Posted by Ondrej Sevecek on January 23, 2006, 5:43 am
Your SMS, MOM etc. groups are no exception from the security point of view of
other "admin" user groups. Although you should be aware of their "unsecure"
nature, you cannot do anything with it. They are probably service admins,
but you can always dissect even their roles.
Mainly, you should be aware of the general fact that *ANY*thing an ordinary
USERS group cannot do allows the user to:
- either acquire another identity on the same security level as is his one
(but this is unsecure, because he can *be* anybody) or lower
- or acquire another identity even with other administrative rights (so that
means higher levels)
- and this all they either can do directly or indirectly
Examples:
Account Admins can directly reset passwords for other users, or they
can just create an account and then delete it again. It is direct identity
theft.
Print Operators can install printer drivers that are actually .DLLs,
so this is code injection into other users' processes and so, indirect
identity theft (they must wait for the user to log on and print something).
Server Operators, although unable to directly modify AD, can just
install a keylogger and acquire the identity of other domain admins (indirect), or
they install and load a device driver, so directly gaining Local System
rights that could lead to direct AD modification.
Network Configuration Operators can change default gateways so they
can redirect all requests to their own "proxies"
Anybody with physical access to a computer can install a hardware
keylogger or reboot to other OS and reset admin's password. Indirect and
also direct identity theft.
So, they are *ALL ADMINS* without a protection and you *cannot* be safe from
anybody who is not only a USERS member (or with the same privilege level).
The only thing is to log everything, make them sign statements, backup logs
and then check them for intrusions.
O.
> Hello,
>
> When building a delegation model Microsoft recommends to clearly
> separate Service Admins and Data Admins. The Service Admins are
> responsible for controlling the directory structure, services and
> security. The Data Admins are responsible for some objects in their
> limited delegated containers and other related resources.
>
> That is a perfect suggestion.
>
> But in real life there are some serious problems with this separation
> model.
> In a typical Wintel company there are more components involved:
>
> SMS (Clients running on DCs)
> MOM (Clients running on DCs)
> RIS (Images for domain controllers)
> SAN (DCs have their disks on SAN)
> VmWare (some DCs are virtualized)
> Backup (backup servers take copies of domain controllers)
>
> In one or another way the administrators of all these components have
> access to domain controller data and can escalate their privileges up
> to Domain Admins or affect security of the controllers in another
> manner.
>
> Who are these administrators? Are they Service Admins or Data Admins?
>
> I see 2 solutions for this problem but neither is perfect.
>
> 1. Give all the administrative tasks (SMS+MOM+SAN+ ...) to Domain
> Admins. That will keep all the security control in one pair of hands but will
> end up with overloaded broad-profile AD admins.
>
> 2. Delegate the tasks, like SMS or MOM management, to highly trusted
> individuals. That will spread the security control over a group of
> people but diminish the load on AD admins.
>
> What would you recommend?
>
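The reply above argues that the built-in operator groups (Account Operators, which the reply calls "Account Admins", Print Operators, Server Operators, Network Configuration Operators) are admin-equivalent and that the realistic control is to log and review who holds them. The script below is an added example, not code from either poster: it enumerates the recursive membership of those groups so they can be reviewed with the same rigour as Domain Admins. It assumes the ActiveDirectory RSAT module is installed and that it runs against a domain controller, where these Builtin groups exist; adding Backup Operators to the list is my assumption, since the same reasoning applies to anyone who can read DC backups.

```powershell
# Added example (not from the thread): list everyone who is effectively an admin
# because of membership in a built-in operator group. Requires the ActiveDirectory
# RSAT module and a connection to a domain controller.
Import-Module ActiveDirectory

# Groups named in the reply, plus Backup Operators (assumption: same reasoning).
$AdminEquivalentGroups = @(
    'Account Operators',
    'Print Operators',
    'Server Operators',
    'Network Configuration Operators',
    'Backup Operators',
    'Domain Admins'
)

$report = foreach ($groupName in $AdminEquivalentGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
    if (-not $group) { continue }   # group absent on non-DC hosts; skip it

    # -Recursive expands nested groups, so indirectly delegated members show up too.
    Get-ADGroupMember -Identity $group -Recursive | ForEach-Object {
        [pscustomobject]@{
            Group             = $groupName
            Member            = $_.SamAccountName
            ObjectClass       = $_.objectClass
            DistinguishedName = $_.distinguishedName
        }
    }
}

# One row per (group, member); every name here should be on the signed-off list.
$report | Sort-Object Group, Member | Format-Table -AutoSize

# Keep a baseline from the last review (hypothetical path) and diff against it,
# so unexpected additions stand out instead of being read off a long table.
$baselinePath = '.\admin-equivalent-baseline.csv'
if (Test-Path $baselinePath) {
    $baseline = Import-Csv $baselinePath
    Compare-Object -ReferenceObject $baseline -DifferenceObject $report -Property Group, Member |
        Where-Object SideIndicator -eq '=>' |
        ForEach-Object { Write-Warning "New admin-equivalent member: $($_.Member) in $($_.Group)" }
} else {
    $report | Export-Csv $baselinePath -NoTypeInformation
}
```

Run it on a schedule and keep the exported CSV with the other audit logs the reply recommends retaining; the point of the diff is that a new Print Operator or Server Operator is reviewed on the same footing as a new Domain Admin.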