Cyber security Group for - Cyber Team

Hi folks,

I am working on creating a security group for the Cyber Team. I've been trying to remove their Domain Admins rights and create a security group, because I don't see a reason for Cyber having Domain Admins, but I am pondering what kind of rights they should have when they only read the security log, scan the network with Splunk and so on. They only scan and review the data, so I am kind of in need of your input on how I can approach this issue via security groups.

They are all upset with me because they don't want to lose their admin rights, and for me that is a big risk.


Your thoughts...


Thank you Golpemortal.
 
We have a Cyber Security group within the DoD organization and I do not see the need for them to have Domain Admin, as their job is to view the DCs' security logs and scan the network with Splunk.... They do not need Domain Admins rights, especially when they don't know anything about sysadmin. Unless you think they need Domain Admins, and do explain why. The only group in my case that needs Domain Admins rights is System Administrators. I've seen some cyber users that deleted entire volumes in the storage by mistake, and I am trying to fix this very problem; the Cyber group should not have Domain Admin rights.... Too dangerous....
 
I frankly agree with SirDice on account of Windows administration.

But... for comparison with UNIX, the root account is generally limited to the machine... and it's possible to organize/limit daemon accounts if they want to do admin tasks on other machines.

Using that same logic (Yep, credit to UNIX as the originator! :P ), I think that OP is on the right track to create a special group with limited permissions.

Nope, users are not gonna like losing privileges (even over egregious mistakes like deleting a whole share through lack of attention), so the OP will need to get some backing from above before making a move. I hate getting political in a technical forum, but the lack of Best Practices is just flabbergasting. :/
 
You’re right—Cyber teams don’t need Domain Admin rights. Follow least privilege:

Create a security group (e.g., Cyber-Security-Analysts) and give:

  • Read-only access to AD
  • Event Log Readers for log access
  • Splunk access via proper roles/service accounts
Use JIT/PAM for any temporary elevated access.

Explain to them it’s about reducing risk, not limiting their work—Domain Admin accounts are a major security target.
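The steps in the post above, carried out with the ActiveDirectory module, as an added example that is not part of the original thread. The group name Cyber-Security-Analysts is the one suggested above; the OU path, domain, DC name and analyst account names are placeholders I made up for illustration. Read access to the directory itself needs no extra grant, since Authenticated Users can already read most of AD by default, so the example concentrates on the Security log (via the builtin Event Log Readers group) and on removing Domain Admins.

```powershell
# Added example, not code from the original thread.
# Builds a least-privilege group for the Cyber team, nests it in the
# builtin "Event Log Readers" group so members can read the Security log
# on the DCs, pulls the analysts out of Domain Admins, then verifies.
Import-Module ActiveDirectory

$GroupName = 'Cyber-Security-Analysts'
$GroupOU   = 'OU=Security Groups,DC=corp,DC=example'   # assumed OU path
$Analysts  = @('jdoe', 'asmith')                       # assumed sAMAccountNames
$SampleDC  = 'DC01'                                    # assumed DC hostname

# 1. Create the group if it does not exist yet (safe to re-run).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName `
                -GroupScope Global `
                -GroupCategory Security `
                -Path $GroupOU `
                -Description 'Read-only Security log review and Splunk analysts'
}
Add-ADGroupMember -Identity $GroupName -Members $Analysts

# 2. Security log access: on domain controllers the builtin
#    "Event Log Readers" group is a domain group (CN=Builtin), so nesting
#    our global group in it grants remote Security log reads on every DC
#    without touching individual user accounts.
$readers = Get-ADGroupMember -Identity 'Event Log Readers' | Select-Object -ExpandProperty SamAccountName
if ($readers -notcontains $GroupName) {
    Add-ADGroupMember -Identity 'Event Log Readers' -Members $GroupName
}

# 3. Remove the analysts from Domain Admins.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' | Select-Object -ExpandProperty SamAccountName
foreach ($u in $Analysts) {
    if ($domainAdmins -contains $u) {
        Remove-ADGroupMember -Identity 'Domain Admins' -Members $u -Confirm:$false
    }
}

# 4. Verify the resulting memberships: expect Cyber-Security-Analysts and
#    Domain Users, and no Domain Admins.
foreach ($u in $Analysts) {
    Get-ADPrincipalGroupMembership -Identity $u |
        Select-Object @{ n = 'User'; e = { $u } }, Name
}

# 5. Functional check, run as one of the analysts (their own session or a
#    run-as window): reading the DC's Security log should succeed with
#    Event Log Readers membership and fail with "access denied" without it.
Get-WinEvent -ComputerName $SampleDC -LogName Security -MaxEvents 5 |
    Select-Object TimeCreated, Id, ProviderName
```

Group membership is evaluated at logon, so the analysts need to log off and on again before either the loss of Domain Admins or the Event Log Readers grant takes effect; the verification in step 5 is only meaningful from a fresh session.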
 
I just found out you can use OpenLDAP on FreeBSD and forward to Active Directory... with all your FreeBSD stored in AD.
The inverse does not work, Microsoft always does "hostile takeovers" of "Standards".
 
They are all upset with me because they don't want to lose their admin rights, and for me that is a big risk.
If all they're doing is reading logs, they shouldn't be aware of even having admin rights, and shouldn't miss the permission if it's randomly revoked, unless it was being misused (or, in a security-reduction context, abused) for another, non-log-reading purpose.

Non-security people shouldn't have feedback on a security measure (unless it hinders their task), and multiple accounts shouldn't be casually admin/root over a network without sane reason.
 