Who will baby sit the babysitters?

Not only is the above a quote from the 1991 album The Power of Lard, I think it's also a central question for administrators.  Especially in small shops, where you have one person wearing many, at times conflicting, hats.

The point of reference:

I'm attending a SQL Skills immersion event this week in Chicago, and like any other training event or conference I think that much of the value in attending comes from the conversations and networking that happen after hours.  Last night there was a group of us sitting in the hotel bar after dinner telling the stories that DBAs and admins in general tend to tell when socializing.

You know, the stupid things we’ve all done with our systems, the stupid things predecessors did with our systems that we inherited, and on and on.

As the evening progressed we started doing some brainstorming to help each other (and this is where you get your money's worth) solve either business problems or technical problems.

The situation:

The below is very high level – certainly not a step-by-step guide to getting this set up.

Imagine that you are an Enterprise Admin in a small IT shop for a financial institution in Europe.  You have auditing requirements, but being in Europe, no legal requirement to have auditors on staff.   The dilemma is this: how do you, as the Enterprise Admin over the AD forest, audit yourself?  You have the ability to remove security audit logs, so you could essentially cover your tracks if you were a nefarious EA, and aside from that, you are in a position of risk.  If the audits are brought into question, you are ultimately responsible.  You want to protect yourself in this situation.

So, this is essentially the situation that was brought up last night over beer and peanuts.   The seven of us present, with all of our different points of reference, experience levels, and knowledge of AD put our collective minds together and decided that the approach below is where to start.

Our Solution:

So, here you go, with no vetting, no technical research I present the output of social time with peers.

The first thing you want to do is get your CFO, CEO, CIO – whichever TLA is appropriate in your situation – on board to be the account holder for your Enterprise Admin account.  The EA shouldn't be his/her normal everyday, get-email, do-work account – but they need to hold the password for this to work.  Once your TLA is willing to hold the credentials, set up that new EA account in AD, log in as the new EA and remove that level of permissions from your own account.

Secondly, set up a second domain in your forest, with a one-way trust.  Inside that domain you will need at least two machines – they could be workstations running a server OS, in all honesty.   No reason that they need to be server-class machines.  They do need to be physical machines and not virtual, though.

Those two machines will be your DCs and they will hold a distributed file share that you will be sending your security audit logs to.

Build your machines, set up your audit log shipping and have your TLA change the password on the EA account.  You could even do a two-key type of solution, where each of you has half of the password – truly ensuring that your TLA won't be tempted to just fix those pesky file permissions on their own, and you have assurance that there is always a second set of eyes on the work you are doing.
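To make the three steps above a little more concrete, here is an added PowerShell example (mine, not something from the bar conversation or from any product) that does the two checks a defender would want once the pieces are in place: it confirms that your personal account really has been stripped of forest-level group membership, exports this DC's Security log to the share in the separate audit domain, and then scans the exported copy for event ID 1102 ("the audit log was cleared"), which is exactly the event a nefarious EA would want to make disappear. The account name and the share path are placeholders; the script assumes the ActiveDirectory RSAT module is installed and that it is run on a DC in the forest root domain, where Enterprise Admins lives.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# PowerShell module (RSAT) is installed and the script runs on a forest-root DC.
# $MyAccount and $AuditShare are hypothetical placeholders; replace them.
#Requires -Modules ActiveDirectory

param(
    # Hypothetical: the admin's personal account that should no longer hold EA rights
    [string]$MyAccount  = 'jdoe',
    # Placeholder: the distributed file share living in the separate audit domain
    [string]$AuditShare = '\\AUDITDOMAIN\AuditLogs\Security'
)

# 1. Confirm the personal account has been removed from the forest-level groups.
#    -Recursive also catches membership inherited through nested groups.
$privileged = @('Enterprise Admins', 'Domain Admins', 'Schema Admins')
foreach ($group in $privileged) {
    $members = Get-ADGroupMember -Identity $group -Recursive |
               Select-Object -ExpandProperty SamAccountName
    if ($members -contains $MyAccount) {
        Write-Warning "$MyAccount is still a member of '$group'"
    } else {
        Write-Output "OK: $MyAccount is not in '$group'"
    }
}

# 2. Ship this DC's Security log to the audit domain's share as a timestamped .evtx.
#    wevtutil epl = export log; the copy is written where the production EA has no rights.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $AuditShare ("{0}-Security-{1}.evtx" -f $env:COMPUTERNAME, $stamp)
& wevtutil.exe epl Security $dest
if ($LASTEXITCODE -ne 0) { throw "wevtutil export failed with exit code $LASTEXITCODE" }

# 3. Look for event 1102 (audit log cleared) in the exported copy. Any hit is
#    something the second set of eyes should be asking about.
$cleared = Get-WinEvent -FilterHashtable @{ Path = $dest; Id = 1102 } -ErrorAction SilentlyContinue
if ($cleared) {
    $cleared | ForEach-Object {
        Write-Warning ("Security log was cleared at {0} (record {1})" -f $_.TimeCreated, $_.RecordId)
    }
} else {
    Write-Output "OK: no 'audit log cleared' events in $dest"
}
```

Run it from a scheduled task on each production DC under an account that the audit domain has granted write access to on the share (and nothing more). A one-off export like this is the simplest version of "audit log shipping"; Windows Event Forwarding does the same job continuously, but the point of the script is the check in step 3: the 1102 event is only useful as evidence if the copy it lands in is somewhere the EA cannot delete it.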

This scenario is likely full of holes, and certainly not tested, but I think it does show perfectly well the power of the whole brain you have access to at training and community events.

