How to tackle the security risk an IT administrator generates

Tags:
Administrative privileges
Administrator
IT administration
Security
Security audits
Hello, I'm an auditor for global company risks. One of the things that we look for is separation of functions. Shortly said, you don't want the same person creating your bills and being able to pay them (because he presents a serious security risk for committing fraud).
Now what to do with a Domain Administrator (IT department)? He has access to all systems because of his job. Is there some way to eliminate that risk?


Software/Hardware used:
windows server

Answer Wiki


In order for someone to be able to resolve issues that will inevitably show up they will sometimes need to have top level access to the system that is having the problem.

Therefore you will always need to have someone with full access and with that will come some risks.

Discuss This Question: 12  Replies

 
  • Koohiisan
    One option may be to have proper logging and auditing enabled on whatever systems the admin may need to touch. It would need to be set in such a way so that the admin could not disable or alter the logs.
  • Gabe9527
    Regionalise the administration - this would reduce the reach of one administrator and also aid to control. Auditing is key - no generic IDs and passwords. Additional accounts for administration, i.e. the administrator logs in each day with a user account and would have to sign in with his admin account to do that sort of work. This access could then be logged.
  • NickHutcheson1
    Dude, the Domain Administrator or I.T. Director/Systems Administrator not only SHOULD have full access but they need a backup person with the same authority in case of the human clause - vacation, sickness, unavailable. These people were hired by the company to perform these tasks. Yes, auditing on the machines and software should be turned on but the company has to have some level of trust with their employees. And anyone auditing I.T. should understand that. It could be disastrous for the company - true, but there are laws to prosecute wrongdoings like that. I will never intentionally mess up a system or data because I know how difficult it can be to correct it. I will kick my soapbox back into the corner.
  • Koohiisan
    Sadly, some admins have taken advantage of their authority to snoop on confidential data. I personally worked with an admin who routinely looked up the personnel files of young, female new hires in order to find out how old (and potentially datable) they were. He also secretly read their email on occasion. There is so much wrong with that! But, since we did not have auditing turned on (because I couldn't convince management to let us), there were not many ways for me to try and prove the things that were going on. Moral of the story: set up the proper auditing! Don't leave it to the admin to 'police himself'. And, for compliance in some situations, the admin is not supposed to have "full access" to certain data. Be familiar with your industry's regulations or you may end up with some serious fines!
  • TomLiotta
    "...he has access to all systems because of his job. Is there some way to eliminate that risk?"

    Well, the obvious way is not to give "access to all systems". Part of that depends on what is meant by "access" and "all systems". I have "access" to a number of systems that I can't do any significant actions on. Access can be pretty limited. If "all systems" means "all functions within a system", then that's far more than any system administrator needs. Why would a system admin need access to any business applications, for example?

    Regardless, auditing is the first half. Then comes monitoring. It's not useful to generate gigabytes of audit data if there is no monitoring of the content. But are we talking small business? Medium? Large? The size of the organization can strongly influence the amount and types of audit data, the availability of tools to help create and monitor it and the manpower to get any of it done.

    As for "eliminate", I'm pretty sure that's a step beyond our feasible technology. Minimize the risk down to an acceptable level. Each organization determines what's "acceptable". These things are always tradeoffs between cost and risk. Part of the cost is in how productivity is affected. In security, for example, you secure up to the level of protection deemed necessary while continuing to allow access to do some work. Lots of systems could be much more "secured" by removing network adapters and doing more work through direct-attach terminals, but that entails unacceptable costs nowadays. Not that terminals are expensive, but that so much productivity is lost. Auditing and monitoring is similar. Key-loggers might be used to capture every key-stroke to permanent storage. But who's going to interpret their meanings after some time passes?

    I don't think "eliminate" is valid at the moment. So, the only feasible answer seems to be to have a layered approach. Each layer adds protection, but each layer increases cost. The organization picks the number of layers that it can survive under.

    Tom
  • Shaddylink
    Turn on your PC firewall if you have rights to do that. Another option is to uncheck file and print sharing in local area connection; by doing this no one will be able to access your PC.
  • Pjb0222
    First, you are treating the Windows AD domain admin job and responsibilities as an unacceptable risk wanting to separate the job into sub jobs. You do not understand that the domain admin _BY DESIGN_ has access to ALL Windows systems joined to the domain. If he did not have that level of access, he could not resolve the issues he needs to address. This is baked into the OS and AD domain design. You need to accept how Windows OS and the AD domain are designed then create your risk assessment and audit from this starting point. The domain admin is in this place because of skill and trust. He is the person all lower level support rolls up to for issues within the domain. If you cannot trust this person they should not be in the position. All that said, turn on logging and monitor. Have alerts automatically sent for behaviors that you deem important to monitor. There are many monitoring products available to provide enhanced monitoring and document actions within the domain (a large organization should have some such product). This is your check on their behavior. One thing I think confuses people is the context of administrator, especially in MS Windows, varies so greatly with context. Domain Administrator vs the person who administrates specific delegated functions within the domain. This is where your risk assessment and audit may be breaking down. Take a look at how you are defining things vs how the term administrator is so loosely applied. One final point, there should only be a few Domain Admins (minimum of two). In a large organization this can be an absolute large number (i.e. 10 plus) but a very small relative number (10 supporting 100,000). Remember these people should be skilled, trusted individuals.
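Editor's added example, not written by any participant in this thread: a minimal sketch of the "audit, then monitor and alert" step several replies recommend, reducing a stream of Windows Security events to the few an independent reviewer must see. The event IDs are standard Windows Security log IDs; the record layout, account names and sample events are constructed, and it assumes the events were already forwarded to a collector the domain admins cannot modify.

```python
# Added example: event IDs are standard Windows Security log IDs; the record
# layout (id/time/actor/group/member) is a simplified, hypothetical schema.
TAMPER_IDS = {1102: "audit log cleared", 4719: "system audit policy changed"}
GROUP_ADD_IDS = {4728, 4732, 4756}  # member added to a security-enabled group
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def review(events, privileged=PRIVILEGED_GROUPS):
    """Reduce a raw event stream to the records a reviewer must look at."""
    alerts = []
    for ev in events:
        eid = ev["id"]
        if eid in TAMPER_IDS:
            # Any change to the audit trail itself is always reported.
            alerts.append({"time": ev["time"], "actor": ev["actor"],
                           "severity": "high", "reason": TAMPER_IDS[eid]})
        elif eid in GROUP_ADD_IDS and ev.get("group") in privileged:
            # Privileged-group growth; an account adding itself ranks higher.
            self_grant = ev["actor"].lower() == ev.get("member", "").lower()
            reason = f"{ev['member']} added to {ev['group']}"
            if self_grant:
                reason += " (self-granted)"
            alerts.append({"time": ev["time"], "actor": ev["actor"],
                           "severity": "high" if self_grant else "medium",
                           "reason": reason})
    return alerts


# Constructed sample records, not taken from any real system.
SAMPLE_EVENTS = [
    {"id": 4624, "time": "2024-03-04T08:01:10Z", "actor": "jdoe"},
    {"id": 4728, "time": "2024-03-04T09:15:02Z", "actor": "adm-jdoe",
     "group": "Domain Admins", "member": "svc-backup"},
    {"id": 4732, "time": "2024-03-04T09:40:31Z", "actor": "adm-jdoe",
     "group": "Helpdesk-Local", "member": "tlee"},
    {"id": 4756, "time": "2024-03-04T22:03:44Z", "actor": "adm-rsmith",
     "group": "Enterprise Admins", "member": "adm-rsmith"},
    {"id": 4719, "time": "2024-03-04T22:05:12Z", "actor": "adm-rsmith"},
    {"id": 1102, "time": "2024-03-04T22:06:50Z", "actor": "adm-rsmith"},
]

if __name__ == "__main__":
    for alert in review(SAMPLE_EVENTS):
        print(alert["time"], alert["severity"], alert["actor"], alert["reason"])
```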
  • Guardian
    From what you seem to mean, is this one individual in a small organization? If there are a number of administrators then separation of duties applies, especially if you have a number of servers (both physical or virtual). In a normal instance, each administrative user should be assigned to the area of his job description or what he has been assigned to do in the IT Dept: Exchange Admin, Server Admin, Domain Admin, Backup Admin, Database Admin; some groups have permissions that take more precedence than the other. All this is from a technical aspect, before assigning the administrator to an application as well (accounting package, inventory packages). Now what governs the IT Dept is also essential: every IT Dept must have a strong IT Policy and this always must include repercussions for malicious practice, both users and IT staff. A strong policy is a guideline on how IT Staff must operate, like highlighted in earlier posts; also auditing reports to the IT dept supervisor, in most cases IT falls under finance (the great extramarital relationship) or, if the organization is well structured, a CIO, who can then be able to receive such filtered reports, then be able to determine why someone is working within a specific area. Also Staff reporting (weekly tasks, monthly tasks, weekly summaries - problems occurred, areas affected), Privacy policies (both users, IT Staff and senior management). All policies must be signed off by top management; this gives it credibility..... But what matters is when you employ someone you must have some form of trust in his abilities and also character, and this is solidified by his work ethics and performance on the job...
  • Labnuke99
    Simple answer: Trust but Verify. In other words, audit & confirm actions are appropriate. As mentioned previously, separation of duties is much more difficult in a small organization. A second/backup admin must be available/configured to ensure that the primary admin does not completely shut things down so they cannot be recovered/restored. Another way of saying this is "Have a backup & restore plan".
  • Chippy088
    I have a feeling you are missing something crucial. AD provides control and access permissions to use the network. As far as I am aware, it does not include application passwords to use sensitive applications, like financial packages, which should have their own passwords to allow authorised users to do their job. Network security and functionality should only be the responsibility of IT department. This should only be the physical devices and their connectivity. Installation of application software is under their control, and should only be done under the proper authorisation and requisition procedure. They need not be aware of how it is used, or by whom, unless it is their SLA. Departmental heads should be in control of user training and for setting access levels for the packages they use. Common sense should dictate that users who can authorise payments should not be allowed to authorise the purchase orders.