Domain administrator's can be denied permission to a
specific machine or a set of specific machines,
basically your question itself has the answer. Domain
admins have superuser access to member's by default,
but it can be configured.
These are probably the steps that will have to be done
on the member computer,
1) Deny network access to domain admins (Local
security policy)
2) Remove Domain admins' from local administrator
group.
3) Set appropriate NTFS persmissions on all
drives/folders.
4) Reconfigure "Bypass traverse checking", explicitly
deny domain admins.
5) Deny log on locally permissions to everyone else
other than the responsible person.
Plus a few mote things like, who's allowed to shutdown
the box, setting BIOS passwords, denying floppy/CD-ROM
access and so on.
This could be defined as a template, so that it's easy
to apply it on multiple computers.
By default, Windows may not be secure, but it can be
configured to keep most but very dedicated hackers
out. Also remove all unwanted services, remove
unwanted shares, turn on security auditing etc.
Basically all standard hardening steps.
I'm not aware of this being done in my organization,
but that has to do with the very low security
awareness at the executive, administrative and all
levels I guess.
Thanks,
Randhir V.
--- Michael Cox <mscox42 (at) yahoo (dot) com [email concealed]> wrote:
> I'd like to solicit the group's input on the
> following.
>
> Domain administrators, by definition, are going to
> have complete access to member computers.
>
> Is anyone doing anything to mitigate the potential
> risks involved with access to, say, an executive's
> computer which could have very sensitive data on it
> (mergers and acquisitions, for example)?
>
> One obvious answer is encryption, but I'm curious
> what
> is available in the Windows world as I'm not as
> familiar with that.
>
> Even if something like object level auditing was
> enabled and the logs sent to a remote host, couldn't
> the admin, as a first step, disable this logging?
>
> Please answer both 1) what is possible, and 2) what
> is
> your organization or other organizations you know of
> doing about this (if anything).
>
> Many thanks in advance!
>
> Michael
>
> __________________________________
> Do you Yahoo!?
> Yahoo! SiteBuilder - Free web site building tool.
> Try it!
> http://webhosting.yahoo.com/ps/sb/
>
>
------------------------------------------------------------------------
---
>
------------------------------------------------------------------------
---
>
=====
"If you can imagine it, you can achieve it; if you can dream it, you can become it."
(William Arthur Ward)
specific machine or a set of specific machines,
basically your question itself has the answer. Domain
admins have superuser access to member's by default,
but it can be configured.
These are probably the steps that will have to be done
on the member computer,
1) Deny network access to domain admins (Local
security policy)
2) Remove Domain admins' from local administrator
group.
3) Set appropriate NTFS persmissions on all
drives/folders.
4) Reconfigure "Bypass traverse checking", explicitly
deny domain admins.
5) Deny log on locally permissions to everyone else
other than the responsible person.
Plus a few mote things like, who's allowed to shutdown
the box, setting BIOS passwords, denying floppy/CD-ROM
access and so on.
This could be defined as a template, so that it's easy
to apply it on multiple computers.
By default, Windows may not be secure, but it can be
configured to keep most but very dedicated hackers
out. Also remove all unwanted services, remove
unwanted shares, turn on security auditing etc.
Basically all standard hardening steps.
I'm not aware of this being done in my organization,
but that has to do with the very low security
awareness at the executive, administrative and all
levels I guess.
Thanks,
Randhir V.
--- Michael Cox <mscox42 (at) yahoo (dot) com [email concealed]> wrote:
> I'd like to solicit the group's input on the
> following.
>
> Domain administrators, by definition, are going to
> have complete access to member computers.
>
> Is anyone doing anything to mitigate the potential
> risks involved with access to, say, an executive's
> computer which could have very sensitive data on it
> (mergers and acquisitions, for example)?
>
> One obvious answer is encryption, but I'm curious
> what
> is available in the Windows world as I'm not as
> familiar with that.
>
> Even if something like object level auditing was
> enabled and the logs sent to a remote host, couldn't
> the admin, as a first step, disable this logging?
>
> Please answer both 1) what is possible, and 2) what
> is
> your organization or other organizations you know of
> doing about this (if anything).
>
> Many thanks in advance!
>
> Michael
>
> __________________________________
> Do you Yahoo!?
> Yahoo! SiteBuilder - Free web site building tool.
> Try it!
> http://webhosting.yahoo.com/ps/sb/
>
>
------------------------------------------------------------------------
---
>
------------------------------------------------------------------------
---
>
=====
"If you can imagine it, you can achieve it; if you can dream it, you can become it."
(William Arthur Ward)
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
[ reply ]