Please read


Michael

All,

This may seem inappropriate but my butt is on the line, so
please read on.

I have 2 developers who have domain admin rights in a
Windows 2000 environment. I discovered on Friday that
these 2 have been creating a VPN tunnel to another
company's network and having several machines on that
network interact with one of our machines on the internal
network.

I escalated this issue to our collective supervisor. I
know what his response was and I also know what mine was.

I can guarantee that there is going to be a big turf war
over this one and so I seek your opinions.

Does this have the potential to become a large security
issue?

Thanks all.
 
In my opinion any connection to an unknown network is a security issue, and you
have to take into consideration the risk of virus/trojan infection from another
network. It may be appropriate to do such a thing, but only after it has been
approved by those in charge of the network, with specific procedures laid out to
protect the network, which may involve isolating a server like that from the rest
of your network and having it properly protected, possibly by a firewall to limit
traffic to specific ports from specific IP addresses. Maybe these guys should
not be domain administrators either; possibly adding their accounts to the local
administrator group on the servers necessary to them would suffice. --- Steve
 
Does the term industrial espionage mean anything to you??
It would to the FBI... I suggest you terminate this
connection ASAP. Oh yeah, the security issues are starting
to boil over this one! Not to mention future job prospects!
 
This is a risk that an administrator should NEVER assume.

In my opinion, your developers must not have domain
administrative rights, at least in your production
environment.
If needed, provide them a parallel testing environment
where they can do whatever they want. Believe me, if you do
this, your real production environment will thank you.

At most, in the production environment, give them admin
rights over their local computers, not over the domain,
but do this ONLY if you have no choice.

Finally, think that every guy with admin rights in your
domain can supplant the correct domain/enterprise
administrator/s (I suppose this is you).

Regards.

Julio González.
 