Creating a hidden administrator

Guest

I need to create a user object in Active Directory with complete
administrator rights and then hide that object from everyone (including
Administrator) with the exception of the owner of the company. I haven't
found a method for doing this. Any suggestions? Thanks
Steven L Umbach

I don't believe that is possible. You can change permissions on any AD
object such as a user, and a user needs read permissions to see an object via
Active Directory, but I believe that once every sixty minutes or so the
permissions would be refreshed to add the Administrators group back with
default permissions. Besides, there are many other ways to enumerate
groups, such as [ net group "domain admins" ]. Bottom line is that
administrators must be trusted. There are ways, such as file encryption, that
can be used to deny even administrators access to a user's data if done
correctly. Also, it may make sense in certain cases to use physically secured
workgroup computers that are not members of the domain if a user needs to
be isolated from domain admins. A non-domain computer may still access
domain resources if needed, as long as the user knows credentials to an
account in the domain and the resource computer does not have an IPsec
require policy assigned to it using Kerberos as the computer authentication
method. --- Steve
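The refresh Steve refers to is the AdminSDHolder/SDProp process, which by default re-stamps the ACL of members of protected groups every 60 minutes and marks them with adminCount=1. The following audit script is an added example, not code from the thread or from any of its posters; it assumes the RSAT ActiveDirectory module and a domain-joined session with read access, and it lists privileged accounts whose ACL differs from the AdminSDHolder template (for instance, an account someone tried to hide with Deny ACEs), plus orphaned accounts that still carry adminCount=1.

```powershell
# Added example (not from the thread). Assumes: RSAT ActiveDirectory module,
# read access to the domain. Audits protected accounts for non-default ACLs.
Import-Module ActiveDirectory

# Groups whose members SDProp re-stamps from AdminSDHolder (default: every 60 min)
$protectedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'

# 1. Effective (nested) user membership of the protected groups
$privileged = foreach ($g in $protectedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties adminCount }
}
$privileged = @($privileged | Sort-Object DistinguishedName -Unique)

# 2. Compare each account's DACL with the AdminSDHolder template. Any ACE that
#    is not on the template either predates the next SDProp run or was added
#    deliberately (e.g. a Deny ACE meant to hide the account from readers).
$domainDN = (Get-ADDomain).DistinguishedName
$aceKey   = { "$($_.IdentityReference)|$($_.AccessControlType)|$($_.ActiveDirectoryRights)|$($_.ObjectType)" }
$template = (Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDN").Access | ForEach-Object $aceKey

$report = foreach ($u in $privileged) {
    $acl   = Get-Acl -Path "AD:\$($u.DistinguishedName)"
    $extra = @($acl.Access | ForEach-Object $aceKey | Where-Object { $_ -notin $template })
    $deny  = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        AdminCount      = $u.adminCount
        DenyACEs        = $deny.Count
        NonTemplateACEs = $extra.Count
    }
}
$report | Sort-Object NonTemplateACEs -Descending | Format-Table -AutoSize

# 3. Accounts still marked adminCount=1 but no longer in any protected group
#    ("orphaned" admins) keep the hardened ACL and should be reviewed as well.
Get-ADUser -LDAPFilter '(adminCount=1)' |
    Where-Object { $_.DistinguishedName -notin $privileged.DistinguishedName } |
    Select-Object SamAccountName, DistinguishedName
```

Run it from the PDC emulator's perspective right after a forced SDProp cycle to separate ACEs that SDProp will remove anyway from ones applied to objects it does not protect.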
Guest

Dear David,

technically it seems possible because I have a Chinese rootkit in my
collection of hacker tools (for security demonstrations in a virtual machine)
that is able to
hide itself from anything (filesystem, registry, service list), just like the
Hacker Defender rootkit.
In addition, it is able to create a hidden user that can be made a member of
the Administrators group.

Of course you won't be willing to use a rootkit from an untrusted source to
achieve your goal.

This security website (http://www.security.org.sg/code/index.html) gives
you a detailed insight into how these hiding techniques work.

As I said, there are ways to hide things like files, services, registry
entries and users by using special programming techniques to create some
services to intercept each request.

Hope this helped a bit.

Samir

davidwr said:
I need to create a user object in active directory with complete
administrator rights and then hide that object from everyone (including
Administrator) with the exception of the owner of the company. I haven't
found a method for doing this. Any suggestions? Thanks