| Author | Messages | |
AD000001282
Posts:0
 | | 09/23/2005 9:32 AM |
| Thank you for the info
Dan
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Steve Linehan
Sent: Friday, September 23, 2005 12:58 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Domain Controller Security
That is the acronym for a Microsoft Technical Account Manager (TAM). Customers with custom support such as Premier Support generally have a TAM that is assigned to them.
Thanks,
-Steve
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of DeStefano, Dan
Sent: Friday, September 23, 2005 11:26 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Domain Controller Security
Excuse my ignorance, but what is a TAM?
Dan
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of ASB
Sent: Friday, September 23, 2005 5:46 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Domain Controller Security
>> And knowing it, I can always take extra precautions.
The knowing it consists of "don't do it, because you can't secure it".
There are no extra precautions to take. Certainly, you can increase your auditing, but you could do that now without knowing anything else.
>> Basically, 25% more prepared and secure against this type of attack is better than 0%.
The more people that know, the higher the potential of attack. And, as folks have pointed out, since there are no viable workarounds, it doesn't help anyone to have the number of potential attackers increased.
Call your TAM and see if he or she will provide enough details for you to feel comfortable.
-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/
On 9/23/05, Kamlesh Parmar <kamleshap@xxxxxxxxx> wrote:
I have to disagree a bit here...
Certainly, obscuring information is not the way to feel secure.
If I don't know how it is done, then how do I know that I will be able to detect it and trace it?
And knowing it, I can always take extra precautions, which I think is better than not knowing it at all.
Basically, 25% more prepared and secure against this type of attack is better than 0%, and certainly it helps calibrate how paranoid I have to be. :-)
I would like to know how it is done, as our team is currently migrating a good number of domains to a single domain. And we are going to give local guys rights to log on to the DC for some system maintenance purposes, until the final single domain is cleaned up and we revert to the core team for day-to-day maintenance.
So I am very much interested in knowing it.
On 9/23/05, joe <listmail@xxxxxxxxxxx> wrote:
The docs are wrong. Many of us have been hounding MS on this for years. They really started straightening out docs with K3. Some of the older 2K docs still suggest this security boundary at the domain. It really came to a head when Lucent put out a paper on this and it started getting quoted in the newsgroups and some of us just flamed the crap out of it.
No one here or anywhere should really publish how to exploit rights on a DC to take over a forest. The answer is pretty self-evident if someone understands the underpinnings and processes used in AD, and since we can't fully protect against it, it is better left undocumented. If there was a guaranteed safe way to protect ourselves, then we could publish that workaround and some time later publish the issue.
joe
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of DeStefano, Dan
Sent: Thursday, September 22, 2005 2:09 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Domain Controller Security
I thought that in AD, domains are considered security boundaries. In the cert exams, namely the 70-219, they are considered as such. Also, how would a domain admin of a child domain elevate his privileges?
Dan
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
Sent: Thursday, September 22, 2005 1:28 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Domain Controller Security
Even as a domain admin of a child domain they will still be able to munge your forest or elevate their privileges. The security boundary in AD is at the forest, not the domain.
Phil
On 9/22/05, Gideon Ashcraft wrote:
The only thing to do is to make him an admin of that site, or better yet make that site a child domain and make him a domain admin of that child domain. I know from experience that using a DC as anything but a DC is a freakin pain in the ass; my predecessor set a DC up as a print/file server and another as a SQL server (finally able to demote that one now, soon hopefully). But my Citrix profiles are on the domain controller, and after months of trying to set delegation up properly in AD and setting up permissions in the appropriate folders on the DC, the only way I was able to get my Helpdesk admin set up to create accounts with my scripts so that I didn't have to do it was to make him a domain admin. My company is too damn cheap to get me another server to put the Citrix profiles somewhere else. Oh yeah, and it's an app server for network install of Office (can you feel my pain).
So, if there is only one server in the site and it's a DC, the only way to get him to do anything is to make him a domain admin (make it a child domain so he can't climb up the tree).
Gideon Ashcraft
Network Admin
Screen Actors Guild
Subject: RE: [ActiveDir] Domain Controller Security
Look through the archives.
The short answer is... "Just don't do it". You can't possibly secure this regardless of what anyone says. If someone says it can be made safe, stop asking them technical questions about Domain Controllers and Active Directory.
Either you trust the person or you don't. If you don't trust the person, then don't put the person in a position to show you the meaning of screwed.
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of van Donk, Fred
Sent: Tuesday, September 20, 2005 4:52 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Domain Controller Security
I have a contractor in a remote site. There is only 1 server in that site, which is a DC.
He needs to administer that server:
- Create shares
- Make file/share permissions
- Change user passwords in the User OU for that site.
He is not allowed to log on to any other server in the domain.
When I make him a "Server Operator" he can log on to any server in the domain.
Any idea on how to lock him down to that one server and then how to lock him down on that one OU where he should only be allowed to change the passwords of the users?
Thanks!
Fred
| | | |
| AD00000928
Posts:0
 | | 09/23/2005 9:50 AM |
| I have to disagree a bit here...
Certainly, obscuring information is not the way to feel secure.
If I don't know how it is done, then how do I know that I will be able to detect it and trace it? And knowing it, I can always take extra precautions, which I think is better than not knowing it at all.
Basically, 25% more prepared and secure against this type of attack is better than 0%, and certainly it helps calibrate how paranoid I have to be. :-)
I would like to know how it is done, as our team is currently migrating a good number of domains to a single domain. And we are going to give local guys rights to log on to the DC for some system maintenance purposes, until the final single domain is cleaned up and we revert to the core team for day-to-day maintenance.
So I am very much interested in knowing it.
| | | |
| listmail
Posts:428
 | | 09/23/2005 9:58 AM |
| Which on the whole you may find to be far more helpful than most TAMs you might have gotten...
Not trying to be mean, but I haven't had the greatest luck with TAMs. There have been two in ten years that I can think of off the top of my head that I liked (hey Efrem, hey Michelle) and I still beat the crap out of them when I had them available. Generally, IMO, a TAM is a person who tells you what you can't have even if they don't know what you are asking for.
I once talked about looking into a TAM position and a high level MCS manager who had been trying to get me to join MS for I don't know how long told me (he was drunk at the time), hell no, you are far too technically gifted to be a TAM...
Just a thought though mom, you guys in SBS land seem to stick together pretty well. I wonder if you could form a union with all of the SBS crazies (and I say that lovingly) and have dues and such and then get a joint Premier Support Account for all of you together and funnel issues up through it.
joe
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, September 23, 2005 1:45 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Domain Controller Security
Us in SBSland have newsgroups and MVPs.
Brian Desmond wrote:
> Technical Account Manager. When you spend ample money with MS, you get one of these. I think a PSS contract is enough to have one. They're sort of your MS/Customer bridge.
> Thanks,
> Brian Desmond
> brian@xxxxxxxxxxxxxxxx
> c - 312.731.3132
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| James_Day
Posts:13
 | | 09/23/2005 10:14 AM |
| I have a wacky idea that just might work - because I like wacky ideas.
What if you made a new forest with say one DC and one account - the contractor guy. (Since the security boundary is the forest, put him in a new forest.)
Then what if you made a trust between the two with selective authentication.
Then what if using selective authentication in AD you set that machine to allow authentication from that user account.
Then what if you made that user account admin or less of that machine.
That should grant him full rights on the little baby stand alone DC that you set up - which if he breaks it he cannot do anything at all. It will also grant him admin rights to that server (you could give him less).
It would also keep him off every other machine because his account would need explicit access rights via the selective authentication set up on the trust.
And, seeing he has no rights in the real domain he would not be able to change that selective authentication check, nor would he be able to give himself access on any other box.
Of course, he could just sit on the file server and sniff for passwords - so if he really wanted the access he would eventually get it somewhere - but he would have to work for it.
Just a thought;
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
202-230-2983
james_day@xxxxxxxxxxxxxxxxxx | | | |
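A way to verify the trust-plus-selective-authentication design James lays out above, as an added PowerShell audit script that is not from the thread or from any Microsoft tool: it reports whether the trust to the contractor's forest has selective authentication turned on, and which computer objects grant his account the Allowed-to-Authenticate right, so you can confirm it is the one server and nothing else. It assumes the ActiveDirectory module and read access to the trust and computer objects; the forest name, computer name and SID below are placeholders.

```powershell
# Added audit example; not code from the thread or from any project.
# Checks the design from the post above: a trust to a separate forest with
# selective authentication, and the contractor's account granted
# Allowed-to-Authenticate on exactly one computer object.
# Assumes the ActiveDirectory module is loaded (which also provides the AD: drive)
# and that the caller can read trust objects and computer-object ACLs.
Import-Module ActiveDirectory

$TrustedForest   = 'contractor.example'   # placeholder: forest holding the contractor account
$ExpectedMachine = 'REMOTE-DC01'          # placeholder: the only server he should reach
$ContractorSid   = 'S-1-5-21-0-0-0-1001'  # placeholder: SID of his account in that forest

# rightsGuid of the Allowed-to-Authenticate extended right; with selective
# authentication on, this is the ACE a trusted-forest user needs on the
# target computer object before any logon there is allowed.
$AllowedToAuth = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Test-SelectiveAuthTrust {
    param([string]$Target)
    $trust = Get-ADTrust -Filter "Target -eq '$Target'" -ErrorAction SilentlyContinue
    if (-not $trust) {
        return [pscustomobject]@{ Trust = $Target; Exists = $false; Direction = $null; SelectiveAuth = $false }
    }
    [pscustomobject]@{
        Trust         = $trust.Name
        Exists        = $true
        # Inbound lets the other forest's users authenticate here; an outbound
        # leg would let our users into the contractor forest, which this design does not need.
        Direction     = [string]$trust.Direction
        SelectiveAuth = [bool]$trust.SelectiveAuthentication
    }
}

function Get-AllowedToAuthGrants {
    # Lists every computer carrying an allow ACE that satisfies the
    # Allowed-to-Authenticate check: the specific right, "all extended rights"
    # (empty ObjectType), or GenericAll.
    $extRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    foreach ($c in Get-ADComputer -Filter *) {
        $acl = Get-Acl -Path ("AD:\" + $c.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = $ace.ActiveDirectoryRights
            $grants = ($rights.HasFlag($genericAll) -or
                       ($rights.HasFlag($extRight) -and
                        ($ace.ObjectType -eq $AllowedToAuth -or $ace.ObjectType -eq [guid]::Empty)))
            if (-not $grants) { continue }
            # Principals from the other forest usually cannot be resolved to a
            # name here, so normalise every identity to its SID for comparison.
            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $sid = $ace.IdentityReference.Value }
            [pscustomobject]@{
                Computer  = $c.Name
                Identity  = $ace.IdentityReference.Value
                Sid       = $sid
                Inherited = $ace.IsInherited
            }
        }
    }
}

# --- report ---
$trust = Test-SelectiveAuthTrust -Target $TrustedForest
$trust | Format-List
if (-not $trust.SelectiveAuth) {
    Write-Warning "Trust to $TrustedForest is not selective: any authenticated user of that forest can authenticate to any computer here."
}

$grants = @(Get-AllowedToAuthGrants)
$mine   = @($grants | Where-Object Sid -eq $ContractorSid)
$mine | Format-Table Computer, Identity, Inherited -AutoSize

$extra = @($mine | Where-Object Computer -ne $ExpectedMachine)
if ($extra.Count -gt 0) {
    Write-Warning ("Contractor can authenticate to more than the one server: " + ($extra.Computer -join ', '))
} elseif ($mine.Count -eq 0) {
    Write-Warning "No Allowed-to-Authenticate grant found for the contractor; with selective auth on he will be refused everywhere."
} else {
    Write-Host "OK: contractor is limited to $ExpectedMachine"
}

# Inherited grants are the usual way this restriction silently widens: an ACE
# set on an OU or on the domain head flows down to every computer beneath it.
if (@($mine | Where-Object Inherited).Count -gt 0) {
    Write-Warning "One or more grants are inherited; review the parent container's ACL."
}
```

The ACL check says nothing about what the account can do once it is on that server; the point made earlier in the thread, that admin rights on a DC are effectively forest-wide, still applies.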
| AndrewCace@xxxx.yyy
 | | 09/23/2005 10:21 AM |
| -Andrew
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Friday, September 23, 2005 4:37 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Domain Controller Security
Which on the whole you may find to be far more helpful than most TAM's you
might have gotten...
Not trying to be mean, but I haven't had the greatest luck with TAMs. There
have been two in ten years that I can think of off the top of my head that I
liked (hey Efrem, hey Michelle) and I still beat the crap out of them when I
had them available. Generally, IMO, a TAM is a person who tells you what you
can't have even if they don't know what you are asking for.
I once talked about looking into a TAM position and a high level MCS manager
who had been trying to get me to join MS for I don't know how long told me
(he was drunk at the time), hell no, you are far too technically gifted to
be a TAM... Just a thought though mom, you guys in SBS land seem to stick together
pretty well. I wonder if you could form a union with all of the SBS crazies
(and I say that lovingly) and have dues and such and then get a joint
Premier Support Account for all of you together and funnel issues up through
it.
joe -----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Friday, September 23, 2005 1:45 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Domain Controller Security
Us in SBSland have newsgroups and MVPs.
Brian Desmond wrote:
> Technical Account Manager. When you spend ample money with MS, you
> get one of these. I think a PSS contract is enough to have one.
> They're sort of your MS/Customer bridge.
> Thanks,
> Brian Desmond
> brian@xxxxxxxxxxxxxxxx
> c - 312.731.3132
> ----------------------------------------------------------------------
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of DeStefano, Dan
> Sent: Friday, September 23, 2005 12:26 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Domain Controller Security
> Excuse my ignorance, but what is a TAM?
> > Dan
> ----------------------------------------------------------------------
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of ASB
> Sent: Friday, September 23, 2005 5:46 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: Re: [ActiveDir] Domain Controller Security
> >>>And knowing it, I can always take extra precautions.
> > The knowing it consists of "don't do it, because you can't secure it"
> > There are no extra precautions to take. Certainly, you can increase
> your auditing, but you could do that now without knowing anything else.
> >>>basically, 25% more prepared and secure against this type of attack
> is better than 0%.
> > The more people that know, the higher the potential of attack. And, as
> folks have pointed out, since there are no viable workarounds, it
> doesn't help anyone to have the number of potential attackers increased.
> > Call your TAM and see if he or she will provide enough details for you
> to feel comfortable.
> > -ASB
> > FAST, CHEAP, SECURE: Pick Any TWO
> > http://www.ultratech-llc.com/KB/
> On 9/23/05, Kamlesh Parmar wrote:
> > I have to disagree a bit here...
> > Certainly, obscuring of information is not the way to feel secure.
> > If I don't know, how it is done, then how do I know, that I will be
> able to detect it, and trace it.
> And knowing it, I can always take extra precautions. Which I think,
> better than not knowing it at all.
> > basically, 25% more prepared and secure against this type of attack is
> better than 0%. and certainly it helps calibrate how much paranoid I
> have to be. :-)
> > I would like to know, how it is done, as our team is currently
> migrating some good number of domains to single domain. And we are
> going to give local guys rights to logon to DC for some system
> maintenance purposes, till final single domain is cleaned up and we
> revert back to core team for day-to-day maintenance.
> > So I am very much interested in knowing it.
> On 9/23/05, joe wrote:
> > The docs are wrong. Many of us have been hounding MS on this for
> years. They really started straightening out docs with K3. Some of the
> older 2K docs still suggest this security boundary at the domain. It
> really came to a head when Lucent put out a paper on this and it
> started getting quoted in the newsgroups and some of us just flamed
> the crap out of it.
> > No one here or anywhere should really publish how to exploit rights on
> a DC to take over a forest. The answer is pretty self-evident if
> someone understands the underpinnings and processes used in AD and
> since we can't fully protect against it, it is better left
> undocumented. If there was a guaranteed safe way to protect ourselves,
> then we could publish that workaround and some time later publish the
> issue.
> > joe
> ----------------------------------------------------------------------
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of DeStefano, Dan
> Sent: Thursday, September 22, 2005 2:09 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Domain Controller Security
> > I thought that in ad domains are considered security boundaries. In
> the cert exams, namely the 70-219, they are considered as such. Also,
> how would a domain admin of a child domain elevate his privileges?
> > Dan
> ----------------------------------------------------------------------
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
> Sent: Thursday, September 22, 2005 1:28 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: Re: [ActiveDir] Domain Controller Security
> Even as a domain admin of a Child domain they will still be able to
> munge your forest or elevate their privileges. The security boundary
> in AD is at the forest, not the domain.
> > Phil
> On 9/22/05, Gideon Ashcraft wrote:
> > The only thing to do is to make him an admin of that site, or better
> yet make that site a child domain and make him a domain admin of that
> child domain. I know from experience that using a DC as anything but a
> DC is a freakin pain in the ass, my predecessor set a DC up as a
> print/file server and another as a SQL server (finally able to demote
> that one now, soon hopefully). But my citrix profiles are on the
> domain controller, and after months of trying to set delegation up
> properly in AD and setting up permissions in the appropriate folders
> on the DC, the only way I was able to get my Helpdesk admin set up to
> create accounts with my scripts so that I didn't have to do it was to
> make him a domain admin. My company is too damn cheap to get me
> another server to put the citrix profiles somewhere else. Oh yeah, and
> its an app server for network install of office (can you feel my pain).
> > So, if there is only one server in the site and its a DC, the only way
> to get him to do anything is to make him a domain admin (make it a
> child domain so he can't climb up the tree)
> > Gideon Ashcraft
> > Network Admin
> > Screen Actors Guild
> Subject: RE: [ActiveDir] Domain Controller Security
> > Look through the archives.
> > The short answer is... "Just don't do it". You can't possibly secure
> this regardless of what anyone says. If someone says it can be made
> safe, stop asking them technical questions about Domain Controllers
> and Active Directory.
> > Either you trust the person or you don't. If you don't trust the
> person, then don't put the person in a position to show you the
> meaning of screwed.
> ----------------------------------------------------------------------
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of van Donk, Fred
> Sent: Tuesday, September 20, 2005 4:52 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: [ActiveDir] Domain Controller Security
> > I have a contractor in a remote site. There is only 1 server in that
> site which is a DC.
> > He needs to administer that server.
> > -Create shares
> > -Make file/share permissions
> > -Change user passwords in the User OU for that site.
> He is not allowed to log on to any other server in the domain.
> > When I make him a "Server Operator" he can logon to any server in the
> domain.
> > Any idea on how to lock him down to that one server and then how to
> lock him down on that one OU where he should only be allowed to change
> the passwords of the users.
> > Thanks!
> > Fred
> > > NOTICE: The information contained in this transmission is privileged,
> confidential, and intended only for the use of the individual or
> entity named above. If you are not the intended recipient, you are
> hereby notified that any disclosure, copying, distribution, or the
> taking of any action in reliance on the contents of this transmission
> is strictly prohibited. If you have received this transmission in
> error, please notify Eze Castle Integration, Inc. by e-mail and
> destroy the original message and all copies. Thank you.
> > > List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
| | | |
| davidadner
Posts:0
 | | 09/23/2005 10:36 AM |
| Houston and San Antonio TAM's are, IMO, generally more technical than the
average TAM. Or, if not technical, they're much more directly involved with
their customers and know how to take care of them. Regardless, you're
always going to hear the dev/support/sales engineers bag on TAM's. There's
a pecking order that must be followed. :)
> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Cace, Andrew
> Sent: Friday, September 23, 2005 5:21 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Domain Controller Security
> > We have a great TAM. The guy is extremely knowledgeable on a
> wide variety of MS products. What he doesn't know, he knows
> who to get in touch with in Las Colinas to get the right
> answers fast. That's why I was shocked when I went to some
> MS training on MIIS in San Jose, and heard the technical
> people in the class bagging on TAMs and how non-technical
> they tend to be.
> > -Andrew
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
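ASB's remark quoted earlier in this thread, that you can increase your auditing whether or not you know the exploit, is the one part of the "how do I detect it" question that is actionable without publishing anything. Below is an added example, not code from the thread or from anyone posting here: PowerShell that reads the password-reset audit events off a DC and flags resets performed by the delegated group's members against accounts outside the OU they were delegated for. The DC name `DC01`, the OU distinguished name and the group `RemoteSite-PwdReset` are assumed placeholders; the DCs must have success auditing for User Account Management turned on, or event 4724 is never written.

```powershell
# Added example, not from the thread. Reads event 4724 ("An attempt was made to
# reset an account's password") from a DC's Security log and flags resets done
# by the delegated group's members on accounts outside the delegated OU.
# DC, OU and group names are assumed placeholders. Event 4724 only appears when
# "Audit User Account Management" (success) is enabled on the DCs.
Import-Module ActiveDirectory

$dc    = 'DC01'                                          # assumption
$ou    = 'OU=Users,OU=RemoteSite,DC=corp,DC=example'     # assumption
$group = 'RemoteSite-PwdReset'                           # assumption
$since = (Get-Date).AddDays(-7)

# Expand nesting: a member of a member of the group still acts as the delegate.
$delegates = (Get-ADGroupMember -Identity $group -Recursive).SamAccountName

$events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName = 'Security'; Id = 4724; StartTime = $since } -ErrorAction SilentlyContinue

$report = foreach ($ev in $events) {
    # Pull the named EventData fields out of the event XML.
    $d = @{}
    foreach ($n in ([xml]$ev.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($delegates -notcontains $d.SubjectUserName) { continue }   # not one of ours

    # TargetUserName is a sAMAccountName; resolve it to a DN and test OU membership.
    $target  = Get-ADUser -Identity $d.TargetUserName -ErrorAction SilentlyContinue
    $inScope = [bool]$target -and
               $target.DistinguishedName.EndsWith(",$ou", [StringComparison]::OrdinalIgnoreCase)

    $flag = ''
    if (-not $inScope) { $flag = 'reset outside delegated OU: investigate' }

    [pscustomobject]@{
        Time    = $ev.TimeCreated
        Actor   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Target  = $d.TargetUserName
        InScope = $inScope
        Flag    = $flag
    }
}

$report | Sort-Object Time | Format-Table -AutoSize
# Any row with InScope=False means the delegate holds more than the OU ACE gave
# them (group nesting, Account Operators, a stray ACE elsewhere): fix the rights,
# do not just keep watching the log.
```

Read this as a control on the delegation, not on the DC. If the same contractor also has rights on the DC itself, the Security log he is being watched through sits on a box he can administer, which is the thread's point; at minimum forward the DC's Security log somewhere he cannot reach before relying on it.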
| listmail
Posts:428
 | | 09/23/2005 10:41 AM |
| Yep it is very hit and miss. Sort of the same with MCS and PSS folks and
honestly any consultants or support folks anywhere. There are good ones, not
so good ones, and those that couldn't get a job anywhere else.
My favorite TAM/PSS/MCS/CONSULTANT/SUPPORT folks are the ones that can
proudly say, I don't know, but I will try to find out.
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Cace, Andrew
Sent: Friday, September 23, 2005 6:21 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Domain Controller Security
We have a great TAM. The guy is extremely knowledgeable on a wide variety
of MS products. What he doesn't know, he knows who to get in touch with in
Las Colinas to get the right answers fast. That's why I was shocked when I
went to some MS training on MIIS in San Jose, and heard the technical people
in the class bagging on TAMs and how non-technical they tend to be.
-Andrew
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| kamleshap
Posts:26
 | | 09/23/2005 11:13 AM |
| On 9/23/05, ASB wrote:
>>And knowing it, I can always take extra precautions.
The knowing it consists of "don't do it, because you can't secure it"
There are no extra precautions to take. Certainly, you can increase your auditing, but you could do that now without knowing anything else.
>>basically, 25% more prepared and secure against this type of attack is better than 0%.
The more people that know, the higher the potential of attack. And, as folks have pointed out, since there are no viable workarounds, it doesn't help anyone to have the number of potential attackers increased.
Call your TAM and see if he or she will provide enough details for you to feel comfortable.
-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/
On 9/23/05, Kamlesh Parmar wrote:
I have to disagree a bit here...
Certainly, obscuring of information is not the way to feel secure.
If I don't know, how it is done, then how do I know, that I will be able to detect it, and trace it. And knowing it, I can always take extra precautions. Which I think, better than not knowing it at all.
basically, 25% more prepared and secure against this type of attack is better than 0%. and certainly it helps calibrate how much paranoid I have to be. :-)
I would like to know, how it is done, as our team is currently migrating some good number of domains to single domain. And we are going to give local guys rights to logon to DC for some system maintenance purposes, till final single domain is cleaned up and we revert back to core team for day-to-day maintenance.
So I am very much interested in knowing it.
On 9/23/05, joe wrote: The docs are wrong. Many of us have been hounding MS on this for years. They really started straightening out docs with K3. Some of the older 2K docs still suggest this security boundary at the domain. It really came to a head when Lucent put out a paper on this and it started getting quoted in the newsgroups and some of us just flamed the crap out of it.
No one here or anywhere should really publish how to exploit rights on a DC to take over a forest. The answer is pretty self-evident if someone understands the underpinnings and processes used in AD and since we can't fully protect against it, it is better left undocumented. If there was a guaranteed safe way to protect ourselves, then we could publish that workaround and some time later publish the issue.
joe From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of DeStefano, DanSent: Thursday, September 22, 2005 2:09 PMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] Domain Controller Security
I thought that in ad domains are considered security boundaries. In the cert exams, namely the 70-219, they are considered as such. Also, how would a domain admin of a child domain elevate his privileges?
Dan
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil RenoufSent: Thursday, September 22, 2005 1:28 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxxSubject:
Re: [ActiveDir] Domain Controller Security
Even as a domain admin of a Child domain they will still be able to munge your forest or elevate their priviledges. The security boundary in AD is at the forest, not the domain.
Phil
On 9/22/05, Gideon Ashcraft wrote:
The only thing to do is to make him an admin of that site, or better yet make that site a child domain and make him a domain admin of that child domain. I know from experience that using a DC as anything but a DC is a freakin pain in the ass, my predecessor set a DC up as a print/file server and another as a SQL server (finally able to demote that one now, soon hopefully). But my citrix profiles are on the domain controller, and after months of trying to set delegation up properly in AD and setting up permissions in the appropriate folders on the DC, the only way I was able to get my Helpdesk admin set up to create accounts with my scripts so that I didn't have to do it was to make him a domain admin. My company is too damn cheap to get me another server to put the citrix profiles somewhere else. Oh yeah, and its an app server for network install of office (can you feel my pain).
So, if there is only one server in the site and its a DC, the only way to get him to do anything is to make him a domain admin (make it a child domain so he can't climb up the tree)
Gideon Ashcraft
Network Admin
Screen Actors Guildct: RE: [ActiveDir] Domain Controller Security
Look through the archives.
The short answer is... "Just don't do it". You can't possibly secure this regardless of what anyone says. If someone says it can be made safe, stop asking them technical questions about Domain Controllers and Active Directory.
Either you trust the person or you don't. If you don't trust the person, then don't put the person in a position to show you the meaning of screwed.
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of van Donk, FredSent: Tuesday, September 20, 2005 4:52 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxxSubject:
[ActiveDir] Domain Controller Security
I have a contractor in a remote site. There is only 1 server in that site which is a DC.
He needs to administer that server.
-Create shares
-Make file/share permissions
-Change user passwords in the User OU for that site.
He is not allowed to log on to any other server is the domain.
When I make him a "Server Operator" he can logon to any server in the domain.
Any idea on how to lock him down to that one server and then how to lock him down on that one OU where he should only be allowed to change the passwords of the users.
Thanks!
Fred
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~"Fortune and Love befriend the bold"
~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | |
| AD000001290
Posts:0
 | | 09/23/2005 11:26 AM |
| Why not draw an analogy with viruses and malicious code. You'll happily protect yourself against potential issues and loopholes without understanding how the viruses take advantage of those loopholes and make their way into your environment.
The arguments outlined below are similar. It is not important how the attack is made, but rather that it is *possible* if you grant a user physical access to a DC. Your TAM, I suspect, will tell you that if you grant access to a DC to a user, then "all bets are off", i.e. don't expect the OS to protect you from that user since you just gave him the keys to the forest. You may trust him to not do anything untoward, but that's not the point. If he/she has access to a DC, then he/she has absolute (potential) control over the forest.
neil
___________________________ Neil Ruston Global Technical Infrastructure Nomura International plc Telephone: +44 (0) 20 7521 3481
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Kamlesh Parmar
Sent: 23 September 2005 12:12
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Domain Controller Security
As I mentioned, it's not possible for me to not allow local site guys to log in locally to the DC, at least for a small period, till we automate most of the system maintenance like sysstate backup and AV update checks etc. And I am not saying that we don't trust them. They have physical access to the DC, so if they want to, they can become enterprise admin through hacks available on the net (which we counter by extensive physical security).
What surprised me is the possibility of remote compromise using a normal user local login, which can be extended through terminal services.
I have extensive auditing enabled. And I am daily monitoring the group membership changes for enterprise admins, schema admins, domain admins, server operators, backup operators, etc.
As far as I know, that would be the first thing unauthorised access will try to do, i.e. elevate their rights within the system.
Is this sufficient? Is there any other attack symptom I should be monitoring DAILY?
I have already raised the concern with our ADS migration PM, and to get more info from our TAM.
But if I just ask him what the possibility of AD compromise is in case of normal user local login onto a DC, I guess the TAM is likely to play down the threat.
I understand the experts' concern for not even talking about it in the forum, in the interests of the community, as we don't know the intent of every subscriber.
But I do feel "this is a big issue, easily exploitable with little workaround to thwart it."
You know, guys, this has increased the priority for me to automate the maintenance stuff on urgency and remove the rights for local login on DCs. It will be hard for me to explain to them why I am doing it, as I have very little facts. :(
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~"Fortune and Love befriend the bold" ~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | |
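The daily check Kamlesh describes above (watching the membership of the enterprise admins, schema admins, domain admins, server operators and backup operators groups for changes), written out as an added PowerShell example that is not part of the original thread. It assumes the RSAT ActiveDirectory module (Get-ADGroupMember); the group list, the baseline file path and the scheduled-task usage are assumptions.

```powershell
# Added example (not from the thread): snapshot the membership of the privileged
# groups Kamlesh lists, diff it against the previous snapshot and flag every
# addition or removal. Assumes the RSAT ActiveDirectory module is installed;
# the group list and baseline path are assumptions, adjust them for your forest.
Import-Module ActiveDirectory

$PrivilegedGroups = @(
    'Enterprise Admins', 'Schema Admins', 'Domain Admins',
    'Administrators', 'Server Operators', 'Backup Operators', 'Account Operators'
)
$BaselinePath = 'C:\Audit\privileged-groups-baseline.json'   # assumed location

function Get-PrivilegedMembership {
    # -Recursive resolves nested groups, so a user added to a group that is
    # itself a member of Domain Admins still appears in the snapshot.
    $snapshot = @{}
    foreach ($group in $PrivilegedGroups) {
        try {
            $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
                       ForEach-Object { $_.distinguishedName } | Sort-Object -Unique
        } catch {
            Write-Warning "Could not enumerate '$group': $($_.Exception.Message)"
            $members = @()
        }
        $snapshot[$group] = @($members)
    }
    return $snapshot
}

function Compare-Membership {
    param([hashtable]$Baseline, [hashtable]$Current)
    $changes = @()
    foreach ($group in $Current.Keys) {
        $old = @($Baseline[$group] | Where-Object { $_ })   # missing key -> empty list
        $new = @($Current[$group])
        foreach ($m in $new) {
            if ($old -notcontains $m) {
                $changes += [pscustomobject]@{ Group = $group; Change = 'ADDED';   Member = $m }
            }
        }
        foreach ($m in $old) {
            if ($new -notcontains $m) {
                $changes += [pscustomobject]@{ Group = $group; Change = 'REMOVED'; Member = $m }
            }
        }
    }
    return $changes
}

$current = Get-PrivilegedMembership

if (Test-Path $BaselinePath) {
    # JSON round-trips the hashtable as an object; rebuild the hashtable from it.
    $baseline = @{}
    (Get-Content $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = @($_.Value) }

    $changes = Compare-Membership -Baseline $baseline -Current $current
    if ($changes) {
        $changes | Format-Table -AutoSize | Out-String | Write-Warning
        # Deliberately leave the baseline untouched: the change keeps being
        # reported on every run until someone reviews it and re-baselines.
        exit 1
    }
    Write-Host 'No privileged group membership changes since the last baseline.'
} else {
    Write-Host "No baseline found; recording the first snapshot at $BaselinePath."
}

$current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
```

Run it from a daily scheduled task under an account that can read the groups; a non-zero exit code means a membership changed and the diff is in the warning output.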
| prenouf
Posts:1
 | | 09/23/2005 12:33 PM |
| I know that's not what you were trying to say ASB, just making sure that no one was expecting to get that information from their TAM.
Phil | | | |
| AD00000900
Posts:0
 | | 09/24/2005 7:21 AM |
| That's really what a TAM's job is. They're supposed to be advocates for
their customer within Microsoft. If they're not beating down (virtual) doors
within MS to get issues resolved for their customer, they're failing at what
they get paid to do... --------
Roger Seielstad
E-mail Geek
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Friday, September 23, 2005 3:41 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Domain Controller Security
Yep it is very hit and miss. Sort of the same with MCS and PSS folks and
honestly any consultants or support folks anywhere. There are good ones, not
so good ones, and those that couldn't get a job anywhere else.
My favorite TAM/PSS/MCS/CONSULTANT/SUPPORT folks are the ones that can
proudly say, I don't know, but I will try to find out.
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Cace, Andrew
Sent: Friday, September 23, 2005 6:21 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Domain Controller Security
We have a great TAM. The guy is extremely knowledgeable on a wide variety
of MS products. What he doesn't know, he knows who to get in touch with in
Las Colinas to get the right answers fast. That's why I was shocked when I
went to some MS training on MIIS in San Jose, and heard the technical people
in the class bagging on TAMs and how non-technical they tend to be.
-Andrew
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Friday, September 23, 2005 4:37 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Domain Controller Security
Which on the whole you may find to be far more helpful than most TAM's you
might have gotten...
Not trying to be mean, but I haven't had the greatest luck with TAMs. There
have been two in ten years that I can think of off the top of my head that I
liked (hey Efrem, hey Michelle) and I still beat the crap out of them when I
had them available. Generally, IMO, a TAM is a person who tells you what you
can't have even if they don't know what you are asking for.
I once talked about looking into a TAM position and a high level MCS manager
who had been trying to get me to join MS for I don't know how long told me
(he was drunk at the time), hell no, you are far too technically gifted to
be a TAM... Just a thought though mom, you guys in SBS land seem to stick together
pretty well. I wonder if you could form a union with all of the SBS crazies
(and I say that lovingly) and have dues and such and then get a joint
Premier Support Account for all of you together and funnel issues up through
it.
joe
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Friday, September 23, 2005 1:45 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Domain Controller Security
Us in SBSland have newsgroups and MVPs.
Brian Desmond wrote:
> Technical Account Manager. When you spend ample money with MS, you
> get one of these. I think a PSS contract is enough to have one.
> They're sort of your MS/Customer bridge.
> Thanks,
> Brian Desmond
> brian@xxxxxxxxxxxxxxxx
> c - 312.731.3132
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of DeStefano, Dan
> Sent: Friday, September 23, 2005 12:26 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Domain Controller Security
> Excuse my ignorance, but what is a TAM?
> Dan
|