From: Lars Uffmann on 9 Jul 2010 09:55

Bruce Chambers wrote:
> Lars Uffmann wrote:
>> Title says it all: Just by joining the machine to a domain, how much
>> control do domain admins get over the system?
> Total control.

Could you be a bit more specific? As to: what mechanism would give control over systems? Like: Is there an established service (like could you turn on remote desktop as a domain admin, and access the computer with that) or would you need to somehow get a Windows update that the client will deem "official", which gives you remote access?

> Exactly. After all, the computer isn't your property, it's your
> employer's.

That's true for the computer, not necessarily for the products of my work. Different legislation may apply where you live. There's also - depending on where you live - a right to privacy regarding certain aspects, including your email (just like private phone calls, to a degree, are allowed at work). But that is off the point :)

>> Next question would be: Is it possible to lock out domain admins from
>> your computer (completely) if you don't trust them?
>
> No, and, in many companies, attempting to violate company policies in
> this manner is a shortcut to the unemployment line, since one would be
> tampering with, and potentially sabotaging, company property, as well as
> ignoring one's "terms of employment."

Oh, you're getting me completely wrong: It is not about violating company policies, it is all about complying with the policies without giving the IT management full control over the individual's PC. Because that is not what they say they want (at least they do not admit it openly), so unless they change their current set of rules, they cannot enforce any rules that forbid you from securing your system against unauthorized access. Unless of course, the only way to secure the system is to NOT join the active directory.

> Only domain administrators, or specially designated accounts, can
> join a computer to a domain.

Yes, we have our own IT manager in the department, and we can join our systems ourselves. I've done it myself, after having the proper role for a while (testing stage).

>> And how would you do that if it is possible?
> Anything is possible, but, if you have to ask, you clearly lack the
> requisite skills.

That is not a really helpful answer. Obviously I was asking, because I didn't know yet - and this is a forum where I'd think some know-how on the subject would be available to learn more about.

Best Regards,
Lars
From: Bruce Chambers on 9 Jul 2010 20:26
Lars Uffmann wrote:
> Bruce Chambers wrote:
>> Lars Uffmann wrote:
>>> Title says it all: Just by joining the machine to a domain, how much
>>> control do domain admins get over the system?
>> Total control.
>
> Could you be a bit more specific?

Total, as in everything.

> As to: what mechanism would give
> control over systems? Like: Is there an established service (like could
> you turn on remote desktop as a domain admin, and access the computer
> with that) or would you need to somehow get a Windows update that the
> client will deem "official", which gives you remote access?

There are multiple methods, some built into the OS, some provided by 3rd party vendors. You'll have to ask *your* domain which specific mechanism(s) *he/she* uses. (Even if there were a simple, straight-forward answer, I certainly wouldn't divulge it.)

>> Exactly. After all, the computer isn't your property, it's your
>> employer's.
>
> That's true for the computer, not necessarily for the products of my
> work. Different legislation may apply where you live.

Perhaps, but I've no way of confirming that, have I?

> There's also -
> depending on where you live - a right to privacy regarding certain
> aspects, including your email (just like private phone calls, to a
> degree, are allowed at work).

Perhaps, but I've no way of confirming that, have I?

> But that is off the point :)

Too true!

>>> Next question would be: Is it possible to lock out domain admins from
>>> your computer (completely) if you don't trust them?
>>
>> No, and, in many companies, attempting to violate company policies in
>> this manner is a shortcut to the unemployment line, since one would be
>> tampering with, and potentially sabotaging, company property, as well
>> as ignoring one's "terms of employment."
>
> Oh, you're getting me completely wrong: It is not about violating
> company policies, it is all about complying with the policies without
> giving the IT management full control over the individual's PC. Because
> that is not what they say they want (at least they do not admit it
> openly), so unless they change their current set of rules, they cannot
> enforce any rules that forbid you from securing your system against
> unauthorized access. Unless of course, the only way to secure the system
> is to NOT join the active directory.

You'd also have to ensure that no one has physical access to the machine, as well. Without physical security, there is no security. It'd take less than 5 minutes for anyone with physical access to the computer, a small amount of knowledge, and any of the dozens of Linux-based password cracking tools that are freely available to anyone who can use Google. File Encryption would stop an amateur from accessing your files, but only delay a professional.

>> Only domain administrators, or specially designated accounts, can
>> join a computer to a domain.
>
> Yes, we have our own IT manager in the department, and we can join our
> systems ourselves. I've done it myself, after having the proper role for
> a while (testing stage).
>
>>> And how would you do that if it is possible?
>> Anything is possible, but, if you have to ask, you clearly lack
>> the requisite skills.
>
> That is not a really helpful answer.

Nor was it intended to be. As a network administrator, myself, with a side specialty in computer/network security, I'm not going to knowingly assist an unknown individual compromise the security of some other administrator's network/domain. Everything you say may be true, and you may have the best of intentions, as well as local laws on your side, but I have no way of knowing that. As a network security professional, my default position is "Trust no one." (And I've found that by employing this attitude towards everyone, I'm very rarely disappointed, and occasionally pleasantly surprised.)
--
Bruce Chambers

Help us help you:
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/default.aspx/kb/555375

They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. ~Benjamin Franklin

Many people would rather die than think; in fact, most do. ~Bertrand Russell

The philosopher has never killed any priests, whereas the priest has killed a great many philosophers. ~ Denis Diderot
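A read-only way to see what a domain join actually grants on the workstation the thread is about, as an added example that is not part of either post: it lists who holds local Administrators membership (after a join, the domain's Domain Admins group is placed there by default, which is the "total control" mechanism), whether Remote Desktop connections are allowed, and the state of the remote-administration services. It assumes Windows PowerShell 2.0 on XP and a local administrator session; the function name Get-DomainJoinAudit is mine, and nothing is modified.

```powershell
# Added example, not from the thread: audit what domain membership grants
# on this box. Read-only; assumes PowerShell 2.0 on XP, run as local admin.

function Get-DomainJoinAudit {
    $cs = Get-WmiObject -Class Win32_ComputerSystem

    # Local Administrators membership via the ADSI WinNT provider (works on
    # PS 2.0, which lacks Get-LocalGroupMember). Domain principals show up
    # as "DOMAIN/Name", local ones as "COMPUTERNAME/Name".
    $group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        ($_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)) `
            -replace '^WinNT://', ''
    })

    # Remote Desktop: fDenyTSConnections 1 = denied, 0 = connections allowed.
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
            -Name fDenyTSConnections -ErrorAction SilentlyContinue

    # Services a domain admin would typically use to reach the machine;
    # WMI is used because Get-Service on PS 2.0 has no StartType column.
    $svc = Get-WmiObject -Class Win32_Service `
            -Filter "Name='RemoteRegistry' OR Name='TermService'" |
           Select-Object Name, State, StartMode

    New-Object PSObject -Property @{
        ComputerName   = $cs.Name
        PartOfDomain   = $cs.PartOfDomain
        Domain         = $cs.Domain
        LocalAdmins    = $members
        RdpDenied      = $(if ($ts) { [bool]$ts.fDenyTSConnections } else { $null })
        RemoteServices = $svc
    }
}

$audit = Get-DomainJoinAudit
$audit | Format-List ComputerName, PartOfDomain, Domain, RdpDenied
$audit.RemoteServices | Format-Table -AutoSize

# The point the thread circles around: any non-local entry here is a domain
# principal that is, in effect, a full administrator of this machine.
$domainAdmins = $audit.LocalAdmins | Where-Object { $_ -notlike "$env:COMPUTERNAME/*" }
"Domain principals with local Administrators rights:"
if ($domainAdmins) { $domainAdmins } else { "(none)" }
```

Group Policy is the other built-in channel; `gpresult /scope computer /v` on XP shows which computer policies the domain is already applying.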