Prev: windows explorer crashes - can you help?
Next: Exactly how much control does a Windows Domain (Active Directory) Administrator have over an XP machine?
From: Lars Uffmann on 9 Jul 2010 08:21
Title says it all: Just by joining the machine to a domain, how much
control do domain admins get over the system?
- can they control update rollouts to the domain clients?
- can they remote access administrative shares (\\machine\c$,
- can they manipulate the registry settings?
- can they use remote Desktop services?
If the answer is "yes" to my first example, I guess that would mean full
control over the computer...
Next question would be: Is it possible to lock out domain admins from
your computer (completely) if you don't trust them? Given of course that
you have local administrator rights and join the machine to the active
And how would you do that if it is possible?
Happy for any help!
From: Bruce Chambers on 9 Jul 2010 09:34
Lars Uffmann wrote:
> Title says it all: Just by joining the machine to a domain, how much
> control do domain admins get over the system?
> - can they control update rollouts to the domain clients?
> - can they remote access administrative shares (\\machine\c$,
> \\machine\d$ etc)?
> - can they manipulate the registry settings?
> - can they use remote Desktop services?
Yes, to all.
> If the answer is "yes" to my first example, I guess that would mean full
> control over the computer...
Exactly. After all, the computer isn't your property, it's your
> Next question would be: Is it possible to lock out domain admins from
> your computer (completely) if you don't trust them?
No, and, in many companies, attempting violate company policies in this
manner is a shortcut to the unemployment line, since one would be
tampering with, and potentially sabotaging, company property, as well as
ignoring one's "terms of employment."
> Given of course that
> you have local administrator rights and join the machine to the active
> directory yourself...
Only domain administrators, or specially designated accounts, can join
a computer to a domain.
> And how would you do that if it is possible?
Anything is possible, but, if you have to ask, you clearly lack the
Help us help you:
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. ~Benjamin Franklin
Many people would rather die than think; in fact, most do. ~Bertrand Russell
The philosopher has never killed any priests, whereas the priest has
killed a great many philosophers.
~ Denis Diderot
From: Lars Uffmann on 12 Jul 2010 05:50
Bruce Chambers wrote:
> There are multiple methods, some built into the OS, some provided by
> 3rd party vendors. You'll have to ask *your* domain which specific
> mechanism(s) *he/she* uses.
I am pretty sure they will say "none". Or even claim that they don't
have control over systems :) And even if they don't intend to access
clients, we have spies (according to our IT security department the
question is not IF but HOW MANY), and there is no reason to assume none
of them would have access to domain admin accounts.
> Perhaps, but I've no way of confirming that, have I?
Doesn't really matter though, for this topic.
> You'd also have to ensure that no one has physical access to the
> machine, as well. Without physical security, there is no security. It'd
I know. But it's a different thing if someone has to break into my
office, or can silently read out my computers data over the network.
And even with my office doors unlocked (when I'm getting a coffee or
something), rebooting the computer and cracking passwords (or even
opening the case and removing the hard drive) takes definitely longer
and is more easily detected than logging on using a domain account and
simply accessing my data. And...
> File Encryption would stop an amateur from accessing your files, but
> only delay a professional.
....that is where TrueCrypt or the likes may come in useful. However I
disagree with you a little in the delaying part: If the encryption is
good (though I have no idea what kind of encryption quality can be
achieved without a huge performance impact), it would delay a
professional for a couple of years if not longer :)
>> That is not a really helpful answer.
> Nor was it intended to be. As a network administrator, myself, with
> a side specialty in computer/network security, I'm not going to
> knowingly assist an unknown individual compromise the security of some
> other administrator's network/domain.
I didn't ask for that kind of information, I asked for securing my
system against unwanted access. I guess you are aware that - if the
access is "authorized" and if the domain admins *tried* to access my
system - if I blocked them out successfully, they would surely notice
and get back to me about it... So I don't see an issue here.
However, I definitely disapprove of this "security by obscurity"
approach... By not openly discussing the means of corrupting/securing
any kind of System (and XP here), the people who benefit the most are
criminals that have a motivation to corrupt other people's systems...
If every computer in the whole wide world had a perfect firewall (no, I
don't mean physically cutting the network cable), that would be a severe
improvement of the current situation.
As for my situation here, I was looking for a mechanism that I can
*name* to our IT department and tell them "See? With *that* mechanism,
the active directory inclusion of all machines will give you FULL
CONTROL over each system, if you so wish." Because I know if that can be
proven, the topic will be discussed again - there are a lot of institute
IT managers here that disapprove of such a thing.
Best Regards & thanks for the info anyways!