This forum is an archive of all posts to our mailing list over the past few years.  The forum is set read only therefore to contribute you will need to join our list community.  See more info about this here.
Subject: [ActiveDir] DNS - Authenticated Users
MarcusOh

06/18/2009 1:05 PM  
Anyone have any information on why exactly Authenticated Users w/ Create Child Objects has permissions to domain zones by default?

I'm trying to figure out if there's a better way to do this. I presume it's so that computers (or dhcp) can register records. Would it not be possible to achieve this through some other series of security combinations without granting something as loose as AU to this?

TIA -

--

::marcus
printing this email is bad for your feng shui.


deji

06/18/2009 6:08 PM  
I think you correctly interpreted the intended use. Knowing that, what other mechanism would you rather use? I think the AU group is convenient (IMO) in that SecPrins that have already been validated by your authentication mechanisms should (by inference) be allowed to read and update their own properties.

If your fear is that the AU will allow SecPrinA to update SecPrinB's properties, I don't think you need to worry too much about that - AFAIK, it will not be a trivial exercise to do so.

If your fear is that the AU's ability to create child objects will also allow it to create too many objects, AD quotas is your friend.

You may have other concerns I have not thought about - so, let's hear it.


Sincerely,
www.akomolafe.name<http://www.akomolafe.name/> - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

MarcusOh

06/19/2009 1:33 PM  
That sums it up pretty well, except that as far as I can tell, it also allows a user to create any hostname inside of the domain zone. Anyone who is authenticated could potentially strike up some additional hostnames that closely match an intranet site or something and direct them to a different set of IPs. I haven't personally run into the issue, but always thought it was pretty strange...

--

::marcus
 printing this email is bad for your feng shui.


MarcusOh

06/23/2009 7:55 PM  
Sorry about the late reply, Deji.

I don't think it'd take much more than a little bit of knowledge. All records are capable of being read by any host. To be malicious, if I were a disgruntled employee, all I'd have to do is insert a bad record to cause a RR condition on an existing host, right? Not that I have any reason to believe that there are untrustworthy users where I work, but I'm not oblivious to the possibility. :) Am I thinking it's simpler than it actually is?

Thanks for the response!

--

::marcus
 printing this email is bad for your feng shui.


-----Original Message-----
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Akomolafe, Deji
Sent: Friday, June 19, 2009 2:32 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] DNS - Authenticated Users

The potential for internal (trusted) users to pollute the directory is always a concern, but as in most things layer-8, there is not much technological fix.

In your scenario, though, a number of things will have to align almost perfectly for the polluter (or "attacker") to exploit this "vulnerability". (S)he will not only need the ability to directly write to the partition in question (remember that the computers are usually the ones doing their own updates), because DNS console or DNSCMD won't allow that. Then (S)he will have to craft the hostname (record) to match a legitimate record closely AND then pray that when a user fat-fingers the hostname they are looking for, the crazy finger will land on the exact (malicious) one that (S)he had inserted into the zone. Or (S)he will have to entice/fool the user into going to the malicious pointer. Or .... yeah, you get the point.

Not saying it's not possible. Just saying that so many defenses have been by-passed at this point that it'd be incorrect to blame AU permission on DNS zone for the mishap. The first breach is having an untrustworthy "trusted" user inside your network - talk about Trojan Horses.
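A defender's audit for the permission this thread is about, as an added PowerShell example that is not part of the thread: it walks the ACL of each AD-integrated zone for Allow ACEs that give Authenticated Users (S-1-5-11) CreateChild, and reads the per-partition msDS-DefaultQuota that Deji's "AD quotas" suggestion relies on. It assumes the ActiveDirectory module and read access to the zone objects; the container paths are the standard locations for AD-integrated zones, not something taken from the thread.

```powershell
# Added audit example (not from the thread). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName
$authUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'   # Authenticated Users

# AD-integrated zones live in one of these containers depending on replication scope.
$searchBases = @(
    "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn",   # domain-wide application partition (default)
    "CN=MicrosoftDNS,CN=System,$domainDn"            # legacy "all DCs in the domain" scope
)

foreach ($base in $searchBases) {
    $zones = Get-ADObject -LDAPFilter '(objectClass=dnsZone)' -SearchBase $base -ErrorAction SilentlyContinue
    foreach ($zone in $zones) {
        $acl = Get-Acl -Path "AD:\$($zone.DistinguishedName)"
        # Keep only Allow ACEs that include CreateChild and resolve to Authenticated Users.
        $loose = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $authUsers
        }
        foreach ($ace in $loose) {
            [pscustomobject]@{
                Zone      = $zone.Name
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Per-partition default quota: -1 (or no value) means a principal may own an unlimited
# number of objects in that partition, so nothing caps how many dnsNode records it creates.
foreach ($partition in @("DC=DomainDnsZones,$domainDn", $domainDn)) {
    $quota = Get-ADObject -Identity "CN=NTDS Quotas,$partition" -Properties msDS-DefaultQuota -ErrorAction SilentlyContinue
    if ($quota) { '{0}: msDS-DefaultQuota = {1}' -f $partition, $quota.'msDS-DefaultQuota' }
}
```

Run it on a DC or a host with RSAT; a zone that lists an Authenticated Users CreateChild ACE together with an unlimited quota is the combination the thread describes.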
Copyright 2009 ActiveDir.org