Solved

(Possible) Rogue Domain Admin: How to control / monitor access?

Posted on 2007-03-25
6
345 Views
Last Modified: 2013-12-04
My company has a Windows 2000 domain with various member servers including a NAS running Appliance Server 2003.

By company policy there are two people that have Domain Administrator level access, myself and one other.  Based on some comments he's made recently I suspect that he's been digging into files on the NAS that shouldn't be seen by him.  I did explicitly deny him access on some shares, but as a domain admin he can simply reset the permissions.

My question is how to monitor his activities and how to prevent his access to sensitive files?


Thanks!
0
Comment
Question by:roberts0909
6 Comments
 
LVL 48

Assisted Solution

by:Jay_Jay70
Jay_Jay70 earned 50 total points
ID: 18789825
take away domain admin priviliges. No matter what you do, he can break it with enough persistance
0
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 50 total points
ID: 18789834
Agreed.

Remove Domain Admin rights and Delegate the rights he needs.  This will only allow him to do whatever it is you've allowed.
0
 
LVL 6

Assisted Solution

by:e_vanheel
e_vanheel earned 100 total points
ID: 18789929
You could also turn on logging in the file system or login for the NAS.  This would you to setup auditing and monitor the log files.  

http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/13w2kadc.mspx

Look at the audit sections
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 70

Expert Comment

by:KCTS
ID: 18789961
Make sure that the nooo genuine administrators use the 'Adiminstrator' logon. Create individual accounts for all administrators and grant them the required rights. Rename the real 'Administrator' account and give it a long complex password. Write down the new administrator account name/password and store them in the safe or similar secure placed for use in an emergency.

Switch on Auditing either by amending. To audiit permission chnages you need to enable auditing for successful object access events, either by amedind the local machine policy or by using  a group policy. Either way, set the Audit object access policy under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy to record Success.

To enable auditing of particular folders, open each folder's properties dialog box, select the Security tab, click Advanced, and select the Auditing tab of the Advanced Security Settings window. You want to monitor only for a successful change an object's ACL. Add or ammend the Everyone group and in the  Audit Entry for the folder make sure that the 'Change permissions'  option is selected of the folder. By aditing 'Everyone' you will be able to track whenever anyone changes the permissions - enen if they subsequently chnage them back.
0
 
LVL 70

Accepted Solution

by:
KCTS earned 300 total points
ID: 18789975
Don't know what happend there - i'll try again:
Make sure that no genuine administrators use the 'Adiminstrator' logon. Create individual accounts for all administrators and grant them the required rights. Rename the real 'Administrator' account and give it a long complex password. Write down the new administrator account name/password and store them in the safe or similar secure placed for use in an emergency.Do not use it routinely.

Switch on Auditing. To audiit permission changes you need to enable auditing for successful object access events, either by ameding the local machine policy or by using  a group policy. Either way, set the Audit object access policy under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy to record Success for Object Access.

To enable auditing of particular folders, open each folder's properties dialog box, select the Security tab, click Advanced, and select the Auditing tab of the Advanced Security Settings window. You want to monitor only for a successful change an object's ACL. Add or ammend the Everyone group and in the  Audit Entry for the folder make sure that the 'Change permissions'  option is selected of the folder. By aditing 'Everyone' you will be able to track whenever anyone changes the permissions - even if they subsequently chnage them back.
0
 

Author Comment

by:roberts0909
ID: 18792663
Thanks all!
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Applying GPO for specific requirement 5 52
Monitoring software... 2 52
AD Replications issues 12 84
Windows Server 2003 Policy Preventing Updates 6 15
No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
Concerto provides fully managed cloud services and the expertise to provide an easy and reliable route to the cloud. Our best-in-class solutions help you address the toughest IT challenges, find new efficiencies and deliver the best application expe…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now