Subject: Exactly how much control does a Windows Domain (Active Directory) Administrator have over an XP machine?
From: Lars Uffmann on 9 Jul 2010 08:21

Title says it all: Just by joining the machine to a domain, how much control do domain admins get over the system? e.g.:

- can they control update rollouts to the domain clients?
- can they remotely access administrative shares (\\machine\c$, \\machine\d$ etc)?
- can they manipulate the registry settings?
- can they use Remote Desktop services?

If the answer is "yes" to my first example, I guess that would mean full control over the computer...

Next question would be: Is it possible to lock out domain admins from your computer (completely) if you don't trust them? Given of course that you have local administrator rights and join the machine to the Active Directory yourself... And how would you do that if it is possible?

Happy for any help!

Lars
From: Bruce Chambers on 9 Jul 2010 09:34

Lars Uffmann wrote:
> Title says it all: Just by joining the machine to a domain, how much
> control do domain admins get over the system?

Total control.

> e.g.:
> - can they control update rollouts to the domain clients?
> - can they remote access administrative shares (\\machine\c$,
> \\machine\d$ etc)?
> - can they manipulate the registry settings?
> - can they use remote Desktop services?

Yes, to all.

> If the answer is "yes" to my first example, I guess that would mean full
> control over the computer...

Exactly. After all, the computer isn't your property, it's your employer's.

> Next question would be: Is it possible to lock out domain admins from
> your computer (completely) if you don't trust them?

No, and, in many companies, attempting to violate company policies in this manner is a shortcut to the unemployment line, since one would be tampering with, and potentially sabotaging, company property, as well as ignoring one's "terms of employment."

> Given of course that
> you have local administrator rights and join the machine to the active
> directory yourself...

Only domain administrators, or specially designated accounts, can join a computer to a domain.

> And how would you do that if it is possible?

Anything is possible, but, if you have to ask, you clearly lack the requisite skills.

--
Bruce Chambers

Help us help you:
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/default.aspx/kb/555375

They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. ~Benjamin Franklin

Many people would rather die than think; in fact, most do. ~Bertrand Russell

The philosopher has never killed any priests, whereas the priest has killed a great many philosophers. ~ Denis Diderot
From: Lars Uffmann on 12 Jul 2010 05:50

Bruce Chambers wrote:
> There are multiple methods, some built into the OS, some provided by
> 3rd party vendors. You'll have to ask *your* domain which specific
> mechanism(s) *he/she* uses.

I am pretty sure they will say "none". Or even claim that they don't have control over systems :) And even if they don't intend to access clients, we have spies (according to our IT security department the question is not IF but HOW MANY), and there is no reason to assume none of them would have access to domain admin accounts.

> Perhaps, but I've no way of confirming that, have I?

Doesn't really matter though, for this topic.

> You'd also have to ensure that no one has physical access to the
> machine, as well. Without physical security, there is no security. It'd

I know. But it's a different thing if someone has to break into my office, or can silently read out my computer's data over the network. And even with my office doors unlocked (when I'm getting a coffee or something), rebooting the computer and cracking passwords (or even opening the case and removing the hard drive) definitely takes longer and is more easily detected than logging on using a domain account and simply accessing my data. And...

> File Encryption would stop an amateur from accessing your files, but
> only delay a professional.

...that is where TrueCrypt or the like may come in useful. However I disagree with you a little on the delaying part: If the encryption is good (though I have no idea what kind of encryption quality can be achieved without a huge performance impact), it would delay a professional for a couple of years if not longer :)

>> That is not a really helpful answer.
>
> Nor was it intended to be. As a network administrator, myself, with
> a side specialty in computer/network security, I'm not going to
> knowingly assist an unknown individual compromise the security of some
> other administrator's network/domain.

I didn't ask for that kind of information, I asked for securing my system against unwanted access. I guess you are aware that - if the access is "authorized" and if the domain admins *tried* to access my system - if I blocked them out successfully, they would surely notice and get back to me about it... So I don't see an issue here.

However, I definitely disapprove of this "security by obscurity" approach... By not openly discussing the means of corrupting/securing any kind of system (and XP here), the people who benefit the most are criminals that have a motivation to corrupt other people's systems... If every computer in the whole wide world had a perfect firewall (no, I don't mean physically cutting the network cable), that would be a severe improvement of the current situation.

As for my situation here, I was looking for a mechanism that I can *name* to our IT department and tell them "See? With *that* mechanism, the Active Directory inclusion of all machines will give you FULL CONTROL over each system, if you so wish." Because I know if that can be proven, the topic will be discussed again - there are a lot of institute IT managers here that disapprove of such a thing.

Best Regards & thanks for the info anyways!

Lars
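The mechanism Lars asks to be able to name, and the four "yes" answers Bruce gives, can be checked rather than argued. The script below is an added example, not code from either poster: when a computer is joined to a domain, the domain's "Domain Admins" group is placed in the machine's local Administrators group, and every other capability in the thread (administrative shares, remote registry, Remote Desktop, WSUS-driven update rollouts set through Group Policy) follows from that local-admin membership. The script assumes it is run under a domain-admin account from a domain member that can resolve the client by name, that the client's Remote Registry service is running, and that PowerShell is available on the management host (the ADSI and .NET calls used here work against older clients, including XP, which do not ship PowerShell themselves). `$Computer` is an assumed parameter name; the registry paths and the `fDenyTSConnections` and `WUServer` values are the documented Windows locations.

```powershell
# Added example (not from the thread): audit what a domain-joined Windows
# client exposes to Domain Admins. Run under a domain-admin account from any
# domain member. $Computer (assumed parameter name) is the client to inspect.
param(
    [string]$Computer = $env:COMPUTERNAME
)

$results = [ordered]@{}

# 1. The mechanism itself: joining a domain adds "Domain Admins" to the local
#    Administrators group, so every Domain Admin is a local administrator.
$adminsGroup = [ADSI]"WinNT://$Computer/Administrators,group"
$members = @($adminsGroup.psbase.Invoke("Members") | ForEach-Object {
    $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
})
$results['LocalAdministrators']        = ($members -join ', ')
$results['DomainAdminsAreLocalAdmins'] = ($members -contains 'Domain Admins')

# 2. Administrative shares: C$ and ADMIN$ accept any local administrator.
$results['AdminShareReachable'] = Test-Path "\\$Computer\C$"

try {
    # 3. Remote registry: HKLM is readable and writable by local administrators
    #    through the Remote Registry service.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    $results['RemoteRegistryReadable'] = $true

    # 4. Remote Desktop: fDenyTSConnections = 0 means RDP is enabled. A domain
    #    admin can set this value remotely through the same key.
    $ts = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server')
    $results['RdpEnabled'] = ($ts -ne $null -and $ts.GetValue('fDenyTSConnections') -eq 0)

    # 5. Update rollouts: a WSUS Group Policy writes WUServer here; if it is
    #    present, the domain decides which updates the client sees and installs.
    $wu = $hklm.OpenSubKey('SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate')
    $results['UpdateServerSetByPolicy'] = ($wu -ne $null -and $wu.GetValue('WUServer') -ne $null)
    if ($wu -ne $null) { $results['WUServer'] = $wu.GetValue('WUServer') }
    $hklm.Close()
} catch {
    $results['RemoteRegistryReadable'] = $false
    $results['RemoteRegistryError']    = $_.Exception.Message
}

# RDP listener reachable: raw TCP connect so it works without Test-NetConnection.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($Computer, 3389)
    $results['RdpPortOpen'] = $client.Connected
} catch {
    $results['RdpPortOpen'] = $false
} finally {
    $client.Close()
}

[pscustomobject]$results | Format-List
```

Check 1 is the one to show the IT department: if it reports `DomainAdminsAreLocalAdmins: True`, checks 2 to 5 are not separate privileges but consequences. It also answers the "lock out" question the way Bruce does: a local administrator can remove "Domain Admins" from the local group, but a Restricted Groups policy re-adds it at the next Group Policy refresh, and the policy engine on the client runs as SYSTEM, so the settings behind checks 4 and 5 are applied whether or not a local user agrees.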