RE: Subdomain security

Wim_Remesmsp.be
Date: Sat Dec 18 2004 - 15:45:04 CST


Hi,

First, you were correct when saying that the only true security boundary is
the forest...but I'm always looking at what I'm trying to secure. There
are a few reasons to implement separate forests, there are a million others
for making extensive use of delegation of authority. In my opinion there
should only be one single ID that has 'enterprise admin' rights and that
should be unknown to any normal admin. It should be only used when a change
to the root domain is required and approved through change management. 99%
of all daily admin tasks can be performed without domain admin rights, you
can allow anything to a simple user by using delegation of authority (and
he won't be able to make himself enterprise admin). With proper ID
Management and procedures implemented, you would have a dream of a domain,
not compromising security on any level.

Changes to the group membership can be ruled out by using a 'restricted
groups' policy on the domain level.

There's lots of info about restricted groups around; I'm posting the
jsiinc.com link because JSI has loads of other information (both
security-related and general) that can help you out on many issues.

Regards,

Wim Remes
MCSE:Security

-----"Renouf, Phil" <Phil.Renouftdsecurities.com> wrote: -----

To: "Scott Mulcahy" <scottcm-secfocushotmail.com>,
<focus-mssecurityfocus.com>
From: "Renouf, Phil" <Phil.Renouftdsecurities.com>
Date: 17/12/2004 19h13
cc: <orenheld.org.il>
Subject: RE: Subdomain security

> I'm fairly certain that an enterprise admin can get admin privs
> anywhere in the forest.

Not to mention that as a Domain Admin it is very easy for someone to get
themselves enterprise admin rights. One important thing to monitor is
changes to the group membership of the major admin groups (Enterprise,
Schema, Domain etc.). I know that MOM does this pretty well, but I am
sure other monitoring tools offer that as an option.

Phil
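
Worked example for the two mechanisms discussed in this thread, Wim's Restricted Groups policy and Phil's monitoring of membership changes to the Enterprise/Schema/Domain Admins groups. This is added editorial code, not part of either message and not a script from either poster or from JSI. It parses a Restricted Groups template in the [Group Membership] shape a GPO stores in GptTmpl.inf, treats that as the approved membership, compares it with current membership, and flags member-added/removed events against the same baseline. The EXAMPLE domain, the SIDs, the account names, the current-membership table and the event records are constructed sample data; the comments show where the live inputs (Get-ADGroupMember, Get-WinEvent) would come from.

```powershell
# Added example, not from the original thread: derive the approved membership of the
# privileged groups from a Restricted Groups template, compare it with actual membership,
# and flag membership-change events against it. All data below is constructed; the
# EXAMPLE domain, SIDs, account names and event records are assumptions for illustration.

# A [Group Membership] section in the shape Restricted Groups writes into a GPO's
# GptTmpl.inf: keys are "<group>__Members" / "<group>__Memberof", a leading '*'
# marks a SID, and values are comma-separated accounts.
$RestrictedGroupsTemplate = @'
[Group Membership]
*S-1-5-21-1111-2222-3333-519__Memberof =
*S-1-5-21-1111-2222-3333-519__Members = EXAMPLE\ea-breakglass
*S-1-5-21-1111-2222-3333-518__Memberof =
*S-1-5-21-1111-2222-3333-518__Members =
*S-1-5-21-1111-2222-3333-512__Memberof =
*S-1-5-21-1111-2222-3333-512__Members = EXAMPLE\da-breakglass,EXAMPLE\svc-backup
'@

# Well-known RIDs of the groups Phil lists: Enterprise, Schema and Domain Admins.
$PrivilegedGroupRids = @{ '519' = 'Enterprise Admins'; '518' = 'Schema Admins'; '512' = 'Domain Admins' }

# Security-log IDs for member added / removed on global, local and universal groups
# (on Windows 2000/2003 the same events are 632/633, 636/637 and 660/661).
$MemberAddedIds   = 4728, 4732, 4756
$MemberRemovedIds = 4729, 4733, 4757

function Get-RestrictedGroupBaseline {
    param([string]$Template)
    $baseline = @{}
    $inSection = $false
    foreach ($line in $Template -split "`r?`n") {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^\*?(?<group>[^_]+)__Members\s*=\s*(?<members>.*)$') {
            $rid  = ($Matches['group'] -split '-')[-1]          # last SID component
            $name = if ($PrivilegedGroupRids.ContainsKey($rid)) { $PrivilegedGroupRids[$rid] } else { $Matches['group'] }
            $baseline[$name] = @($Matches['members'] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return $baseline
}

# $Actual maps group name -> 'DOMAIN\sam' strings; for a live domain build it with
#   Get-ADGroupMember -Identity $group -Recursive | ForEach-Object { "EXAMPLE\$($_.SamAccountName)" }
function Compare-PrivilegedGroupMembership {
    param([hashtable]$Baseline, [hashtable]$Actual)
    foreach ($group in $Baseline.Keys) {
        $expected = @($Baseline[$group])
        $current  = if ($Actual.ContainsKey($group)) { @($Actual[$group]) } else { @() }
        foreach ($m in $current | Where-Object { $expected -notcontains $_ }) {
            [pscustomobject]@{ Group = $group; Finding = 'UNEXPECTED MEMBER'; Account = $m }
        }
        foreach ($m in $expected | Where-Object { $current -notcontains $_ }) {
            [pscustomobject]@{ Group = $group; Finding = 'MISSING MEMBER'; Account = $m }
        }
    }
}

# $Events are objects with Id, TimeCreated, Group, Member and Actor. From the live log
# they come from Get-WinEvent -FilterHashtable @{ LogName = 'Security';
# Id = $MemberAddedIds + $MemberRemovedIds; StartTime = (Get-Date).AddDays(-1) },
# projecting Properties[2] (group), Properties[0] (member) and Properties[6] (actor);
# confirm those indexes against the event's XML view on your own DCs.
function Find-PrivilegedGroupChanges {
    param([hashtable]$Baseline, [object[]]$Events)
    foreach ($e in $Events) {
        if (-not $Baseline.ContainsKey($e.Group)) { continue }   # only policy-governed groups
        $action = switch ($e.Id) {
            { $MemberAddedIds   -contains $_ } { 'ADDED' }
            { $MemberRemovedIds -contains $_ } { 'REMOVED' }
            default                            { $null }
        }
        if (-not $action) { continue }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Group      = $e.Group
            Action     = $action
            Member     = $e.Member
            By         = $e.Actor
            # ADDED with InBaseline = False is the case to page on: the policy reverts it
            # at the next refresh, but until then the rights are live.
            InBaseline = (@($Baseline[$e.Group]) -contains $e.Member)
        }
    }
}

# Constructed sample inputs: one unapproved Enterprise Admin and three events.
$baseline = Get-RestrictedGroupBaseline -Template $RestrictedGroupsTemplate
$actual   = @{
    'Enterprise Admins' = @('EXAMPLE\ea-breakglass', 'EXAMPLE\jdoe')
    'Schema Admins'     = @()
    'Domain Admins'     = @('EXAMPLE\da-breakglass', 'EXAMPLE\svc-backup')
}
$events = @(
    [pscustomobject]@{ Id = 4756; TimeCreated = [datetime]'2004-12-17T18:02:00'; Group = 'Enterprise Admins'; Member = 'EXAMPLE\jdoe'; Actor = 'EXAMPLE\jdoe' }
    [pscustomobject]@{ Id = 4728; TimeCreated = [datetime]'2004-12-17T18:05:00'; Group = 'Domain Admins'; Member = 'EXAMPLE\svc-backup'; Actor = 'EXAMPLE\da-breakglass' }
    [pscustomobject]@{ Id = 4728; TimeCreated = [datetime]'2004-12-17T18:09:00'; Group = 'Sales'; Member = 'EXAMPLE\bob'; Actor = 'EXAMPLE\helpdesk1' }
)
Compare-PrivilegedGroupMembership -Baseline $baseline -Actual $actual | Format-Table -AutoSize
Find-PrivilegedGroupChanges -Baseline $baseline -Events $events | Format-Table -AutoSize
```

On the sample data the comparison reports EXAMPLE\jdoe as an unexpected member of Enterprise Admins, and the event scan shows that addition with InBaseline = False (the svc-backup addition is in the baseline, and the Sales event is ignored because the policy does not govern that group). One caveat worth keeping in mind when combining the two messages above: Restricted Groups only re-applies the membership at policy refresh, and anyone who can edit the GPO that carries the baseline (a Domain Admin in the domain that holds it) can change the baseline itself, so the out-of-band comparison and the event monitoring are what catch both the window between refreshes and edits to the policy.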
