List Archives
Subject: [ActiveDir] Domain Controller Security
AD00000453 wrote on 09/20/2005 8:59 AM:
I have a contractor in a remote site. There is only 1 server in that site, which is a DC.

He needs to administer that server:
- Create shares
- Make file/share permissions
- Change user passwords in the User OU for that site.

He is not allowed to log on to any other server in the domain.

When I make him a "Server Operator" he can log on to any server in the domain.

Any idea on how to lock him down to that one server, and then how to lock him down on that one OU where he should only be allowed to change the passwords of the users?

Thanks!
Fred
kamleshap wrote on 09/21/2005 1:33 AM:
For changing NTFS permissions, directly give him FULL CONTROL rights over a particular folder, and ask him to create everything inside that.

3) Restricting to a specific OU
You can use the delegation wizard in the ADUC console to give his user ID rights to manage that OU.

Kamlesh
-- "Fortune and Love befriend the bold"
hcoleman wrote on 09/21/2005 1:45 AM:
Fred-

This is not possible. While you can make it more difficult for the user to do things you don't want him to, if you give him either physical access to the DC or the ability to log on to the DC, he is in a position to elevate his permissions to the point of owning your forest.

If you can move the files and shares to another machine, then restricting him to only be able to change passwords within a particular OU is easy, by either setting the OU security directly or going through the Delegation of Control Wizard.

Hunter
kamleshap wrote on 09/21/2005 2:07 AM:
Ultimately, the choice is yours, as are the consequences.
-- "Fortune and Love befriend the bold"

On 9/21/05, Kamlesh Parmar wrote:

1) Restricting his login to that particular DC
I would suggest creating a group policy in which you add that user ID to the "Allow log on locally" and "Allow log on through Terminal Services" user rights.

And make sure that this policy applies to that DC only, by "security filtering" on the group policy.
NOTE: make sure you remove Authenticated Users from the security filtering.

2) Allowing him to share / change NTFS permissions
AFAIK, a user should have "Power Users" rights to share any folder, but there are no local groups on a DC where you can give him that right. You can only make him a member of the Power Users group on the domain, which defeats the purpose of restricting him to that DC only.

For changing NTFS permissions, directly give him FULL CONTROL rights over a particular folder, and ask him to create everything inside that.

3) Restricting to a specific OU
You can use the delegation wizard in the ADUC console to give his user ID rights to manage that OU.

Kamlesh
-- "Fortune and Love befriend the bold"
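As an added example for Kamlesh's steps 1 and 3, and for Hunter's suggestion of setting the OU security directly, the PowerShell below performs the one delegation the thread agrees is safe (password reset scoped to user objects in one OU) and then audits the two things the thread warns about: privileged group membership, which gives DC logon everywhere, and who effectively holds "Allow log on locally" on the DC. This is not code from any poster. It assumes the RSAT ActiveDirectory module, a Windows PowerShell 5 or later session run with rights to edit the OU's ACL, and the placeholder names OU=SiteUsers,DC=example,DC=com, group SiteHelpdesk and account contractor01; the schema and extended-right GUIDs are looked up from the live directory rather than hardcoded.

```powershell
# Added example for this thread (not code from any poster). Assumes the RSAT
# ActiveDirectory module and a session with rights to edit the OU's ACL.
# "OU=SiteUsers,DC=example,DC=com", "SiteHelpdesk" and "contractor01" are placeholders.
Import-Module ActiveDirectory

# Resolve GUIDs from the live schema/configuration partitions instead of hardcoding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [Guid]$obj.schemaIDGUID
}

function Get-ExtendedRightGuid([string]$DisplayName) {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [Guid]$obj.rightsGuid
}

# Step 3 of the thread: delegate only "Reset Password" on one OU, and only for user objects.
function Grant-PasswordResetOnOU {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$GroupSamAccountName
    )
    $sid        = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $GroupSamAccountName).SID
    $resetPwd   = Get-ExtendedRightGuid 'Reset Password'
    $pwdLastSet = Get-SchemaGuid 'pwdLastSet'
    $userClass  = Get-SchemaGuid 'user'
    $allow      = [System.Security.AccessControl.AccessControlType]::Allow
    $onUsers    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"
    # Control access right "Reset Password", inherited by descendant user objects only.
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow, $resetPwd, $onUsers, $userClass))
    # Read/Write pwdLastSet so the delegate can tick "User must change password at next logon".
    $rw = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
          [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $rw, $allow, $pwdLastSet, $onUsers, $userClass))
    Set-Acl -Path "AD:\$OuDistinguishedName" -AclObject $acl
}

# Read back the explicit (non-inherited) ACEs so the delegation can be reviewed.
function Get-ExplicitDelegation([string]$OuDistinguishedName) {
    (Get-Acl -Path "AD:\$OuDistinguishedName").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, AccessControlType
}

# The thread's warning: membership in any of these groups grants logon to every DC,
# so the delegated account must not be in them, directly or through nesting.
function Test-InPrivilegedGroup([string]$SamAccountName) {
    $privileged = 'Administrators','Domain Admins','Enterprise Admins','Schema Admins',
                  'Server Operators','Account Operators','Backup Operators','Print Operators'
    foreach ($g in $privileged) {
        # Enterprise/Schema Admins exist only in the forest root; errors are ignored elsewhere.
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
        if ($members | Where-Object { $_.SamAccountName -eq $SamAccountName }) { return $g }
    }
    return $null
}

# Step 1 of the thread as a check rather than a grant: run this on the DC itself to list
# who effectively holds "Allow log on locally" (SeInteractiveLogonRight).
function Get-LocalLogonRightHolders {
    $inf = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -like 'SeInteractiveLogonRight*' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # Entries prefixed with '*' are SIDs; translate them to account names.
            try { ([System.Security.Principal.SecurityIdentifier]$entry.Substring(1)).Translate([System.Security.Principal.NTAccount]).Value }
            catch { $entry }   # unresolvable SID: report it raw
        } else { $entry }
    }
}

# Usage (placeholder names):
Grant-PasswordResetOnOU -OuDistinguishedName 'OU=SiteUsers,DC=example,DC=com' -GroupSamAccountName 'SiteHelpdesk'
Get-ExplicitDelegation 'OU=SiteUsers,DC=example,DC=com' | Format-Table -AutoSize
if ($g = Test-InPrivilegedGroup 'contractor01') { "contractor01 is in $g; remove that membership before delegating" }
Get-LocalLogonRightHolders
```

The delegation is granted to a group rather than to the contractor's account directly, which keeps the OU's ACL stable when people change. Get-ExplicitDelegation is the review step: the only non-inherited entries for SiteHelpdesk should be the two added above, scoped to user objects. Get-LocalLogonRightHolders is the check for the thread's core concern; if the contractor or any group he belongs to appears in its output on the DC, the restriction Fred asked for is not in place regardless of what the OU delegation says.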
AD00000928 wrote on 09/21/2005 11:57 AM:
That sounds dangerous.

If you give him access to that server, particularly local logon access, you might as well just put him in the Enterprise Admin group and save both of you a few moments of work.

-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
listmail (joe) wrote on 09/22/2005 2:49 AM:
Look through the archives.

The short answer is... "Just don't do it". You can't possibly secure this regardless of what anyone says. If someone says it can be made safe, stop asking them technical questions about Domain Controllers and Active Directory.

Either you trust the person or you don't. If you don't trust the person, then don't put the person in a position to show you the meaning of screwed.



AD00000453 wrote on 09/22/2005 3:17 AM:
Thanks all for your replies. Joe: I got you loud and clear and agree.

prenouf wrote on 09/22/2005 3:58 AM:
As joe just said: don't do this.

Phil 
On 9/22/05, Mark.H.Lunsford@xxxxxx wrote:

You might consider a lower-level OU under the Domain Controllers OU with a different GPO that grants him local logon to just that DC.

Thank you, and have a nice day!
Mark Lunsford
KAISER PERMANENTE Security Operations

"Gil Kirkpatrick"
Sent by: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
09/21/2005 05:03 PM


Please respond toActiveDir@xxxxxxxxxxxxxxxxxx


To

cc

Subject
RE: [ActiveDir] Domain Controller Security


Yes, untrusted admin + DC logon access = no more security.If you're trying to lock him down, then you can't give him access to the
DC. Can you give him a member server for the file shares and justdelegate the password administraion on the OU?-g-----Original Message-----From:
gideona wrote on 09/22/2005 4:40 AM:
The only thing to do is to make him an admin of that site, or better yet make that site a child domain and make him a domain admin of that child domain. I know from experience that using a DC as anything but a DC is a freakin' pain in the ass: my predecessor set a DC up as a print/file server and another as a SQL server (finally able to demote that one now, soon hopefully). But my Citrix profiles are on the domain controller, and after months of trying to set delegation up properly in AD and setting up permissions in the appropriate folders on the DC, the only way I was able to get my Helpdesk admin set up to create accounts with my scripts, so that I didn't have to do it, was to make him a domain admin. My company is too damn cheap to get me another server to put the Citrix profiles somewhere else. Oh yeah, and it's an app server for network install of Office (can you feel my pain).

So, if there is only one server in the site and it's a DC, the only way to get him to do anything is to make him a domain admin (make it a child domain so he can't climb up the tree).

Gideon Ashcraft
Network Admin
Screen Actors Guild
aricbernard wrote on 09/22/2005 5:38 AM:
Allow me to log on to any DC in any domain and I will own your entire forest.

Allow me access to the console of any DC in any domain (assuming I can use a USB port or floppy drive), even without an account that allows me to log on locally, and I will own your entire forest.

The point, as Joe so eloquently phrased it, is: just don't do it! The forest is the security boundary, and if someone can compromise a single DC, regardless of domain, they can own your forest.

Aric



deji wrote on 09/22/2005 6:13 AM:
>>> make it a child domain so he can't climb up the tree

Not only will (s)he be able to run up the tree, (s)he will own the tree, the leaves, the bushes, the grasses, and, for that matter, the forest.

The Domain is NOT a security boundary. It is an administrative boundary. Service administrators have the ability to cross domain boundaries within a forest.

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

AD000001282 wrote on 09/22/2005 6:25 AM:
I thought that in AD, domains are considered security boundaries. In the cert exams, namely the 70-219, they are considered as such. Also, how would a domain admin of a child domain elevate his privileges?

Dan



From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
Sent: Thursday, September 22, 2005 1:28 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Domain Controller Security

Even as a domain admin of a child domain they will still be able to munge your forest or elevate their privileges. The security boundary in AD is at the forest, not the domain.

Phil



NOTICE: The information contained in this transmission is privileged, confidential, and intended only for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or the taking of any action in reliance on the contents of this transmission is strictly prohibited. If you have received this transmission in error, please notify Eze Castle Integration, Inc. by e-mail and destroy the original message and all copies. Thank you.
AD00000317 wrote on 09/22/2005 7:00 AM:
Wrongo...

...snip
Active Directory uses domains and forests to represent the logical structure of the directory hierarchy. Domains are used to manage the various populations of users, computers, and network resources in your enterprise. The forest represents the security boundary for Active Directory. Within domains you can create organizational units to subdivide the various divisions of administration.
snip...

Link to the actual doc (mind if it wraps):

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/6f8a7c80-45fc-4916-80d9-16e6d46241f9.mspx

AD00000317
09/22/2005 7:00 AM
Oh, and as for how, easy, but I won't tell here...

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of DeStefano, Dan
Sent: Thursday, September 22, 2005 12:09 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Domain Controller Security
I thought that in AD domains are considered security boundaries. In the cert exams, namely the 70-219, they are considered as such. Also, how would a domain admin of a child domain elevate his privileges?

Dan



From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
Sent: Thursday, September 22, 2005 1:28 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Domain Controller Security


Even as a domain admin of a child domain they will still be able to munge your forest or elevate their privileges. The security boundary in AD is at the forest, not the domain.



Phil 

On 9/22/05, Gideon Ashcraft <gideona@xxxxxxxxxxxxx> wrote:

The only thing to do is to make him an admin of that site, or better yet make that site a child domain and make him a domain admin of that child domain. I know from experience that using a DC as anything but a DC is a freakin pain in the ass, my predecessor set a DC up as a print/file server and another as a SQL server (finally able to demote that one now, soon hopefully). But my Citrix profiles are on the domain controller, and after months of trying to set delegation up properly in AD and setting up permissions in the appropriate folders on the DC, the only way I was able to get my Helpdesk admin set up to create accounts with my scripts so that I didn't have to do it was to make him a domain admin. My company is too damn cheap to get me another server to put the Citrix profiles somewhere else. Oh yeah, and it's an app server for network install of Office (can you feel my pain).

So, if there is only one server in the site and it's a DC, the only way to get him to do anything is to make him a domain admin (make it a child domain so he can't climb up the tree).



Gideon Ashcraft
Network Admin
Screen Actors Guild
listmail
09/22/2005 7:04 AM
The docs are wrong. Many of us have been hounding MS on this for years. They really started straightening out docs with K3. Some of the older 2K docs still suggest this security boundary at the domain. It really came to a head when Lucent put out a paper on this and it started getting quoted in the newsgroups and some of us just flamed the crap out of it.

No one here or anywhere should really publish how to exploit rights on a DC to take over a forest. The answer is pretty self-evident if someone understands the underpinnings and processes used in AD and since we can't fully protect against it, it is better left undocumented. If there was a guaranteed safe way to protect ourselves, then we could publish that workaround and some time later publish the issue.

joe
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of DeStefano, Dan
Sent: Thursday, September 22, 2005 2:09 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Domain Controller Security
I thought that in AD domains are considered security boundaries. In the cert exams, namely the 70-219, they are considered as such. Also, how would a domain admin of a child domain elevate his privileges?

Dan



AD000001229
09/22/2005 7:23 AM
You might consider a lower level OU under the Domain Controllers OU with a different GPO that grants him local logon to just that DC.

Thank You ! And have a nice day !

**************************************************************
Mark Lunsford
KAISER PERMANENTE
Security Operations
Remedy Group: NOPS SECURITY EDOS SYS
Direct Manager: Bud Furrow
Email: Mark.H.Lunsford@xxxxxx
Outside Phone: 925-926-5898
Tie Line Phone: 8-473-5898
Cell: 925-200-4077
**************************************************************


"Gil Kirkpatrick"
Sent by: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
09/21/2005 05:03 PM
Please respond to ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Domain Controller Security
Yes, untrusted admin + DC logon access = no more security.

If you're trying to lock him down, then you can't give him access to the DC. Can you give him a member server for the file shares and just delegate the password administration on the OU?

-g

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of ASB
Sent: Wednesday, September 21, 2005 4:53 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Domain Controller Security

That sounds dangerous.

If you give him access to that server, particularly local logon
access, you might as well just put him in the Enterprise Admin group
and save both of you a few moments of work.
-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/
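Gil's suggestion quoted above (a member server for the file shares, and only the password administration delegated on the OU) is the least-privilege answer the thread converges on. What follows is an added PowerShell example, not code from the list or from any of the posters: it grants one account the "Reset Password" control-access right (plus write access on pwdLastSet) on user objects under a single OU, and then confirms that the account holds no built-in operator or admin group membership, since that membership is what gave the original poster's contractor logon to every server. The OU distinguished name, the account name contractor and the domain example.com are placeholders; the GUIDs are the well-known AD schema and extended-right identifiers.

```powershell
# Added example (not from the list thread): delegate only password resets on one
# OU and verify the delegate is not in any built-in admin/operator group.
# Placeholders: the OU DN, the account 'contractor' and the domain example.com.
Import-Module ActiveDirectory

$ou       = 'OU=Users,OU=RemoteSite,DC=example,DC=com'   # placeholder OU
$delegate = Get-ADUser -Identity 'contractor'            # placeholder account

# Well-known GUIDs (AD extended-rights container and schema)
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" control access right
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class "user"
$pwdLastSetAttr     = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # attribute pwdLastSet

function New-DelegationRule {
    param([System.Security.Principal.SecurityIdentifier]$Sid,
          [System.DirectoryServices.ActiveDirectoryRights]$Rights,
          [Guid]$ObjectType)
    # Applies to descendant "user" objects only, never to the OU itself or to
    # groups/computers under it.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClass)
}

$acl = Get-Acl -Path "AD:\$ou"
# Right to set a new password without knowing the old one
$acl.AddAccessRule((New-DelegationRule $delegate.SID ([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) $resetPasswordRight))
# Write on pwdLastSet so "User must change password at next logon" can be set
$acl.AddAccessRule((New-DelegationRule $delegate.SID ([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) $pwdLastSetAttr))
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Verification: any of these groups grants logon to every DC/server, which is
# exactly what the original poster ran into with Server Operators.
$privileged = 'Domain Admins','Enterprise Admins','Administrators','Schema Admins',
              'Server Operators','Account Operators','Backup Operators','Print Operators'
$memberOf = Get-ADPrincipalGroupMembership -Identity $delegate | Select-Object -ExpandProperty Name
$overlap  = @($memberOf | Where-Object { $privileged -contains $_ })
if ($overlap.Count -gt 0) {
    Write-Warning ('{0} is in privileged group(s): {1}' -f $delegate.SamAccountName, ($overlap -join ', '))
} else {
    '{0}: no privileged group membership; password reset delegated on {1}' -f $delegate.SamAccountName, $ou
}
```

Run it from a machine with the RSAT ActiveDirectory module (which provides the AD: drive) as an account allowed to modify the OU's ACL. Two caveats a practitioner should keep in mind: accounts protected by AdminSDHolder keep their own ACL regardless of what is delegated on the OU, so the delegate cannot reset those; and Get-ADPrincipalGroupMembership lists direct memberships only, so a nested path into one of the privileged groups still needs a recursive check.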
prenouf
09/22/2005 7:24 AM
I don't think anyone is going to get into how privilege escalation can be done, I know I certainly won't get into it other than to make people aware that it is possible.

Phil 
On 9/22/05, DeStefano, Dan wrote:
I thought that in AD domains are considered security boundaries. In the cert exams, namely the 70-219, they are considered as such. Also, how would a domain admin of a child domain elevate his privileges?

Dan



AD00000124
09/22/2005 8:08 AM
Most of the answers to Fred's business need deal with the security issue of the domain: valid, certainly, but if the contractor really has a need to access files & shares, how would he do it?  Seems this DC is the sole site server and acting as a file server in addition to its DC duties.

Short of buying another server, an idea I read about on this list was to install VM software and run the file services as a virtual server.  Anybody tried that?

And in the 3k R2 world, if that DC were a caching-only DC, does that change the situation?



AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
----------------------------------------------
"Cry 'Havoc!' and let slip the dogs of war"  - Anthony, in Julius Caesar III i.

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
Sent: Thursday, September 22, 2005 12:43 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Domain Controller Security



When Windows 2000 first came out the domain was thought of as the security boundary and Microsoft even stated that in documentation, books and certifications. Through the course of using AD there were a few things that came to light as some talented and curious folks started noticing things and that has led to the security boundary stance being revised. The original statement was a mistake and I believe Microsoft has recognized and admitted that. Any up-to-date documentation will reflect that notion of the forest being the security boundary.

I don't think anyone is going to get into how privilege escalation can be done, I know I certainly won't get into it other than to make people aware that it is possible.

Phil



Gil
09/22/2005 8:32 AM
See, for instance, the demo Guido did in the security workshop with Sanjay at DEC last year.

-g
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Hutchins, Mike
Sent: Thursday, September 22, 2005 11:37 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Domain Controller Security

Oh, and as for how, easy, but I won't tell here...
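Every answer in this thread turns on one fact: whoever can log on locally to a domain controller is, in practice, a domain admin, which is why a GPO that grants the contractor local logon to "just that DC" does not contain him. A defender's first check is therefore who actually holds that right on the DCs. The block below is an added PowerShell example, not from the list or any of the posters; it exports the local user-rights assignment with secedit on a DC, resolves the SIDs holding SeInteractiveLogonRight, flags anything beyond the well-known Default Domain Controllers Policy defaults, and expands the built-in operator groups so that a member such as the original poster's Server Operator shows up by name. The default principal list is the standard set of built-ins; the export path under $env:TEMP is constructed for the example.

```powershell
# Added example (not from the list thread). Run on a domain controller in an
# elevated PowerShell session; needs secedit.exe (built in) and the RSAT
# ActiveDirectory module for the group expansion.
Import-Module ActiveDirectory

# Principals the Default Domain Controllers Policy grants "Allow log on locally".
$DefaultDcLogonPrincipals = @(
    'BUILTIN\Administrators',
    'BUILTIN\Account Operators',
    'BUILTIN\Backup Operators',
    'BUILTIN\Print Operators',
    'BUILTIN\Server Operators'
)

function Get-DcLocalLogonRight {
    param(
        # Export path, constructed for this example
        [string]$InfPath = (Join-Path $env:TEMP 'userrights.inf')
    )
    # secedit writes the assignment as one line, e.g.
    #   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-21-...-1105
    & secedit.exe /export /cfg $InfPath /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $InfPath -Encoding Unicode |
        Where-Object { $_ -match '^\s*SeInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    Remove-Item -Path $InfPath -ErrorAction SilentlyContinue
    if (-not $line) { return @() }

    ($line -split '=', 2)[1] -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # "*SID" form: translate to DOMAIN\Name, keep the SID if it no longer resolves
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $entry }
        } else {
            $entry   # already a name
        }
    }
}

# Report: flag anything that is not a Default Domain Controllers Policy default,
# then expand the operator groups, because membership there (the "Server
# Operator" case from the original post) is how a single account usually ends
# up with DC logon without appearing in the right itself.
$holders = @(Get-DcLocalLogonRight)
foreach ($h in $holders) {
    $status = if ($DefaultDcLogonPrincipals -contains $h) { 'default' } else { 'REVIEW ' }
    '{0} {1}' -f $status, $h
}
foreach ($group in 'Administrators','Account Operators','Backup Operators','Print Operators','Server Operators') {
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty SamAccountName
    if ($members) { '{0}: {1}' -f $group, ($members -join ', ') }
}
```

Anything marked REVIEW, and any non-administrator account listed under the operator groups, is a principal who can log on to the DC interactively and therefore, per Gil's equation above, sits outside any lock-down a GPO or OU delegation could provide. If the site DC also has to serve files, the thread's own mitigation still stands: move the file role to a member server or a VM, and leave the DC's local logon right at its defaults.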
Copyright 2008 ActiveDir.org