
Darren
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard
Sent: Wednesday, August 02, 2006 1:40 PM
To: [email protected]
Subject: RE: [ActiveDir] Revoke domain administrator's right to create GPO?

> No, I think the bigger problem with having lots of over-privileged admins is the same problem we have with organizations that make all of their users admins on their local machines--that of over-privileged users being targets for malware that takes advantage of their privileges to do nasty things.
> … And, while you're at it, how about removing administrator rights from all of your end users....

I don't agree with your point regarding local admin rights. Yes, I agree: having local admin rights is definitely a bad thing as far as security is concerned, but I can speak from experience that many times, as much as I dreaded doing it, I had to give it to users. The reason was users were simply not able to do their work. Runas, etc. did not work or worked half of the time, and no matter how much time I spent, the quickest and most simple solution was to just give them admin rights.

I tend to think most of the problem lies with MSFT & Windows application developers for designing an OS and writing code which require "all or nothing" admin privileges. Ironically, most of those users were application developers themselves!

Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia

Thanks Joe.
Interestingly, I agree with what you're saying here, but not for exactly the same reason. I happen to think that the "badness" of having lots of over-privileged admins is not the accidental stupidity (hmmm...is that an oxymoron?), although we know that happens. This actually gets to the heart of what I think is wrong with how some Windows shops are managed. When I worked in larger environments that had mainframes, there was rigorous change control over absolutely every little thing that was done. So, no matter how privileged an administrator was, nothing that they did went unseen or untested, or without a rock-solid back-out plan. Enter the distributed world of Windows and all bets are off. Having lots of domain admins is not a problem, in and of itself, if you follow good change management practices, because presumably none of those DAs would dare make a change for fear of having their heads chopped off. But that is a cultural thing that does not exist in most Windows shops. No, I think the bigger problem with having lots of over-privileged admins is the same problem we have with organizations that make all of their users admins on their local machines--that of over-privileged users being targets for malware that takes advantage of their privileges to do nasty things. I'd be much less worried about a DA that accidentally deletes an OU than I would be about a DA who accidentally clicks on that website that downloads malicious code that is smart enough to take advantage of that user's DA status to get at or modify corporate directory data in a way that compromises security, privacy or other critical business stuff. I have yet to see such a targeted attack, but I am guessing it's only a matter of time. So, yes, absolutely get rid of all those extra DAs, but not just because they do stupid admin tricks, but also because they open up your AD to all kinds of nasty attacks. And, while you're at it, how about removing administrator rights from all of your end users....

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

Yeah, I know where you
are coming from, Darren, but I absolutely can't say it is ok because I do not believe it is ok at all. I think saying it is ok or that it is understandable will relax people about it, and people absolutely should not be relaxed about it or feel that they can't do anything about it and that it isn't their responsibility to try and get it corrected. It is a very bad thing and they need to always have that spectre over them where they know it. That helps, I think, in making it so it isn't a surprise when something inevitably screws up and no one can sit there saying, wow, I had no idea it was that bad of a thing. People need to be working towards locking down their environment every moment and looking for bad things and removing them every second. It is a long slow climb uphill, but if the work isn't done, it will never happen until maybe, hopefully not, something absolutely blows and everyone has to jump and try to figure out how to do it in one fell swoop.

I saw the same logic of "the people really don't know what they can do"... used for running an Enterprise Data Center back in 1999. This was with hundreds of NT servers and many domains, and application owners were just given admin rights over all of these boxes and it was status quo; none of the people had a clue what kind of rights they had and figured they were actually protected from doing anything bad because it would be stupid to let them be able to do something bad.... Everyone said it was fine and didn't cause issues until I came in and started looking at it and got sick of running around working on stupid preventable stuff, so I started making sure every issue was reported and floated up. While it made me and my group look bad initially because the availability of the servers appeared to have plummeted from where it was before, it was only that it appeared that way because we actually reported the problems where the previous folks hid everything under the carpet, and that slowly became apparent. It slowly gave us the permission to fix stupid things that the previous group said were impossible to get changed. It was a lot of hard work, but by the end of it, things actually did run well and stable. I know probably better than most the politics and the outright pain and difficulty involved because I lived through 80 and 100+ hour weeks of it in a very high pressure Fortune 5 environment where I had plant managers and VPs of manufacturing who had no problem screaming at me, but I also realize the huge benefits you get out of that work and I think any admins who are serious about doing a good job will keep it up and keep trying to fight the good fight. In the long run, they will look better for it, the company will be better off, and their lives, if they stick around for the benefits, will be easier. Folks who don't point out the bad things when they see them and push for better solutions aren't doing any favors for their employers; they are taking the easy route and it is counterproductive long term.

I don't do it so much for myself and the long term benefits for me, as I never seemed to stay in the positions to benefit for longer than 3-4 years before I ran off and dived into another mess, but instead do it because I think that is what my job description as an Admin is: to do the absolute best job I know how to do and work towards making the best environment I can visualize. If luck is a component of the security model or the recovery model or the admin model, I don't consider that to be very good and I know you, Darren, don't either. You are just nicer than I am in saying it. :)

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia

<not an argument for implementing bad security>I think we all know how bad it is to have hordes of DAs. We also know that it is the reality in many large and small orgs, and we also know that it is sometimes unavoidable for purely non-technical reasons. The bottom line is that many of those DAs probably don't know how to undo something that you take away from them, so security by obscurity, while pretty awful, sometimes actually works.</not an argument for implementing bad security>

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

Hehe. Wrong list for
this kind of question. Put on a helmet. But... yes you can, for as long as the DAs decide to let it be that way. They will have no issues switching it right back. You CANNOT prevent DAs from doing anything they want in the domain or the forest. You can try, like a duckling can try and put out the flames of a volcano with the beating of his wings, and you will be just as successful. There is no such thing as Domain Administrator and Super Domain Administrator. Once you get even administrator rights on a DC, you pretty much do what you want when you want. It really doesn't even take that much, but we will start there.

The answer you are looking for is to reduce the number of DAs in the entire forest to 5 or less. You don't work for a large enough company to actually qualify to use LOTS of Domain Administrators unless there are lots of forests and only a few DAs in each. AD should be delegated or provisioned; it shouldn't have a bunch of folks with native high level rights. No, this isn't impossible to do; some of us have done it in Fortune 5 companies and of course also in smaller companies.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Wang

Hi,
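An added example, not posted by anyone in the thread above: a PowerShell audit that makes visible the two things the thread argues about, how many accounts are effectively in the forest's built-in privileged groups (joe's "5 or less" target) and who is in the local Administrators group on a workstation (Darren's point about end users). It cannot stop a DA from changing anything back, which is exactly joe's point; it only reports. It assumes the ActiveDirectory module (RSAT) for the domain side and Windows PowerShell 5.1 or later for the local side; the cap of 5, the group list and the function names are this example's own choices.

```powershell
# Added example, not from the thread: report the effective (nested) membership of
# AD's built-in privileged groups and flag any that exceed a small cap, plus the
# local Administrators group on this machine. Requires the ActiveDirectory module
# (RSAT). The cap, the group list and the function names are assumptions.
#Requires -Modules ActiveDirectory

function Get-PrivilegedGroupReport {
    param(
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
        [int]$MaxMembers = 5
    )
    foreach ($g in $Groups) {
        try {
            # -Recursive expands nested groups, so an account that reaches Domain
            # Admins through a chain of group memberships is still counted. It
            # returns leaf objects (users, computers), not the intermediate groups.
            $members = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                         Sort-Object -Property DistinguishedName -Unique)
        } catch {
            # Enterprise Admins and Schema Admins exist only in the forest root
            # domain, and -Recursive fails on foreign security principals from
            # trusted domains; report the failure instead of silently skipping.
            Write-Warning "Could not enumerate '$g': $($_.Exception.Message)"
            continue
        }
        [pscustomobject]@{
            Group       = $g
            MemberCount = $members.Count
            OverCap     = $members.Count -gt $MaxMembers
            Members     = ($members.SamAccountName | Sort-Object) -join ', '
        }
    }
}

function Get-LocalAdminReport {
    # The end-user side of the thread: who is a local admin on this machine.
    # Needs Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts).
    # Domain groups nested here are listed too, so an entry such as a domain's
    # "Domain Users" group means every domain user is a local administrator.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

$report = Get-PrivilegedGroupReport
$report | Format-Table Group, MemberCount, OverCap -AutoSize
$report | Where-Object OverCap | ForEach-Object {
    Write-Warning ("{0} has {1} effective members, over the cap: {2}" -f $_.Group, $_.MemberCount, $_.Members)
}
Get-LocalAdminReport | Format-Table -AutoSize
```

Run it from a domain-joined machine as an account allowed to read group membership (an ordinary domain user usually suffices for the domain half). Because the domain half reads the directory rather than any one machine, it is the same check whether you have 3 forests or 1; the point of sorting on DistinguishedName and counting leaf objects is that a group with 4 direct members but 40 nested ones shows up as 40.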