Solved

(Possible) Rogue Domain Admin: How to control / monitor access?

Posted on 2007-03-25
Last Modified: 2013-12-04
My company has a Windows 2000 domain with various member servers including a NAS running Appliance Server 2003.

By company policy there are two people that have Domain Administrator level access, myself and one other.  Based on some comments he's made recently I suspect that he's been digging into files on the NAS that shouldn't be seen by him.  I did explicitly deny him access on some shares, but as a domain admin he can simply reset the permissions.

My question is how to monitor his activities and how to prevent his access to sensitive files?


Thanks!
0
Question by:roberts0909
6 Comments
 
LVL 48

Assisted Solution

by:Jay_Jay70
Jay_Jay70 earned 50 total points
ID: 18789825
Take away domain admin privileges. No matter what you do, he can break it with enough persistence.
0
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 50 total points
ID: 18789834
Agreed.

Remove Domain Admin rights and Delegate the rights he needs.  This will only allow him to do whatever it is you've allowed.
0
 
LVL 6

Assisted Solution

by:e_vanheel
e_vanheel earned 100 total points
ID: 18789929
You could also turn on logging in the file system or login for the NAS. This would allow you to set up auditing and monitor the log files.

http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/13w2kadc.mspx

Look at the audit sections
0
 
LVL 70

Expert Comment

by:KCTS
ID: 18789961
Make sure that no genuine administrators use the 'Administrator' logon. Create individual accounts for all administrators and grant them the required rights. Rename the real 'Administrator' account and give it a long complex password. Write down the new administrator account name/password and store them in the safe or similar secure place for use in an emergency.

Switch on Auditing either by amending. To audit permission changes you need to enable auditing for successful object access events, either by amending the local machine policy or by using a group policy. Either way, set the Audit object access policy under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy to record Success.

To enable auditing of particular folders, open each folder's properties dialog box, select the Security tab, click Advanced, and select the Auditing tab of the Advanced Security Settings window. You want to monitor only for a successful change to an object's ACL. Add or amend the Everyone group and in the Audit Entry for the folder make sure that the 'Change permissions' option is selected for the folder. By auditing 'Everyone' you will be able to track whenever anyone changes the permissions - even if they subsequently change them back.
0
 
LVL 70

Accepted Solution

by:
KCTS earned 300 total points
ID: 18789975
Don't know what happened there - I'll try again:
Make sure that no genuine administrators use the 'Administrator' logon. Create individual accounts for all administrators and grant them the required rights. Rename the real 'Administrator' account and give it a long complex password. Write down the new administrator account name/password and store them in the safe or similar secure place for use in an emergency. Do not use it routinely.

Switch on Auditing. To audit permission changes you need to enable auditing for successful object access events, either by amending the local machine policy or by using a group policy. Either way, set the Audit object access policy under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy to record Success for Object Access.

To enable auditing of particular folders, open each folder's properties dialog box, select the Security tab, click Advanced, and select the Auditing tab of the Advanced Security Settings window. You want to monitor only for a successful change to an object's ACL. Add or amend the Everyone group and in the Audit Entry for the folder make sure that the 'Change permissions' option is selected for the folder. By auditing 'Everyone' you will be able to track whenever anyone changes the permissions - even if they subsequently change them back.
0
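
The folder-level audit entry described in the accepted answer, scripted so it can be applied consistently to several folders. This is an added example, not part of the original thread. It assumes a host where PowerShell is available, the path `D:\Shares\Confidential` is a placeholder, and auditing of Take ownership goes beyond the 'Change permissions' entry the answer names.

```powershell
# Added example, not from the thread. Run elevated with the
# "Manage auditing and security log" right (SeSecurityPrivilege).
# The entry only produces Security log events once the "Audit object access"
# policy records Success, as described in the answer above.
param(
    [string]$Path = 'D:\Shares\Confidential'   # placeholder path (assumption)
)

# 'Change permissions' is the right named in the answer. TakeOwnership is an
# addition here: an administrator who is denied access can take ownership
# first and then rewrite the ACL, so that step is audited as well.
$rights = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'

# Everyone (well-known SID S-1-1-0), so the entry applies to any account.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

# Apply to this folder, its subfolders and files; record successful use only.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$success   = [System.Security.AccessControl.AuditFlags]::Success

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone, $rights, $inherit, $propagate, $success)

# -Audit is required, otherwise Get-Acl does not return the SACL.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Read the SACL back to confirm the entry is present.
$entries = (Get-Acl -Path $Path -Audit).GetAuditRules(
    $true, $true, [System.Security.Principal.NTAccount])
$entries | Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```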
 

Author Comment

by:roberts0909
ID: 18792663
Thanks all!
0
