Franz Schenk
The following question concerns a Windows 2003 Server environment, but there
is no Windows 2003 Server security NG, so I post the question here (it is
probably the same problem in W2K):
We have a parent domain "parent.com" and a child domain "child.parent.com".
The CEO of the child domain asked me whether members of the parent domain
(including administrators) can access data in the child domain by default.
According to Microsoft, a domain is a security boundary, and I told him that
access to data in "child.parent.com" for members of "parent.com" must be
explicitly granted.
Now I saw that the "Enterprise Admins" group of the parent domain is
automatically a member of every domain's Administrators local group in every
domain in the forest! So if you intend to grant access to data to the local
Administrators group, members of the "Enterprise Admins" group can
automatically access this data.
This is unacceptable for the CEO of the child domain. Is it possible, and
what are the consequences, when we remove the "Enterprise Admins" group from
the local Administrators group in the child domain? (We also run an Exchange
2003 installation whose organization spans the parent and child domain.) We
have seen that on member servers the "Enterprise Admins" group is not
automatically a member of the local Administrators group, but there is
sensitive data on the domain controllers.
Thanks in advance for any help or links to MS documents about this subject.
Franz
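The check the post describes (is the forest root's "Enterprise Admins" a member of the child domain's built-in Administrators group, and what else sits in that group via nesting), as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module (RSAT), which is newer than the Windows 2003 tooling of the post but reads the same directory objects, and that the caller can read both domains. The domain names are the ones from the post; the removal step is a dry run (-WhatIf) and only touches group membership, not anything Enterprise Admins may hold through directory ACLs, which is a separate audit.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module (RSAT) and read access to both domains. Domain names are taken
# from the post, not from a real environment.
Import-Module ActiveDirectory

$ChildDomain  = 'child.parent.com'
$ParentDomain = 'parent.com'

# "Enterprise Admins" exists only in the forest root domain; its SID is
# <root domain SID>-519, so resolve it from the parent rather than by name.
$rootSid = (Get-ADDomain -Server $ParentDomain).DomainSID.Value
$eaSid   = "$rootSid-519"

# Builtin\Administrators is the well-known SID S-1-5-32-544. Queried against a
# child-domain DC it is the domain-local group that grants rights on the
# child's domain controllers, which is the group the post is worried about.
$admins = Get-ADGroup -Server $ChildDomain -Identity 'S-1-5-32-544'

# Direct members of child.parent.com\Administrators.
$members = Get-ADGroupMember -Server $ChildDomain -Identity $admins

$ea = $members | Where-Object { $_.SID.Value -eq $eaSid }
if ($ea) {
    "Enterprise Admins ($eaSid) IS a direct member of $ChildDomain\Administrators"
} else {
    "Enterprise Admins is NOT a direct member of $ChildDomain\Administrators"
}

# Full expansion, so groups nested from the parent domain (or anywhere else)
# show up too. The SID prefix tells you which domain each member comes from.
Get-ADGroupMember -Server $ChildDomain -Identity $admins -Recursive |
    Select-Object Name, objectClass, @{ n = 'SID'; e = { $_.SID.Value } } |
    Sort-Object SID |
    Format-Table -AutoSize

# Removal, dry run only: drop -WhatIf to apply. Run it as a child-domain
# administrator. This changes group membership only; it does not reduce
# whatever rights Enterprise Admins has through ACLs on the directory itself.
if ($ea) {
    Remove-ADGroupMember -Server $ChildDomain -Identity $admins `
        -Members $ea -Confirm:$false -WhatIf
}
```

On a Windows 2003 domain controller without PowerShell, the same direct membership can be listed with `net localgroup Administrators` (run on a child-domain DC, this shows the domain's built-in Administrators group) or with the 2003 directory tools: `dsget group "CN=Administrators,CN=Builtin,DC=child,DC=parent,DC=com" -members`. Re-run the listing after any change, since membership of this group is exactly what decides who is an administrator on the child's domain controllers.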