Myths #3: Give without giving

no giftOne more mystery for me: how give everything without giving everything. This is exactly the question I see very often in various forums and other places. This is the question I hear personally from time to time. It can be in asked in several forms, the most frequent forms are:

1) How can I give a user local admin rights and be sure that they cannot do <put your own stuff here>?

2) How can I restrict my domain admin from accessing the <your very valuable information>?

Naturally, at this point I start boiling and all that stuff, but let’s look at it again.

Well, granting the user administrative rights in a system is going to give them administrative rights: that’s the point. And any administrative access means that the user can do everything. What it cannot do right now, they can grant themselves rights to do. Period.

In first case you can only audit the user’s actions, that’s all, you can do. Moreover, the audit collection and processing must be done on a remote system, which is not accessible (let alone administered) by the user in question. Any other variant, like granting local admin rights, but denying access to some aspects of the system… It just won’t work.

The second case is a bit more complicated, because system we are discussing are usually more distributed. However, even in such occurrence, you can do not much more then in previous one. Again: strict audit with no chances for the admin to tamper with it. The only exclusion for that rule is if you build the system, which, say, encrypts the data and which is not governed by the domain admin. But this is tricky, especially, considering the fact, that the admin can get the data from the computer of the user which decipher the data to work with it (pass-the-hash, or any other attack is possible if he has administrative access to any part of the “secure system”).

Therefore, really, only audit for critical data, including audit of access to backup and restore system.

Any other ideas?

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s