Admin Access to IT Auditor?

5 pts. Tags: Domain Administrator, IT auditing
The IT auditor is asking for domain admin access to perform various IT audits during the year. Is there a reason they would need this? Also, is there a way to give read-only admin access across Windows, UNIX, etc.? Thanks

Answer Wiki


In dealing with previous security audits, that's normally an account they would request. They would have 3 tactics at the account level (null account, regular user account, and a domain admin account). The lower accounts are used for penetration-type audits to see, for example, whether a server is secure from a visitor (null account) and from a domain user (regular user account). The admin account tests the password security of your user environment, audits hard-coded servers for patches, etc.

Discuss This Question: 3 Replies

  • Sonotsky
    IMHO, the answer to this question depends on whether the auditor in question is an employee of your organization or an external auditor/consultant. If the former, I would ask that they submit some kind of paperwork, authorized by their manager and hopefully yours (or your information security officer). That way, should things go sideways, you're not held liable. If the latter, never, ever give any credentials out. In my audits, the auditors are free to sit with me, request that I perform various tasks, take notes, and request screenshots (scrubbed where necessary to obfuscate proprietary or confidential details: client records, IPs, URLs, things of that nature). The fact that they're asking might be an underhanded way of testing access controls. Hope that helps.
    695 points
  • Troy Tate
    The account should be set with an expiration date and monitoring so that their activities can be tracked also. The other alternative is to have a security manager run the reports in a read-only format (PDF or screenshots) for the auditor's use.
    0 points
  • Kevin Beaver
    This is something I do all the time in my security assessments... I have my clients set up test accounts that expire after a certain period. I also remind them to disable those accounts when I'm done. Take Sonotsky's latter route and neither you nor your auditor is going to get what you need. It's just too impractical. If there's mistrust or paranoia involved, perhaps you can look over the auditor's shoulder. Something that'll last for an hour or so at best, until the auditor proves his trust and value... and because you have better things to be doing.
    27,525 points
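One way to implement the time-limited, monitored, read-only auditor account that Troy Tate and Kevin Beaver describe, on the Windows/AD side of the question. This is an added example, not code from anyone in the thread; it assumes the RSAT ActiveDirectory module on a domain-joined admin workstation, and the account name and OU path are made up.

```powershell
# Added example for this thread, not code from any poster. Assumes the RSAT
# ActiveDirectory module and a constructed OU 'OU=Audit,DC=example,DC=com';
# the account name 'ext-auditor-01' is also constructed.
Import-Module ActiveDirectory

$Auditor  = 'ext-auditor-01'                        # constructed account name
$Expires  = (Get-Date).AddDays(30)                  # length of the engagement
$Password = Read-Host -AsSecureString 'One-time initial password'

# 1. Time-limited account: the domain refuses logons after AccountExpirationDate,
#    so a forgotten account does not turn into a standing credential.
New-ADUser -Name $Auditor -SamAccountName $Auditor `
    -Path 'OU=Audit,DC=example,DC=com' `
    -AccountPassword $Password -ChangePasswordAtLogon $true -Enabled $true `
    -AccountExpirationDate $Expires `
    -Description "External IT audit account; expires $($Expires.ToShortDateString())"

# 2. Read-only visibility instead of Domain Admins: built-in groups that let the
#    auditor read event logs and performance counters but change nothing.
#    (Authenticated Users can already read most directory objects.)
Add-ADGroupMember -Identity 'Event Log Readers'         -Members $Auditor
Add-ADGroupMember -Identity 'Performance Monitor Users' -Members $Auditor

# 3. Monitoring: logon auditing must be on (here set locally; use GPO for DCs).
#    Each of the auditor's logons then appears as Security event 4624.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null

function Get-AuditorLogons {
    param([string]$SamAccountName, [datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } |
        Where-Object { $_.Properties[5].Value -ieq $SamAccountName } |  # [5] = TargetUserName
        Select-Object TimeCreated, MachineName,
            @{ n = 'LogonType'; e = { $_.Properties[8].Value } },        # [8]  = LogonType
            @{ n = 'SourceIP';  e = { $_.Properties[18].Value } }        # [18] = IpAddress
}

# 4. Verify the expiry was applied, review activity, and disable explicitly at
#    close-out rather than relying on the expiry date alone.
Get-ADUser $Auditor -Properties AccountExpirationDate |
    Select-Object SamAccountName, Enabled, AccountExpirationDate
Get-AuditorLogons -SamAccountName $Auditor | Format-Table -AutoSize
# Disable-ADAccount -Identity $Auditor    # run when the engagement ends
```

The 4624 property indices above are the standard field order for that event on current Windows versions; forward the Security log to a collector so the auditor's activity is recorded somewhere the auditor cannot clear.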
