Solved

(Possible) Rogue Domain Admin: How to control / monitor access?

Posted on 2007-03-25
6
348 Views
Last Modified: 2013-12-04
My company has a Windows 2000 domain with various member servers including a NAS running Appliance Server 2003.

By company policy there are two people that have Domain Administrator level access, myself and one other.  Based on some comments he's made recently I suspect that he's been digging into files on the NAS that shouldn't be seen by him.  I did explicitly deny him access on some shares, but as a domain admin he can simply reset the permissions.

My question is how to monitor his activities and how to prevent his access to sensitive files?


Thanks!
0
Comment
Question by:roberts0909
6 Comments
 
LVL 48

Assisted Solution

by:Jay_Jay70
Jay_Jay70 earned 50 total points
ID: 18789825
take away domain admin priviliges. No matter what you do, he can break it with enough persistance
0
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 50 total points
ID: 18789834
Agreed.

Remove Domain Admin rights and Delegate the rights he needs.  This will only allow him to do whatever it is you've allowed.
0
 
LVL 6

Assisted Solution

by:e_vanheel
e_vanheel earned 100 total points
ID: 18789929
You could also turn on logging in the file system or login for the NAS.  This would you to setup auditing and monitor the log files.  

http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/13w2kadc.mspx

Look at the audit sections
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 70

Expert Comment

by:KCTS
ID: 18789961
Make sure that the nooo genuine administrators use the 'Adiminstrator' logon. Create individual accounts for all administrators and grant them the required rights. Rename the real 'Administrator' account and give it a long complex password. Write down the new administrator account name/password and store them in the safe or similar secure placed for use in an emergency.

Switch on Auditing either by amending. To audiit permission chnages you need to enable auditing for successful object access events, either by amedind the local machine policy or by using  a group policy. Either way, set the Audit object access policy under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy to record Success.

To enable auditing of particular folders, open each folder's properties dialog box, select the Security tab, click Advanced, and select the Auditing tab of the Advanced Security Settings window. You want to monitor only for a successful change an object's ACL. Add or ammend the Everyone group and in the  Audit Entry for the folder make sure that the 'Change permissions'  option is selected of the folder. By aditing 'Everyone' you will be able to track whenever anyone changes the permissions - enen if they subsequently chnage them back.
0
 
LVL 70

Accepted Solution

by:
KCTS earned 300 total points
ID: 18789975
Don't know what happend there - i'll try again:
Make sure that no genuine administrators use the 'Adiminstrator' logon. Create individual accounts for all administrators and grant them the required rights. Rename the real 'Administrator' account and give it a long complex password. Write down the new administrator account name/password and store them in the safe or similar secure placed for use in an emergency.Do not use it routinely.

Switch on Auditing. To audiit permission changes you need to enable auditing for successful object access events, either by ameding the local machine policy or by using  a group policy. Either way, set the Audit object access policy under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy to record Success for Object Access.

To enable auditing of particular folders, open each folder's properties dialog box, select the Security tab, click Advanced, and select the Auditing tab of the Advanced Security Settings window. You want to monitor only for a successful change an object's ACL. Add or ammend the Everyone group and in the  Audit Entry for the folder make sure that the 'Change permissions'  option is selected of the folder. By aditing 'Everyone' you will be able to track whenever anyone changes the permissions - even if they subsequently chnage them back.
0
 

Author Comment

by:roberts0909
ID: 18792663
Thanks all!
0

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
Learn about cloud computing and its benefits for small business owners.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question