From: Lars Uffmann on
Bruce Chambers wrote:
> Lars Uffmann wrote:
>> Title says it all: Just by joining the machine to a domain, how much
>> control do domain admins get over the system?
> Total control.

Could you be a bit more specific? As to: what mechanism would give
control over systems? Like: Is there an established service (like could
you turn on remote desktop as a domain admin, and access the computer
with that) or would you need to somehow get a Windows update that the
client will deem "official", which gives you remote access?

> Exactly. After all, the computer isn't your property, it's your
> employer's.

That's true for the computer, not necessarily for the products of my
work. Different legislation may apply where you live. There's also -
depending on where you live - a right to privacy regarding certain
aspects, including your email (just like private phone calls, to a
degree, are allowed at work).

But that is off the point :)

>> Next question would be: Is it possible to lock out domain admins from
>> your computer (completely) if you don't trust them?
>
> No, and, in many companies, attempting to violate company policies in
> this manner is a shortcut to the unemployment line, since one would be
> tampering with, and potentially sabotaging, company property, as well as
> ignoring one's "terms of employment."

Oh, you're getting me completely wrong: It is not about violating
company policies, it is all about complying with the policies without
giving the IT management full control over the individual's PC. Because
that is not what they say they want (at least they do not admit it
openly), so unless they change their current set of rules, they cannot
enforce any rules that forbid you from securing your system against
unauthorized access. Unless of course, the only way to secure the system
is to NOT join the Active Directory.

> Only domain administrators, or specially designated accounts, can
> join a computer to a domain.

Yes, we have our own IT manager in the department, and we can join our
systems ourselves. I've done it myself, after having the proper role for
a while (testing stage).

>> And how would you do that if it is possible?
> Anything is possible, but, if you have to ask, you clearly lack the
> requisite skills.

That is not a really helpful answer. Obviously I was asking, because I
didn't know yet - and this is a forum where I'd think some know-how on
the subject would be available to learn more about.

Best Regards,

Lars
From: Bruce Chambers on
Lars Uffmann wrote:
> Bruce Chambers wrote:
> > Lars Uffmann wrote:
> >> Title says it all: Just by joining the machine to a domain, how much
> >> control do domain admins get over the system?
> > Total control.
>
> Could you be a bit more specific?

Total, as in everything.

> As to: what mechanism would give
> control over systems? Like: Is there an established service (like could
> you turn on remote desktop as a domain admin, and access the computer
> with that) or would you need to somehow get a Windows update that the
> client will deem "official", which gives you remote access?
>

There are multiple methods, some built into the OS, some provided by
3rd party vendors. You'll have to ask *your* domain administrator which
specific mechanism(s) *he/she* uses. (Even if there were a simple,
straightforward answer, I certainly wouldn't divulge it.)


>> Exactly. After all, the computer isn't your property, it's your
>> employer's.
>
> That's true for the computer, not necessarily for the products of my
> work. Different legislation may apply where you live.

Perhaps, but I've no way of confirming that, have I?

> There's also -
> depending on where you live - a right to privacy regarding certain
> aspects, including your email (just like private phone calls, to a
> degree, are allowed at work).
>

Perhaps, but I've no way of confirming that, have I?

> But that is off the point :)
>

Too true!

>>> Next question would be: Is it possible to lock out domain admins from
>>> your computer (completely) if you don't trust them?
>>
>> No, and, in many companies, attempting to violate company policies in
>> this manner is a shortcut to the unemployment line, since one would be
>> tampering with, and potentially sabotaging, company property, as well
>> as ignoring one's "terms of employment."
>
> Oh, you're getting me completely wrong: It is not about violating
> company policies, it is all about complying with the policies without
> giving the IT management full control over the individual's PC. Because
> that is not what they say they want (at least they do not admit it
> openly), so unless they change their current set of rules, they cannot
> enforce any rules that forbid you from securing your system against
> unauthorized access. Unless of course, the only way to secure the system
> is to NOT join the Active Directory.
>

You'd also have to ensure that no one has physical access to the
machine, as well. Without physical security, there is no security.
It'd take less than 5 minutes for anyone with physical access to the
computer, a small amount of knowledge, and any of the dozens of
Linux-based password cracking tools that are freely available to anyone
who can use Google.

File encryption would stop an amateur from accessing your files,
but only delay a professional.

>> Only domain administrators, or specially designated accounts, can
>> join a computer to a domain.
>
> Yes, we have our own IT manager in the department, and we can join our
> systems ourselves. I've done it myself, after having the proper role for
> a while (testing stage).
>
>>> And how would you do that if it is possible?
>> Anything is possible, but, if you have to ask, you clearly lack
>> the requisite skills.
>
> That is not a really helpful answer.

Nor was it intended to be. As a network administrator myself, with a
side specialty in computer/network security, I'm not going to knowingly
assist an unknown individual in compromising the security of some other
administrator's network/domain. Everything you say may be true, and you
may have the best of intentions, as well as local laws on your side, but
I have no way of knowing that. As a network security professional, my
default position is "Trust no one." (And I've found that by employing
this attitude towards everyone, I'm very rarely disappointed, and
occasionally pleasantly surprised.)

--

Bruce Chambers

Help us help you:
http://www.catb.org/~esr/faqs/smart-questions.html

http://support.microsoft.com/default.aspx/kb/555375

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. ~Benjamin Franklin

Many people would rather die than think; in fact, most do. ~Bertrand Russell

The philosopher has never killed any priests, whereas the priest has
killed a great many philosophers.
~ Denis Diderot