Hello,

First of all, I would like to say that it is really nice to see a forum dedicated to the subject of Active Directory security. This is obviously a very important area of security in Windows networks, so thank you for this.

Getting to my question now, I would like to know whether we should have some kind of policy in place that establishes some set of basic essential requirements that must be met before our admins acquire and deploy a variety of tools on their administrative machines.

The question was prompted by the fact that recently we had an admin who wanted to do some basic network analysis reporting, and so he found a free utility online, downloaded it and started using it. We did not know about it until we started seeing some unusual traffic patterns from his computer, and when we looked deeper, it was found that this free utility was built by some company in Romania, and that it might have been doing some additional things as well (without the admin's knowledge that is.)

This is really concerning to us, and so we are contemplating on establishing some basic set of standards/requirements that must be met before our admins can download and install any piece of software from the Internet. (The fact that they are admins too makes it a little hard to enforce our policies, but we at least would like to do whatever we can.)

I would welcome and be thankful for any ideas or suggestions that you might have in this regard. It is not that we do not trust our admins, it is just that they might trust a little too much in stuff available on the Internet, and we would just like to make it secure enough for them to download and unleash anything even potentially suspect or malicious in our internal environment, because as we all know, once malicious code hits your systems, it is virtually impossible to completely get rid of it. We think it is better to be safe than sorry.

Thank you in advance.
Hans