| Author | Messages | |
Bitzie
Posts:251
 | | 06/09/2010 8:41 PM |
| Active Directory Install at DHS Questioned | threatpost: http://threatpost.com/en_us/blogs/active-directory-install-dhs-questioned-060910
IG Questions DHS Execution of Active Directory: http://www.govinfosecurity.com/articles.php?art_id=2623&rf=2010-06-09-eg
| | | |
| RickSheikh
Posts:373
 | | 06/09/2010 9:04 PM |
| Not much info in the article regarding the failed audit from the public report.
On Wed, Jun 9, 2010 at 2:38 PM, Susan Bradley <susan@sbslinks.com> wrote:
> Active Directory Install at DHS Questioned | threatpost:
> http://threatpost.com/en_us/blogs/active-directory-install-dhs-questioned-060910
>
> IG Questions DHS Execution of Active Directory:
> http://www.govinfosecurity.com/articles.php?art_id=2623&rf=2010-06-09-eg
| | | |
| RickSheikh
Posts:373
 | | 06/09/2010 9:10 PM |
| Here is the actual report
http://www.dhs.gov/xoig/assets/mgmtrpts/OIG_10-86_May10.pdf
| | | |
| fitzstewart
Posts:13
 | | 06/09/2010 9:56 PM |
| Thanks for digging this up, Rick. I don't like it when security people who don't know AD talk about AD security. From my reading of this doc, it's clear that the authors aren't familiar with the function of AD, AD security, and the security impact of things like cross forest trusts. There of course may be more there than what's in the report, but at least get the technology correct...
| | | |
| jamesawells
Posts:79
 | | 06/09/2010 10:00 PM |
| The original link specifically mentioned security levels -- i.e. patching or security controls. Reading between the lines, it just sounds like DCs weren't being patched.
Not that hard to imagine...the Domain Admins won't give any rights to a bunch of 2003 DCs to the patch team (or the government contractor responsible for patches). So DCs have to be patched manually. They fall behind. Audit catches it.
--James
| | | |
| upacrk1
Posts:0
 | | 06/09/2010 10:21 PM |
| You won't find specifics there either. No sense giving away vulnerabilities to the bad guys. I suspect that the US of A government and its various departments are Microsoft's largest customers. It seems that the DHS (and several of the other domains) have a big enough responsibility that they would contract out to one of MS's top security teams to do some checking before an audit takes place. The local TAMs (Microsoft Technical Account Managers) should push for that. It might even be part of the annual contract.
Mike Thommes
| | | |
| fitzstewart
Posts:13
 | | 06/10/2010 1:05 AM |
| Yes, and the comments in the appendix suggest that an earlier draft didn't distinguish between AD as a patching tool and AD as authn/authz for the patching tool. What really bugs me though is the author's suggestion that a trust and a compromise on one side of a trust (they appear to be two-way trusts) means a compromise on the other side of the trust. The forest is a security boundary - a compromise, even of DA, on one side of a trust doesn't mean a compromise on the other.
| | | |
| rkaramchand
Posts:76
 | | 06/10/2010 1:17 PM |
| Here are the major contractors
http://www.dhs.gov/xlibrary/assets/opnbiz/OSDBU-DHS_Prime_Contractors_List.pdf
| | | |
| barkills
Posts:201
 | | 06/10/2010 5:28 PM |
| I didn't read the suggestion you are saying is there in the report. Might you call out which page it is on?
The specific problems cited were:
- patching on a few systems
- use of a protocol deemed insecure on a few systems
- lack of regular audit mechanisms of security policies (so the above problems are caught and self-corrected)
There are unclear allusions to Active Directory. James' suggestion that maybe some DCs weren't patched (or extending that suggestion that they were talking a protocol deemed insecure) would make those allusions make more sense. There's also an element of using AD for security configuration of systems, and I'd bet that the report is suggesting that they get their group policy settings across the dozen domains into alignment with their security policy.
I don't really read anything specifically against two-way trusts or the number of trusts. Near the beginning there's quite a bit of fuzzy language about connecting to DHS systems via trusts, but it doesn't seem to me that the trusts themselves are the focal point--instead the point is that if a system can connect to DHS data and can handle DHS credentials, then that system should be following DHS security policy. And since the domains themselves represent individual departments within DHS, I thought it was pretty clear that they are saying that all the departments need to get with the DHS security program.
Frankly, this audit isn't really that exciting. Seems really mundane actually, aside from the fact that it's about Homeland Security.
| | | |