Why are you removing the admins? based on what you wrote the computer network will probably turn into a massive mess with all these programs installed and users as admins..
On Dec 2, 2007 8:22 PM, <[EMAIL PROTECTED]> wrote: > On Sun, 02 Dec 2007 09:42:26 GMT, happy nino said: > > Hi All,i've a problem in my organization that we have several domain > admins, > > we are in the process of removing most of them but i need to have a > person > > only authorized to installnew software to users' computers but without > having > > access to other parts of the users machines, is this possible ? > > What exactly are you trying to accomplish, given that if they are allowed > to > install software, they are allowed to install software that will then at a > later point in time give them access to other parts of the machine? > There's no > "don't allow the installation of trojaned software" flag. Also, if you're > backing up the machines (you *do* back them up, right?), your admin can > probably just restore the files from backup into some other directory... > > Have you looked at using something like EFS or BitLocker *and turn off key > escrow* so the admin's keys don't work? Of course, this makes backups > "interesting", and if you have an Internal Audit group, they may have a > cow > about non-escrowed keys if they have a clue. > > It would probably be easier to answer this one if you were able to say > specifically what "other parts" you didn't want the admins to be getting > at, > and why you can't just use "if you abuse your privs, you're fired and > we're > calling the local DA" to keep them in line (this works for most places, > if you pay your admins a fair wage, but of course some particularly > high-value > targets invite high-risk attacks). > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -- http://search.goldwatches.com/?Search=Movado+Watches http://www.jewelerslounge.com http://www.goldwatches.com
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
