
Containing your Superusers. With the Right Tools, it is Possible.

Ever wish there were a way to tear down the absolute power granted to Domain Admins or root users? Do you wish you could prevent even these godlike users from accessing highly secured security log data, restrict their access to applications, or keep them from peering into financial information they shouldn't have access to?

It is possible, but not with Microsoft's native tools. I wrote a series of white papers for CA called the Cost of Doing Nothing series. In this series I talk about some of the problems with Identity and Access Management, and how failing to incorporate enterprise-quality tools can itself be a cost to the organization.

Only now is the first of these being released to the public. From this first paper, titled Superuser Containment, learn a bit about the problems of containing those nasty superusers and why you should care about their access:

What Are Superuser Privileges and Why Should You Care?


The idea of "superuser privileges" encompasses those with the highest level of access in the network OS. For individual Microsoft Windows systems, that user is Administrator. For Microsoft Windows systems connected into an Active Directory (AD) domain, the Domain Administrator account is added to the list. For many Linux and UNIX systems, the user is root.

One of the biggest problems with these accounts is their native architecture. In the UNIX world, the only user with default superuser privileges is the root account. To complete a system-level task in UNIX, the operator must log in with their standard credentials and elevate themselves to root. This means that the root user, along with its password, is often shared among all administrators performing administrative duties. A similar problem exists in Microsoft Windows, where Windows administrators use their Domain Administrator-level permissions as their standard login.

The sharing of these top-level accesses violates the computing principle of least privilege, which is "the computing concept of access or functionality within an operating system whereby a user or program is granted minimum possible privileges to permit an action. In doing so, the operating system as a whole is not exposed to unwarranted or excessive actions that may cause damage or promote further negative actions" (Source: http://en.wikipedia.org/wiki/Least_privilege). The native architecture of these OSs provides complete and total access to the superuser. The superuser can effectively perform any action on any data object within that superuser's scope of management. Thus, sensitive, classified, or inappropriate information housed within the superuser's network is automatically and always available to the superuser, whether they should have access to that information or not.
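One practical consequence of the shared-root problem the excerpt describes is that native logs cannot tell you which person acted as root. As an added illustration (not code from the paper, from CA, or from this post), the following script reads constructed syslog-style auth lines and separates attributable elevation (sudo) from unattributed use of the shared root credential (direct root SSH logins and su to root); the log format and hostnames are assumptions.

```python
import re
from collections import Counter

# Constructed sample auth log lines (not taken from the page); the format mirrors
# typical sshd, sudo and su syslog output.
SAMPLE_LOG = """\
Jan 12 08:01:02 host sshd[1001]: Accepted password for root from 10.0.0.5 port 51234 ssh2
Jan 12 08:02:10 host sshd[1002]: Accepted publickey for alice from 10.0.0.7 port 51240 ssh2
Jan 12 08:02:15 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan 12 08:05:33 host su[1010]: (to root) bob on pts/1
Jan 12 08:06:00 host sshd[1020]: Accepted password for root from 10.0.0.9 port 51300 ssh2
Jan 12 08:07:45 host sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /var/log/secure
"""

SSH_LOGIN = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
SU_TO_ROOT = re.compile(r"su\[\d+\]: \(to root\) (?P<user>\S+) on (?P<tty>\S+)")
SUDO_CMD = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")


def classify(line):
    """Return (category, actor, detail), or None for lines that are not privilege events."""
    if m := SSH_LOGIN.search(line):
        if m["user"] == "root":
            # Shared credential used directly: no individual is recorded.
            return ("direct_root_login", "root", m["src"])
        return None
    if m := SU_TO_ROOT.search(line):
        # Root password was typed by a named user, but the command run afterwards is not logged.
        return ("su_to_root", m["user"], m["tty"])
    if m := SUDO_CMD.search(line):
        # Attributable elevation: named user, target user and exact command.
        return ("sudo", m["user"], m["cmd"].strip())
    return None


def audit(log_text):
    """Count events by category and return the list of unattributed root logins."""
    events = [e for e in (classify(l) for l in log_text.splitlines()) if e]
    summary = Counter(cat for cat, _, _ in events)
    unattributed = [e for e in events if e[0] == "direct_root_login"]
    return dict(summary), unattributed


if __name__ == "__main__":
    summary, unattributed = audit(SAMPLE_LOG)
    print(summary)
    for _, _, src in unattributed:
        print("root login with no individual attribution from", src)
```

Only the sudo entries tie a person to a specific command; the other two categories are exactly the gap the paper attributes to shared superuser credentials.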

The rest of the paper continues with the problem and identifies why not incorporating the right solutions can really hurt your organization. Get your copy here (registration required).


Greg Shields' Bio:

Greg Shields is an independent author, instructor, and IT consultant based in Denver, Colorado, and a co-founder of Concentrated Technology. With nearly 15 years of experience in information technology, Greg has developed extensive experience in systems administration, engineering, and architecture, specializing in Microsoft systems management, remote application, and virtualization technologies. Greg is a Contributing Editor for Redmond Magazine, MCPmag.com, and Virtualization Review Magazine and is the author of five books, including Windows Server 2008: What's New / What's Changed. Greg is also a highly sought-after instructor and speaker, speaking regularly at conferences like TechMentor Events and producing computer-based training curriculum for CBT Nuggets. Greg is a recipient of the Microsoft "Most Valuable Professional" award with a specialization in Windows Terminal Services.