Fog Creek Software
Discussion Board

Securing W2000 on a domain "Against" admin?

Hi all!!

As the local "he knows a bit more than we do, so he must be an expert" guru on CompSec, I've been asked the following:

Is it possible to secure a computer so that the information that's handled / stored in it is *_secure_*, when the computer is on a W2000 Domain?

The computer user is _not_ the domain Admin, nor does he have Admin privileges... And the idea would be to log on as a Domain user...

My gut feeling is "can't be done", but I'd like to be proven otherwise, or to be given a reason that'd finish the argument (someone said it could be done, as the Domain Admin user group could be taken out of the local Administrator group, but it kind of sounds wrong)...

Yes, I know it sounds weird, but any pointers to good overviews on "how to secure workstations on a Windows domain where you might not fully trust the admin..." would be _very_ welcome.

Thanks a lot

Javier Jarava
Friday, March 12, 2004

Perhaps disable the "Net Logon" service and/or the "Server" service: I think that would prevent anyone from logging in to the computer from the network (they could only login from the physical keyboard).

Christopher Wells
Friday, March 12, 2004

Take the domain administrators out of the local admin group.

Then to be really sure set NTFS file permissions on all drives so that only the local admin and your friend's user account and system can access the files.

And then change the lock to your office, since anybody can log onto an NT machine and then take ownership of all files, using varying floppy utilities available on the web, including a Linux program. Password-securing the BIOS and changing the boot order might do as a temporary expedient until materials provide the new lock.

First though, I would advise your friend to get cosy with an employment lawyer unless he's high up in the food chain.

Stephen Jones
Friday, March 12, 2004
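The three local hardening steps above (Domain Admins out of local Administrators, tight NTFS ACLs, no inbound network logon) can at least be audited from the workstation itself. This is an added defender-side check, not code from anyone in the thread; it assumes PowerShell 5.1 or later on a domain-joined machine (Windows 2000 itself has no PowerShell), and the folder path and domain name are hypothetical placeholders.

```powershell
# Added audit example (not from the thread). Assumes PowerShell 5.1+ on a
# domain-joined workstation; the folder path and domain name are placeholders.
param(
    [string]$ProtectedPath = 'C:\Users\boss\Documents',   # hypothetical path
    [string]$DomainName    = 'CORP'                       # hypothetical NetBIOS domain
)

$findings = @()

# 1. Is the domain's admin group still nested in the local Administrators group?
#    Domain join adds it by default, and a Restricted Groups policy pushed by
#    the domain owner can silently put it back, so re-run this after every
#    policy refresh rather than checking once.
$admins = Get-LocalGroupMember -Group 'Administrators'
$domainAdmins = $admins | Where-Object { $_.Name -eq "$DomainName\Domain Admins" }
if ($domainAdmins) { $findings += 'Domain Admins is a member of local Administrators' }

# 2. Which identities the NTFS ACL on the protected folder grants access to.
#    The recipe above expects only local Administrators, SYSTEM and the owner.
$allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', "$env:USERDOMAIN\$env:USERNAME")
$acl = Get-Acl -Path $ProtectedPath
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -eq 'Allow' -and $allowed -notcontains $ace.IdentityReference.Value) {
        $findings += "Unexpected ACE on $($ProtectedPath): $($ace.IdentityReference) -> $($ace.FileSystemRights)"
    }
}

# 3. Inbound access paths mentioned in the thread: Net Logon and the Server
#    service (which publishes the administrative shares such as \\host\c$).
foreach ($svc in Get-Service -Name 'Netlogon', 'LanmanServer') {
    if ($svc.Status -eq 'Running') {
        $findings += "$($svc.DisplayName) is running; remote logon / admin-share access is possible"
    }
}

if ($findings.Count -eq 0) {
    'No findings: local hardening is in place (the domain owner can still undo it via policy).'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

A clean result only means the local settings have not yet been reverted; as the Microsoft text quoted later in the thread explains, the domain owner can reapply group membership at the next policy refresh, so this is a detection aid, not a guarantee.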

AFAIK there is no strategy that can save you from a rogue admin.
The system can make it harder for the rogue admin to cover his tracks, but not protect you from it.

see also:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/addeladm.mspx#XSLTsection124121120120

<quote>
Domain owners always maintain the right to access data stored in a domain or hosted on computers joined to a domain. The service administrators of a domain cannot be prevented from viewing or manipulating the data stored in a domain or on computers joined to a domain. This is a consequence of the following characteristics of Active Directory:

• The Builtin\Administrators group on a domain controller can take ownership of any object in the domain and then read, modify or delete it, regardless of the previous ACL on the object. This feature gives service administrators a way to correct errors in ACLs on objects. Therefore, organizations that store data in OUs of a domain must trust the domain owner.

• A service administrator can maliciously modify the system software on a domain controller to bypass normal security checks. A service administrator can use this procedure to view or manipulate any object in the domain, regardless of the ACL on the object. Consequently, organizations that store data in OUs of a domain must trust the domain owner.

• A service administrator can use the Restricted Groups security policy to grant any user or group administrative access to any computer joined to the domain. This feature ensures that an administrator can always gain control over a computer joined to the domain, regardless of the intentions of the computer owner. Therefore, organizations that join computers to a domain must trust the domain owner.

• If a user or group in a domain is granted access to data stored on a computer joined to the forest, the domain owner of the user's or group's domain might reset the user's password or manipulate the group's membership and by so doing gain access to the data. Consequently, organizations that join computers to a forest must trust every domain owner in the forest.
</quote>

Just me (Sir to you)
Friday, March 12, 2004

Thanks for the advice...

The person in question (not my friend, but a client) _IS_ high on the food chain, as a matter of fact, the "alternative" is having the IS dept. "build" a network only for himself and his secretary, and get them a dedicated GW to the 'net, etc...

What I was wondering is, you do that (user accounts, groups, NTFS permissions), and then the admin creates a script that copies all the files in My Documents, or that creates a new admin account, or whatever, and then uses Group Policy to have the script run on the next logon (for example?)

It's just an idea...

Javier Jarava
Friday, March 12, 2004

Sorry Javier,

perhaps I am missing something but I fail to see how anything you propose makes a difference. The enterprise admin has all the powers to control every last bit of the authentication and authorization system. So either you cut the ties (not join the domain), or trust the admin.

Just me (Sir to you)
Friday, March 12, 2004

>perhaps I am missing something but
>I fail to see how anything you
>propose makes a difference

That was precisely my point. My "gut feeling" was that it wasn't possible, but I wanted confirmation (I have been known to be mistaken sometimes ;)

My last post was written _before_ your highly informative reply (thanks!!); when I hit "submit" I saw my questions were already answered... It was just that I lost on the "race condition"

Again, thanks very much for the incredible responses!

Javier Jarava
Friday, March 12, 2004

Couldn't "your friend" just fire the PITA admin?


Friday, March 12, 2004

If this is a data integrity issue, take a look at PGP-disk or similar disk encryption utilities. Of course this doesn't preclude the administrator from installing a keylogger and getting into it that way, but an action like that is much more explicit (and criminal) than casually browsing to \\system\c$\documents and settings.

Dennis Forbes
Friday, March 12, 2004

A linux box, so you can still use samba to play with the standard file shares but it is an island as far as the local disks are concerned?

i like i
Friday, March 12, 2004

How does the domain admin get access to the machine in the first place if he doesn't have the NTFS permissions to read the Hard Disk?

Frankly it would be easier to use PGP and/or use a removable hard disk which he puts in his briefcase every night.

Stephen Jones
Friday, March 12, 2004

No name:
In all likelihood what's going on here isn't a 'I don't want the Admin to see my stuff', but rather 'It's secret and the Admin isn't on the need-to-know list, therefore we have to set up security so he can't see it'. Good security practice is to make sure that NO ONE who doesn't need to use the information can possibly get at it. In most organizations you balance this against the extreme utility of having IT personnel able to fix anything without delay or difficulty, and you decide that having an administrator with total power is worth the risks.

This situation would appear to be a bit different. In this case, a domain is perhaps not the right security model (at least for the client).

Sounds like the client needs to give up being on the domain.

Michael Kohne
Friday, March 12, 2004

I am not too knowledgeable about this but you could probably make life difficult and do EFS on a local volume without any data recovery agents and keeping the user keys on a smartcard.
Even so it is just obstruction. You can't keep out a determined enterprise admin.

Just me (Sir to you)
Friday, March 12, 2004

Yea, looking again I see the point. When the other guy logs in the admin can run a script making the user an admin and using the user's new permissions to take over control and put the admin back in the local administrators group and also change the file permissions.

Beginning to look like an arms war.

Why doesn't he and the secretary access the internet through a modem? Configure the machine connected to the domain with a second network card that joins to the boss's machine that is connected to the internet, so he's got a private connection and the public one.

Stephen Jones
Friday, March 12, 2004

Perhaps disabling the "Net Logon" and/or the "Server" service would do: my machine is like this, so I can connect to other machines but they cannot connect to mine.

It would mean that his secretary couldn't connect to his machine (except by logging into it locally); they could exchange their selected files via email or something.

Christopher Wells
Friday, March 12, 2004

All this so he can surf porn without being blackmailed??

tone-lowerer
Friday, March 12, 2004

If you log on as a local user you can still access domain resources. You merely need to provide a domain password.

Now setting up Outlook could be tricky, but I am sure it could be done.

Stephen Jones
Friday, March 12, 2004

Well...you could run a VMWare/Virtual PC 2004 instance of win2k (not on domain set passwords accordingly) on your desktop (which is on the domain) - store/copy all the data on the VM....for added security at the end of the day, take the firewire/usb hard drive with the virtual machine home with you.  No, not ideal...but it accomplishes the goal partially methinks.

GiorgioG
Friday, March 12, 2004

But then the admin could simply copy the VMWare HD file and get all the files that way.

Just me (Sir to you)
Monday, March 15, 2004
