Does it make sense to try to deny domain administrators access to a domain computer?

  • Question

  • I'm wondering if there is an official response to this question:

    Does it make sense to try to deny domain administrators access to a domain computer?

    My instinct is to reply that the object should be another domain if the domain admin should be excluded from it.

    Michel

    ...  I'd like to clarify: the root of this question is about securing sensitive data such as corporate financial information, employee salaries, etc.  How does one secure sensitive information if the domain administrator is not to have access to the sensitive information?

    Michel

    Friday, May 7, 2010 3:37 PM

All replies

  • Rewrite your domain admins under the policies as just that: admins. Only for PW resets and updates, without being able to extract. But the problem is the database is easy to gain access to, so it doesn't matter how much you restrict them; they still have the database, which contains all of the info above. So it's a catch-22, sorry. But if you can't trust your admin, why keep him/her? Make them sign a confidentiality clause going through an attorney; 9 times out of 10 they quit, then you move on to the next one that maybe you can trust. I would have to say key loggers and a password on every directory, and record the four W's: who, what, where and why?

    Guru C0der

    • Proposed as answer by Guru C0der Tuesday, May 11, 2010 7:16 AM
    • Unproposed as answer by Mitch_Thebeau Thursday, May 13, 2010 9:06 PM
    • Marked as answer by Kevin Remde Sunday, May 23, 2010 12:49 PM
    • Unmarked as answer by Mitch_Thebeau Friday, May 28, 2010 9:21 PM
    • Marked as answer by Kevin Remde Wednesday, June 2, 2010 12:06 PM
    Tuesday, May 11, 2010 7:16 AM
  • Thanks Guru,

    :)  Let's not start the trust discussion in this thread.  When I tried to search for the role of a domain administrator online, all I found were arguments such as the one you offered. 

    What I need is to make it very clear to my client what the role of a domain administrator is.  Unfortunately I can't find the MS documentation to support my assertion that it doesn't make sense to try to secure information on a domain from the domain administrator.  The definition of domain administrator seems embedded in the culture; that's why I "know" what a domain administrator is.  I'm looking for an official word from Microsoft so that I can demonstrate what a domain administrator is.

    Michel


    Thursday, May 13, 2010 6:54 PM
  • I thought Mr. C0der's reply was a good one.  Though I certainly understand that sometimes it is hard to assure your customer that it is enough to trust administrators. 

    I recommend you look at some of the tools that can help you plan your security strategy carefully, and then consider the kinds of automated auditing you implement.  There have been a number of improvements to the detail available in auditing things such as access success or failure.  Perhaps if you describe and document how you are able to watch the moves that every administrator makes, and are able to see if anyone is stepping out of line, you'll go a long way to easing your customer's concerns.

    Here are some resources for you, in case you haven't seen these:

    Windows Server 2008 Security Guide: http://www.microsoft.com/downloads/details.aspx?FamilyID=fb8b981f-227c-4af6-a44b-b115696a80ac&DisplayLang=en

    What's New In Security and Auditing in Windows Server 2008 R2: http://technet.microsoft.com/en-us/library/dd560628(WS.10).aspx

    Windows Server 2008 Security Baseline Solution Accelerator: http://technet.microsoft.com/en-us/library/cc514539.aspx



    Kevin Remde US IT Evangelism - Microsoft Corporation http://blogs.technet.com/kevinremde
    • Marked as answer by Kevin Remde Sunday, May 23, 2010 1:05 PM
    • Unmarked as answer by Mitch_Thebeau Friday, May 28, 2010 9:22 PM
    • Marked as answer by Kevin Remde Wednesday, June 2, 2010 12:06 PM
    Sunday, May 23, 2010 1:04 PM
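    The reply above recommends automated auditing of access success and failure as the way to "trust, but verify" an administrator. The following is an added example, not code from the thread or from the Microsoft guides it links: it puts an audit entry (SACL) on a sensitive folder, enables the File System audit subcategory so that the SACL actually produces events, and then reads back the resulting 4663 events and flags those made by members of Domain Admins. The folder path, domain name and group membership are assumptions for the example; it needs an elevated PowerShell on the file server with the ActiveDirectory module installed.

```powershell
# Added example (not from the thread). Audit every access to a sensitive folder,
# then report who touched it and whether that account is a Domain Admin.
# Assumptions: $Folder is the sensitive share; the ActiveDirectory module is present;
# the session is elevated (changing a SACL needs SeSecurityPrivilege).
Import-Module ActiveDirectory

$Folder = 'D:\Finance\Payroll'   # assumption: the sensitive share

# 1. SACL: log success and failure for Everyone on read, write and delete,
#    inherited to all subfolders and files.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 2. A SACL generates nothing until the audit subcategory is switched on.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 3. Review: event 4663 = "An attempt was made to access an object".
#    Flatten the group so nested members are caught too.
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
          Select-Object -ExpandProperty SamAccountName

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-1) } |
  ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
      Time        = $_.TimeCreated
      User        = $d['SubjectUserName']
      Object      = $d['ObjectName']
      AccessMask  = $d['AccessMask']
      Process     = $d['ProcessName']
      DomainAdmin = ($admins -contains $d['SubjectUserName'])
    }
  } |
  Where-Object { $_.Object -like "$Folder*" } |
  Sort-Object Time |
  Format-Table -AutoSize
```

    The point of step 2 is the usual gap in these deployments: an audit ACE on the folder is silent unless the "File System" subcategory (or the legacy Object Access category) is enabled on that server, so check `auditpol /get /subcategory:"File System"` before trusting an empty report. Step 3 only tells you that a Domain Admin read the files; it does not prevent it, and an administrator can also clear the Security log (event 1102) or edit the SACL, which is why the reply recommends a third party collecting and reviewing these events rather than the administrator being audited.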
  • Thanks Kevin,

    I will look at those references. 

    I do appreciate Mr C0der's effort and I don't want to seem unappreciative.  However, the question I asked was "Does it make sense to try to deny domain administrators access to a domain computer?". 

    The sort of response I would expect is: "No." 

    To which I might reply, "Could you reference some Microsoft documentation that explains this?"  

    And then I might receive another reply which includes links such as that which you have provided.  ... As it is, the way the conversation turned out, the response "No" was understood (and anticipated) by me and I have links to documentation provided by Mr Remde.

    I have some reading to do.

    Alternatively a reply such as "Yes, it does in fact make sense in certain circumstances to deny a domain administrator rights to domain machines.  Here's why you might want to do that.... <insert rest tech savvy response here>" would have been fine as well.

    There might be some confusion on my part as to the nature of the "Mark As Answer" functionality of these forums.  I was thinking that I would mark a person's response as an answer.  I cleared the green answer checks for now.

    Michel

    PS The "trust your administrator" discussion is off the table.  Please read everything above my name "Michel" with a kind tone, but below my name with a firm tone.


    Friday, May 28, 2010 9:55 PM
  • Hello Mitch,

    I think I would describe the Domain Admin as a sort of "Dungeon Master" who is privy to "insider" information. As C0der said, your Domain Admin needs to be a trustworthy person.

    You CAN deny the DA access to data through hosted apps, a separate server where he has limited access, etc., but there will always be one person who administers the server/database and has full access to that database/server, so there will always be one DA whom your client needs to trust, whether it be YOU or the DA or some unknown DA at a data center.

    If there are multiple Domain Admins, you can use Policies and MMCs to let other DAs manage servers without giving them full access.

    I think a combination of a trustworthy DA, signing an NDA combined with auditing and policy would be good.

    Miguel


    Miguel Fra / Falcon ITS
    Computer & Network Support , Miami, FL
    Visit our Knowledgebase Sharepoint Site

    Saturday, May 29, 2010 4:19 PM
  • Mitch,

    No matter how "off the table" you think the notion of trusting your administrator is, it is what it is.  As Falcon said, there is going to have to be some amount of trust involved.  This person (or persons) has at the very least access to the physical resources that are managing your information.  That fact alone means that, if they are sufficiently motivated, they can do whatever they want with your data. 

    Having a good administrator you can trust to a great extent is still going to be part of the solution.  Auditing is another.  And having another trusted (there's that word again) third party do a thorough security audit, make recommendations, and finally implement the on-going auditing of data access is how you can finally "trust, but verify" that your data is not being improperly accessed or misused.

    So the solution is going to have to involve at least two parts:

    1. Administrator(s) you can trust, and who understand that any improper access to confidential information will be grounds for immediate termination and possible criminal charges.
    2. Third-party security expertise who can survey, inventory, design, implement, and monitor in an on-going way the auditing required.

    And if money is no object, you can hire additional people to audit the auditors.  And so on.   And so on.



    Kevin Remde US IT Evangelism - Microsoft Corporation http://blogs.technet.com/kevinremde
    • Marked as answer by Kevin Remde Wednesday, June 2, 2010 12:06 PM
    Sunday, May 30, 2010 11:56 AM
  • Hi,

    I did not find a definition of "domain administrator" in the referenced documentation.  It seems clear to me that I'm not being clear, and the gist of my question has not been understood.

    So let's start (over) with, and end the conversation with, a definition:  "domain administrator" is a user account, not a person.  User accounts do not sign NDAs.  They do not lie or steal corporate information.  So when I say that the subject of "trust" is off the table, I mean to say that we will not be discussing it.  Not because of pride or fear or any other unreasonable response on my part, but because it was not the reason that I asked the question.

    Falcon said "I think I would describe the Domain Admin as a sort of "Dungeon Master" who is privy to "insider" information."  If the role of domain administrator account is to have access to all things in a domain then that is what it is because those who created it created it that way.

    This puts into words the definition of domain administrator that I've had in my head.  Then back to my original question, and I'll paraphrase for clarity: does it make sense to try to change this definition by denying access to the domain administrator account?  An official response is not given in this conversation, so I am content with my original understanding.

    Michel

     - This is my thread, darn it, and I will decide the subject of it.


    Monday, July 5, 2010 1:36 PM
  • What are you expecting as an answer, Michel?  Or an "official response"?

    We can go the full-trust route: The usual, de facto definition of a "domain administrator" in the Windows Active Directory-driven organization is a user account that is a member of the Domain Admins group in the domain.  And as I said earlier, reasonable trust + verification is what you have to work with here.

    We can go the limited/delegated-authority route: Your definition of a "domain administrator" has some rights granted to him/her through delegation.. but they don't have membership in the Domain Admins group.

    "Does it make sense to try to change this definition by denying access to the domain administrator account?"  In the end it's up to you to define.  And then allow or deny... Grant or do not grant... delegate or don't... it's all up to you.  Different companies will define it differently and do it different ways and with different and various directory and user-rights management technologies.  The commonality of it all is that we have people who are given some amount of authority (no matter what you call them). 

    Kevin

    -This is a public thread, darn it, but it's up to you to be more clear about what you are asking, and treat the answerers with a little more respect.  They're just trying to help.  It's never good form to blame people for not understanding what you're asking.


    Kevin Remde US IT Evangelism - Microsoft Corporation http://blogs.technet.com/kevinremde
    • Edited by Kevin Remde Tuesday, July 6, 2010 1:11 PM spelling
    Monday, July 5, 2010 3:37 PM
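    Both Miguel's remark about letting other DAs manage servers "without giving them full access" and Kevin's "limited/delegated-authority route" above describe the same technique: rights granted through delegation on part of the directory, not membership in Domain Admins. The following is an added example, not from the thread or from Microsoft documentation, of what that looks like in practice for the case the original poster's client cares about (password resets). It delegates only the "Reset Password" extended right, plus the two attributes needed to force a change at next logon and clear a lockout, on one OU to a dedicated group, and then checks that the group is not also nested inside a built-in privileged group, which would make the delegation meaningless. The OU, domain and group names are assumptions; it needs the RSAT ActiveDirectory module and rights to modify the OU's ACL.

```powershell
# Added example (not from the thread). Delegate password-reset authority on one OU
# instead of granting Domain Admins membership, then verify the group is not
# transitively a member of a privileged group.
# Assumptions: $Ou holds the user accounts; $Group exists; caller may edit the OU ACL.
Import-Module ActiveDirectory

$Ou    = 'OU=Staff,DC=corp,DC=example'   # assumption: where the user accounts live
$Group = 'CORP\HelpDesk-PwReset'          # assumption: delegated group (DOMAIN\sAMAccountName)

# 1. Grant on user objects beneath the OU only (/I:S = inherit to sub-objects,
#    not the OU itself): the extended right and the two attributes it needs.
dsacls $Ou /I:S /G "${Group}:CA;Reset Password;user"
dsacls $Ou /I:S /G "${Group}:RPWP;pwdLastSet;user"
dsacls $Ou /I:S /G "${Group}:RPWP;lockoutTime;user"

# 2. Delegation limits nothing if the group is also (even indirectly) a member of
#    a privileged group. LDAP_MATCHING_RULE_IN_CHAIN walks nested membership in
#    one query.
$sam    = $Group.Split('\')[-1]
$g      = Get-ADGroup -Identity $sam
$nested = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($g.DistinguishedName))" |
          Select-Object -ExpandProperty Name
foreach ($priv in 'Domain Admins', 'Administrators', 'Account Operators', 'Enterprise Admins') {
    if ($nested -contains $priv) {
        Write-Warning "$sam is nested in '$priv'; the OU delegation does not limit it"
    }
}

# 3. Read the result back: the only ACEs that name the group should be the three above.
dsacls $Ou | Select-String -Pattern $sam
```

    This is the delegated-authority route from Kevin's reply made concrete: the help-desk account can reset passwords for users under `OU=Staff` and nothing else, and a scan like step 2 is what an auditor runs to confirm the "limited" administrator really is limited. It does not answer the original question either way, since a real Domain Admin can still rewrite this ACL; it only removes the reason to hand out Domain Admins membership for routine tasks.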
  • Hello,

    Here's a pretty good definition of a domain admin. Personally I like "dungeon master", not in a BOFH kind of way but rather in a D&D kind of way.

    Also, as Kevin noted, definitions are subjective. There's no right and wrong. It's up to you to decide.

    Cheers


    Miguel Fra / Falcon ITS
    Computer & Network Support , Miami, FL
    Visit our Knowledgebase Sharepoint Site

    Tuesday, July 6, 2010 3:03 AM