Date: Sun, 02 Dec 2007 14:22:54 -0500
From: Valdis.Kletnieks@...edu
To: happy nino <nadtec@...mail.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: need help in managing administrators

On Sun, 02 Dec 2007 09:42:26 GMT, happy nino said:
> Hi All, I've a problem in my organization that we have several domain admins,
> we are in the process of removing most of them but I need to have a person
> only authorized to install new software to users' computers but without having
> access to other parts of the users' machines, is this possible?

What exactly are you trying to accomplish, given that if they are allowed to
install software, they are allowed to install software that will then at a
later point in time give them access to other parts of the machine?  There's no
"don't allow the installation of trojaned software" flag.  Also, if you're
backing up the machines (you *do* back them up, right?), your admin can
probably just restore the files from backup into some other directory...

Have you looked at using something like EFS or BitLocker *and turning off key
escrow* so the admin's keys don't work?  Of course, this makes backups
"interesting", and if you have an Internal Audit group, they may have a cow
about non-escrowed keys if they have a clue.

It would probably be easier to answer this one if you were able to say
specifically what "other parts" you didn't want the admins to be getting at,
and why you can't just use "if you abuse your privs, you're fired and we're
calling the local DA" to keep them in line (this works for most places,
if you pay your admins a fair wage, but of course some particularly high-value
targets invite high-risk attacks).
