Message-ID: <8a6b8e350712021134l72100737o143d1d7e5367f8e@mail.gmail.com>
Date: Sun, 2 Dec 2007 20:34:01 +0100
From: "James Matthews" <nytrokiss@...il.com>
To: Valdis.Kletnieks@...edu
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Re: need help in managing administrators
Why are you removing the admins? Based on what you wrote, the computer
network will probably turn into a massive mess with all these programs
installed and users as admins.
On Dec 2, 2007 8:22 PM, <Valdis.Kletnieks@...edu> wrote:
> On Sun, 02 Dec 2007 09:42:26 GMT, happy nino said:
> > Hi All, I've a problem in my organization that we have several domain admins,
> > we are in the process of removing most of them but I need to have a person
> > only authorized to install new software to users' computers but without having
> > access to other parts of the users' machines, is this possible?
>
> What exactly are you trying to accomplish, given that if they are allowed to
> install software, they are allowed to install software that will then at a
> later point in time give them access to other parts of the machine? There's no
> "don't allow the installation of trojaned software" flag. Also, if you're
> backing up the machines (you *do* back them up, right?), your admin can
> probably just restore the files from backup into some other directory...
>
> Have you looked at using something like EFS or BitLocker *and turn off key
> escrow* so the admin's keys don't work? Of course, this makes backups
> "interesting", and if you have an Internal Audit group, they may have a cow
> about non-escrowed keys if they have a clue.
>
> It would probably be easier to answer this one if you were able to say
> specifically what "other parts" you didn't want the admins to be getting at,
> and why you can't just use "if you abuse your privs, you're fired and we're
> calling the local DA" to keep them in line (this works for most places,
> if you pay your admins a fair wage, but of course some particularly high-value
> targets invite high-risk attacks).
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
http://search.goldwatches.com/?Search=Movado+Watches
http://www.jewelerslounge.com
http://www.goldwatches.com