[ActiveDir] RODC Authentication and Caching Huh!
| rmscheck | Posts:245 | 06/11/2010 7:08 PM |
Ok, so I'm tinkering with a 2K8 R2 RODC... I only have one user in the default Allow RODC PR Group. A basic user, the one that was used to promote the RODC via delegated rights.
As it stands by default, an actual Domain Admin can log in to this RODC. Not good, right? The way I understand it, the password won't be cached for this DA, but he shows as one whose "Accounts that have been authenticated to this RODC". What are the security implications there? I imagine the RODC proxied the authentication to its upstream RWDC and let the DA log into the RODC.
How do we prevent this from happening? Is this bad?
I also see the upstream RWDC in the same list, "Accounts that have been authenticated to this RODC"... is that typical?
-Rand
| kevinrjames | Posts:35 | 06/11/2010 10:42 PM |
As designed. What security implications are you concerned about, and why would you want to (try to) prevent this from happening?
/kj
Sent to activedir@mail.activedir.org from Kevin R. James
Virus scanned by GFI MailSecurity 11/6/2010
| bdesmond | Posts:977 | 06/12/2010 2:20 AM |
The premise is that the RODC is always compromised, so you log in as a DA and give away your creds. Personally I think this is a people problem, not a technical one. If you want to break it though, I'd use a login script that logs this and then logs you out, or perhaps a GPO denying the group rights to log in.
Brian Desmond from my phone
| rmscheck | Posts:245 | 06/12/2010 1:06 PM |
I guess I'm trying to determine what's the technical difference between two settings..
1) "Accounts whose passwords are stored on this Read-only Domain Controller" VS 2) "Accounts that have been authenticated to this RODC"
One states the password is actually stored in that RODC's database.. the other just says this RODC authenticated you. #1 is easier to wrap my head around.. #2: is there any password storage? Or is this just an indicator that at some point this DC had to proxy the auth request for a user that came through here? In which case, for #2, Brian's point is clear......
Why would I see the RWDC listed in option #2? Does that mean someone logged on to the RODC and then accessed the RWDC from it (remote MMC tools, etc.)? Or rather, was it someone on the RWDC who accessed the RODC?
Thanks all..
| Thomas Vuylsteke | Posts:207 | 06/12/2010 1:57 PM |
If I'm correct, the "Accounts that have been authenticated to this RODC" collection/view is to find out who has been authenticating to that RODC. So you can find out which accounts you should add to the "allow pw to be cached" group. If the RWDC does sysvol replication or something alike, I can imagine it will have to authenticate to the RODC and as such will appear as well.
I think you're supposed to add all users/their computers to the "Accounts whose passwords are stored on this Read-only Domain Controller" group.
P.S. I've got no real-life RODC experience, this is all theoretical.
Regards, Thomas Vuylsteke http://setspn.blogspot.com
| Thomas Vuylsteke | Posts:207 | 06/12/2010 2:27 PM |
> I think you're supposed to add all users/their computers to the "Accounts whose passwords are stored on this Read-only Domain Controller" group.
-> Euh, of course only those of the remote site... not just plainly all users/computers.
| bdesmond | Posts:977 | 06/12/2010 5:33 PM |
> If I'm correct, the "Accounts that have been authenticated to this RODC" collection/view is to find out who has been authenticating to that RODC. So you can find out which accounts you should add to the "allow pw to be cached" group. If the RWDC does sysvol replication or something alike, I can imagine it will have to authenticate to the RODC and as such will appear as well.
That's correct.
> I think you're supposed to add all users/their computers to the "Accounts whose passwords are stored on this Read-only Domain Controller" group.
It's a good indicator but not necessarily necessary. You might have someone who roamed to that site once, or a high-risk account, or something on the A2 list but not someone you want to cache.
I've seen customers use site-based groups which are fed by provisioning systems to populate the caching policy before.
Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
| kevinrjames | Posts:35 | 06/14/2010 6:45 PM |
In either case the creds have already been "given away" as authenticated. The difference is whether the cred is stored locally or not.
The delegated "admin" (Managed By) owns the box anyway. Don't need a DA.
/kj
| kevinrjames | Posts:35 | 06/14/2010 6:53 PM |
And the Deny list(s) need to be considered as well. Each RODC can have its own Allow/Deny list or use the default domain "global-ish" ones.
"Authenticated to this RODC" is just informative. Allow/Deny determines if the password can be cached (on *this* RODC) or not.
/kj
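The distinction the thread settles on (the "authenticated to this RODC" list is informational; the per-RODC or domain Allow/Deny lists decide what is actually cached) can be checked directly with the ActiveDirectory PowerShell module. The script below is an added example, not code from any of the posters: it reads one RODC's authenticated and revealed account lists, computes the resultant Allow/Deny policy for every account that has authenticated through it, and flags privileged accounts in either list. The RODC name `RODC01` and the list of privileged groups are placeholders.

```powershell
# Added example (not from the thread): audit one RODC's password replication policy.
# Assumed: ActiveDirectory module available, caller can read the RODC's PRP attributes,
# and $Rodc / $PrivilegedGroups are placeholders for your own environment.
param(
    [string]$Rodc = 'RODC01',   # placeholder: name of the RODC to audit
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')
)
Import-Module ActiveDirectory -ErrorAction Stop

# Resolve privileged membership by SID so nested and renamed groups are handled.
$privilegedBySid = @{}
foreach ($group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $privilegedBySid[$_.SID.Value] = $group }
}

# The two lists the thread is about. Appearing in the first one only means the RODC
# proxied (or served) an authentication; only the second one means the secret is cached.
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts
$revealed      = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
$revealedSids  = @{}
foreach ($account in $revealed) { $revealedSids[$account.SID.Value] = $true }

# The per-RODC Allow/Deny lists (the domain-wide default groups are included here).
$allowList = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList
$denyList  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList
Write-Host ("RODC {0}: Allow = [{1}]  Deny = [{2}]" -f $Rodc,
    (($allowList | Select-Object -ExpandProperty Name) -join ', '),
    (($denyList  | Select-Object -ExpandProperty Name) -join ', '))

# One row per account that has authenticated through this RODC.
$report = foreach ($account in $authenticated) {
    $sid = $account.SID.Value
    # Resultant policy for this account on this RODC; Deny wins over Allow.
    $policy = Get-ADAccountResultantPasswordReplicationPolicy -Identity $account -DomainController $Rodc
    [pscustomobject]@{
        Account        = $account.SamAccountName
        ObjectClass    = $account.ObjectClass
        Privileged     = $privilegedBySid.ContainsKey($sid)
        PrivilegedVia  = $privilegedBySid[$sid]
        ResultantPRP   = "$policy"
        PasswordCached = $revealedSids.ContainsKey($sid)
    }
}

# Privileged accounts deserve a warning either way: if the password is cached, the secret
# sits on a DC the design assumes can be compromised; if not, the credential was still
# typed into that box, which is the "people problem" Brian describes.
foreach ($row in ($report | Where-Object Privileged)) {
    if ($row.PasswordCached) {
        Write-Warning ("{0} ({1}) has its password cached on {2}" -f $row.Account, $row.PrivilegedVia, $Rodc)
    } else {
        Write-Warning ("{0} ({1}) authenticated to {2}; consider a GPO denying that group log-on rights there" -f $row.Account, $row.PrivilegedVia, $Rodc)
    }
}

# Emit the full table so it can be piped to Format-Table or Export-Csv.
$report | Sort-Object Privileged, PasswordCached -Descending
```

With the default Denied RODC Password Replication Group in place, a Domain Admin who logged on to the RODC should show up with `ResultantPRP = Deny` and `PasswordCached = False`, which is the "authenticated but not cached" state Rand observed.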