Thread: Can the domain controller spy on domain members?

  1. #1
    Junior Member
    Join Date
    Nov 2005
    Posts
    21

    Can the domain controller spy on domain members?

    Can someone please enlighten me on whether PCs in a Windows domain are really secure?

    Can the domain controller gain access to domain members, for example to run programs or to view what is being done on the member PC, using a tool such as VNC or Windows Remote Desktop?

    I always thought that the member PC can switch off remote access, and tools like VNC needed the administrator account password to work. Can the domain controller still gain access to domain members in some way, using these network access programs, trust relationships or whatever?

  2. #2
    Old and Cranky Super Moderator rik's Avatar
    Join Date
    Aug 2003
    Location
    Watching Your every move...
    Posts
    4,638
    If you are a "member" of a domain, and assuming that the domain is set up as it should be, then the Administrator has all the power and can do as he/she sees fit on that domain.

  3. #3
    Junior Member
    Join Date
    Nov 2005
    Posts
    21
    How does the domain controller view the activity on a domain member, rik?

  4. #4
    Friendly Neighborhood Super Moderator phishhead's Avatar
    Join Date
    Apr 2002
    Location
    San Diego, Ca.
    Posts
    3,622
    Yes, all you have to do is log in to that workstation with domain admin rights and do whatever you want: access your hard drive, remote into your registry, and you don't even know. As far as you know, your PC is a little sluggish. I do it all day long. Then with Active Directory you can really restrict what people can read, access, execute on the network.



  5. #5
    Security Intelligence TZ Veteran cash_site's Avatar
    Join Date
    Jul 2002
    Location
    Software Paradise
    Posts
    3,735
    Quote Originally Posted by acc1 View Post
    How does the domain controller view the activity on a domain member, rik?
    What are some of the activities you wish to hide from DController? There may be stealth modes

    --- 0wN3D by 3gG ---

  6. #6
    Junior Member
    Join Date
    Nov 2005
    Posts
    21
    Quote Originally Posted by phishhead View Post
    Yes, all you have to do is log in to that workstation with domain admin rights and do whatever you want: access your hard drive, remote into your registry, and you don't even know. As far as you know, your PC is a little sluggish. I do it all day long. Then with Active Directory you can really restrict what people can read, access, execute on the network.
    The person using the member computer will not be aware of the domain controller logging in, but is there no record on the member computer, say in the event log, of the controller's log in?

    Quote Originally Posted by cash_site View Post
    What are some of the activities you wish to hide from DController? There may be stealth modes
    It's not so much a matter of having activities to hide from the domain controller, more a case of the right to privacy and knowing what surveillance can be done.

    Employees using computers at work obviously need to be monitored as they are using corporation computers and should not be doing anything illegal so as to compromise the corporation in any way.

    However employees also have their rights to privacy.

    Where for example the employees have permission to use their computers outside working hours to use the internet and to read their personal emails, I think it's fair enough for the corporation to log the sites visited and copy any emails sent.

    Where I draw the line is non-disclosed surveillance using the domain administrator, which I believe is probably illegal and certainly unethical. I am asking how this can be done, and whether it can be avoided. Can these stealth modes avoid big brother's use of remote desktop or vnc or whatever to look at the domain member desktop as it is being used?
    Last edited by acc1; July 17th, 2006 at 22:36 PM.
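
On the event-log question asked above, an added example (not from any poster in this thread): with logon auditing enabled, Windows Vista and later record each successful logon on the member PC as Security event 4624 with a logon type. This sketch filters an exported log for logons that arrived from another machine; the account names, addresses and records are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Logon types that arrive from another machine: 3 = network (file shares,
# remote registry), 10 = Remote Desktop. Type 2 is the local console.
REMOTE_TYPES = {"3": "Network", "10": "RemoteInteractive"}

def make_event(event_id, when, user, logon_type, ip):
    """Build one constructed record in the Security-log XML layout."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="TargetDomainName">CORP</Data>'
            f'<Data Name="LogonType">{logon_type}</Data>'
            f'<Data Name="IpAddress">{ip}</Data></EventData></Event>')

# Constructed sample; a real export would come from
# `wevtutil qe Security /f:xml /e:Events` run on the member PC.
SAMPLE = "<Events>" + "".join([
    make_event(4624, "2024-01-15T09:02:11Z", "acc1", 2, "-"),
    make_event(4624, "2024-01-15T14:30:05Z", "adm-example", 3, "10.0.0.5"),
    make_event(4624, "2024-01-15T14:31:40Z", "adm-example", 10, "10.0.0.5"),
    make_event(4624, "2024-01-15T14:35:00Z", "WS042$", 3, "10.0.0.9"),
    make_event(4634, "2024-01-15T15:00:00Z", "adm-example", 10, "10.0.0.5"),
]) + "</Events>"

def remote_logons(xml_text, local_user):
    """List successful logons that came from another machine under an account
    other than local_user, skipping machine accounts (name ends in $)."""
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue  # only successful-logon records
        data = {d.get("Name"): d.text or ""
                for d in ev.findall("e:EventData/e:Data", NS)}
        user, ltype = data.get("TargetUserName", ""), data.get("LogonType", "")
        if (ltype not in REMOTE_TYPES or user.endswith("$")
                or user.lower() == local_user.lower()):
            continue
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        account = data.get("TargetDomainName", "") + "\\" + user
        hits.append((when, account, REMOTE_TYPES[ltype],
                     data.get("IpAddress", "-")))
    return hits

if __name__ == "__main__":
    for hit in remote_logons(SAMPLE, "acc1"):
        print(*hit)
```

An empty result does not show that nobody connected: auditing may be switched off, and an account with administrative rights on the PC can clear the Security log.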

  7. #7
    Old and Cranky Super Moderator rik's Avatar
    Join Date
    Aug 2003
    Location
    Watching Your every move...
    Posts
    4,638
    Quote Originally Posted by acc1 View Post
    It's not so much a matter of having activities to hide from the domain controller, more a case of the right to privacy and knowing what surveillance can be done.

    Employees using computers at work obviously need to be monitored as they are using corporation computers and should not be doing anything illegal so as to compromise the corporation in any way.

    However employees also have their rights to privacy.

    Where for example the employees have permission to use their computers outside working hours to use the internet and to read their personal emails, I think it's fair enough for the corporation to log the sites visited and copy any emails sent.
    If this is on a "corporate provided" machine, then there is no right to privacy. They outline how you can use the system and possibly their internet resources but never assume that there is any privacy as it is their machine.

    If this is on a computer that is yours and you use it also on your own home network, that is a different story. But if the computer is theirs, then it is theirs...

    They can 007 that machine as they see fit.

  8. #8
    The Beast Master TZ Veteran PIPER's Avatar
    Join Date
    May 2002
    Location
    Florida
    Posts
    1,168
    Ditto to ....walk softly dood....

  9. #9
    Security Intelligence TZ Veteran cash_site's Avatar
    Join Date
    Jul 2002
    Location
    Software Paradise
    Posts
    3,735
    Yes, all employees sign an 'I accept whatever the IT department say' form when they're hired... detailing all monitoring. If you don't like it, then don't use it, err... that way

    I'm doing system-wide testing atm, and I use an MMC utility that runs many RDP at once across the domain... it has an option to just 'view' not interact, and cannot be detected, unless the user goes to Task Manager and the 'Users' tab... but we've disabled access to that

    --- 0wN3D by 3gG ---

  10. #10
    Junior Member
    Join Date
    Nov 2005
    Posts
    21

    Thanks

    Thanks folks. I'll certainly take your good advice.

    However, it's not a simple matter, as it's not necessarily the 'responsible' people within the IT department doing the surveillance.

    In any big organisation other people get to know the domain controller administrator password. This means that even if it were possible to detect any surreptitious access, from the machine slowing down, or unexpected mouse movements, or a new user showing in task manager, etc, it would be impossible to know the perpetrator or legality of the monitoring.

  11. #11
    Succeded in braking Windo TZ Veteran Dehcbad25's Avatar
    Join Date
    Apr 2002
    Location
    DE - USA
    Posts
    2,366
    Late post, but if what you post here is in effect
    Quote Originally Posted by acc1 View Post
    However, it's not a simple matter, as it's not necessarily the 'responsible' people within the IT department doing the surveillance.
    then it is not a matter of privacy. If the admin is not doing their job right, or, what is often more common than not, management does not place the proper importance on it and give the resources, then it is a much bigger issue than privacy.
    I am a network administrator myself, and I can tell you it is not easy to keep a network secure, in good shape and monitored. Probably the most difficult is to monitor. There is no way I have time to check what 100 users are doing on their PCs. But what I do care about is if they are streaming media that clogs the network, and honestly, even if I see a high usage, I don't know exactly what the user is seeing or listening to (I can know the web site).
    However, the domain controller will not spy; it is more an issue of the user (administrator or not). Also, in a domain the administrator account should not be used (it should even be disabled) but that is something more for the IT department. If you are not happy with their policy you should bring it up formally with them. As pointed out, you don't have a right to privacy using the work resources, and you will never win that case, even when the company allows you to use the computer for personal stuff. Work hours are not related at all, so using checking personal email off hours as a basis won't get you anywhere either.
    That said, most companies aren't that strict since it tends to get in the way of productivity (happy users, happy company) and most won't pry into your personal information. The main point is that they are legally allowed, and can do it without your consent, as it is the same with any public computer.
    Finally, let me correct one more time this point
    Quote Originally Posted by acc1 View Post
    In any big organisation other people get to know the domain controller administrator password. This means that even if it were possible to detect any surreptitious access, from the machine slowing down, or unexpected mouse movements, or a new user showing in task manager, etc, it would be impossible to know the perpetrator or legality of the monitoring.
    No, in no big company do other people get to know the administrator password. In big companies escalation of privileges is used, and the administrator for the domain might be disabled. Also, new users showing in the task manager could be for programs running automatically. Slowdown is usually a user-caused problem (too many windows, spyware, etc.), unexpected mouse movements could be a dirty mouse, weak wireless connection of the mouse, or cross connection from a wireless mouse.
    For VNC the icon changes to black status, and think about how much you can really monitor using VNC. VNC is often used more for troubleshooting without having to go to the desk. Remote desktop will log out the current user, since there is only 1 license for a logged-in user, unless you want to purchase terminal licences (and then why would you use VNC, as I think is cash's example), and still needs access to the computer to run. VNC also uses a password, and it has nothing to do with the domain controller.
    After this long......long .....long writing.. there are a couple of things to reflect upon:
    1) what are your feelings about the remote access monitoring (like it, don't mind it, don't like it)
    2) what are your feelings about who is doing the monitoring (system administrators, management, other people)
    3) what is your overall feeling of the security of the network (other people have admin rights? You don't know who can do what?)
    At least at my work I would be happy to answer these questions if you come with the list. My main policy is that being honest and forward with the user helps the network. I am a user myself, regardless of being the administrator. Don't let other admins feel above the user because that is a major mistake.
    i.e. Users have to log in to the computer with domain user rights, meaning they cannot install programs, printers, etc. Well, I do the same, as well as the whole department, because not knowing the hardship of users makes for weak IT staffing. Programmers program in the same environment, thus making sure the program works in a restricted user environment. How do I manage the network? Well, I use run as and other tools. How do I enforce people not to log in with admin rights? hehe, I restrict the use of Outlook and email if you have admin rights. Internet Explorer won't work, and since email and Internet are the main tools here, I completely demotivate even the IT department from using admin rights.
    If you have insecure feelings about your network, I would be more afraid of having the network hacked than being monitored, and this is told by a user that surfs online for personal stuff, listens to mp3, and uses his work PC for gaming *cough* I meant work.
