Domain Controller Security

  • Last Post 16 April 2018
fvandonk posted this 20 September 2005

I have a contractor in a remote site. There is only 1 server in that site, which is a DC.

He needs to administer that server:
- Create shares
- Make file/share permissions
- Change user passwords in the User OU for that site.

He is not allowed to log on to any other server in the domain.

When I make him a "Server Operator" he can log on to any server in the domain.

Any idea on how to lock him down to that one server, and then how to lock him down on that one OU where he should only be allowed to change the passwords of the users?

Thanks!
Fred

kamleshap posted this 21 September 2005

For changing NTFS permission, directly give him FULL CONTROL rights over a particular folder, and ask him to create everything inside that.
 
3) restricting to specific OU
You can use delegation wizard in ADUC console to give his user id rights to manage that OU.
 
Kamlesh-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~"Fortune and Love befriend the bold"~~~~~~~~~~~~~~~~~~~~~~~~~~~ 


hcoleman posted this 21 September 2005

Fred-

This is not possible. While you can make it more difficult for the user to do things you don't want him to, if you give him either physical access to the DC or the ability to log on to the DC, he is in a position to elevate his permissions to the point of owning your forest.

If you can move the files and shares to another machine, then restricting him to only be able to change passwords within a particular OU is easy by either setting the OU security directly or going through the Delegation of Control Wizard.

Hunter

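Both Kamlesh's pointer to the delegation wizard and Hunter's "setting the OU security directly" amount to adding two ACEs to the OU. The following PowerShell is an added example (not from anyone in the thread) that does exactly that for the password-reset case; the OU distinguished name and the group `CORP\RemoteSite-PwdReset` are placeholders, and the ActiveDirectory module (RSAT) is assumed.

```powershell
# Added example: delegate only "Reset Password" on the user objects of one OU
# by editing the OU's security descriptor directly (what the Delegation of
# Control Wizard does for the "Reset user passwords" task).
# Placeholders: OU=RemoteSiteUsers,DC=corp,DC=example and CORP\RemoteSite-PwdReset.
Import-Module ActiveDirectory

$ouDN        = 'OU=RemoteSiteUsers,DC=corp,DC=example'     # placeholder OU
$delegateAcc = 'CORP\RemoteSite-PwdReset'                   # placeholder group
$delegateSid = (New-Object System.Security.Principal.NTAccount($delegateAcc)).
                 Translate([System.Security.Principal.SecurityIdentifier])

# Well-known schema GUIDs; these are the same in every AD forest.
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # control access right: Reset Password
$pwdLastSetAttr     = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # attribute: pwdLastSet
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # object class: user

$acl = Get-Acl -Path "AD:\$ouDN"

# ACE 1: the Reset Password extended right, inherited only by descendant user objects.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $delegateSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)))

# ACE 2: read/write pwdLastSet, so "User must change password at next logon" works.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $delegateSid,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $pwdLastSetAttr,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show only the ACEs now granted to the delegated group on this OU.
# Nothing in this OU's ACL grants any logon or file rights on the DC itself.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $delegateAcc } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType,
                 InheritedObjectType, InheritanceType -AutoSize
```

The two ACEs scope the delegate to user objects under that OU only; they do nothing about the DC logon question, which is the part of Fred's request the rest of the thread says cannot be made safe.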

kamleshap posted this 21 September 2005

Ultimately, choice is yours, as well the consequences. 
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~"Fortune and Love befriend the bold"~~~~~~~~~~~~~~~~~~~~~~~~~~~


abaker posted this 21 September 2005

That sounds dangerous.

If you give him access to that server, particularly local logon
access, you might as well just put him in the Enterprise Admin group
and save both of you a few moments of work.
-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/


listmail posted this 22 September 2005

Look through the archives.

The short answer is... "Just don't do it". You can't possibly secure this regardless of what anyone says. If someone says it can be made safe, stop asking them technical questions about Domain Controllers and Active Directory.

Either you trust the person or you don't. If you don't trust the person, then don't put the person in a position to show you the meaning of screwed.


fvandonk posted this 22 September 2005

Thanks all for your replies. Joe: I got you loud and clear
and agree.


prenouf posted this 22 September 2005

As joe just said: don't do this.
 
Phil 


gideona posted this 22 September 2005

The only thing to do is to make him an admin of that site, or better yet make that site a child domain and make him a domain admin of that child domain. I know from experience that using a DC as anything but a DC is a freakin pain in the ass; my predecessor set a DC up as a print/file server and another as a SQL server (finally able to demote that one now, soon hopefully). But my Citrix profiles are on the domain controller, and after months of trying to set delegation up properly in AD and setting up permissions in the appropriate folders on the DC, the only way I was able to get my Helpdesk admin set up to create accounts with my scripts so that I didn't have to do it was to make him a domain admin. My company is too damn cheap to get me another server to put the Citrix profiles somewhere else. Oh yeah, and it's an app server for network install of Office (can you feel my pain).
 
So, if there is only one server in the site and it's a DC, the only way to get him to do anything is to make him a domain admin (make it a child domain so he can't climb up the tree).
 
Gideon Ashcraft
Network Admin
Screen Actors Guild


aricbernard posted this 22 September 2005

Allow me to logon to any DC in any domain and I will own your entire Forest.

Allow me access to the console of any DC in any domain (assuming I can use a USB port or floppy drive), even without an account that allows me to logon locally, and I will own your entire Forest.

The point, as Joe so eloquently phrased it, is: Just don't do it! The forest is the security boundary, and if someone can compromise a single DC, regardless of domain, they can own your forest.

Aric



deji posted this 22 September 2005

make it a child domain so he can't climb up the tree

Not only will (s)he be able to run up the tree, (s)he will own the tree, the
leaves, the bushes, the grasses, and, for that matter, the forest.

The Domain is NOT a security boundary. It is an administrative boundary.
Service administrators have the ability to cross domain boundaries within a
forest.


ddeStefano1 posted this 22 September 2005

I thought that in AD, domains are considered security boundaries. In the cert exams, namely the 70-219, they are considered as such. Also, how would a domain admin of a child domain elevate his privileges?

Dan


mike.hutchins posted this 22 September 2005

Wrongo...

...snip
Active Directory uses domains and forests to represent the logical structure of the directory hierarchy. Domains are used to manage the various populations of users, computers, and network resources in your enterprise. The forest represents the security boundary for Active Directory. Within domains you can create organizational units to subdivide the various divisions of administration
snip...

Link to the actual doc:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/6f8a7c80-45fc-4916-80d9-16e6d46241f9.mspx

(mind if it wraps)


mike.hutchins posted this 22 September 2005

Oh, and as for how, easy, but I won't tell
here...


listmail posted this 22 September 2005

The docs are wrong. Many of us have been hounding MS on this for years. They really started straightening out docs with K3. Some of the older 2K docs still suggest this security boundary at the domain. It really came to a head when Lucent put out a paper on this and it started getting quoted in the newsgroups and some of us just flamed the crap out of it.

No one here or anywhere should really publish how to exploit rights on a DC to take over a forest. The answer is pretty self-evident if someone understands the underpinnings and processes used in AD, and since we can't fully protect against it, it is better left undocumented. If there was a guaranteed safe way to protect ourselves, then we could publish that workaround and some time later publish the issue.

joe


Mark.H.Lunsford posted this 22 September 2005

You might consider a lower level OU under the Domain Controllers OU with a different GPO that grants him local logon to just that DC.

Thank You ! And have a nice day !

*******************
Mark Lunsford
KAISER PERMANENTE
Security Operations
Remedy Group: NOPS SECURITY EDOS SYS
Direct Manager: Bud Furrow
Email: Mark.H.Lunsford@xxxxxx
Outside Phone: 925-926-5898
Tie Line Phone: 8-473-5898
Cell: 925-200-4077
*******************


prenouf posted this 22 September 2005

I don't think anyone is going to get into how privilege escalation can be done, I know I certainly won't get into it other than to make people aware that it is possible.
 
Phil 


al_maurer posted this 22 September 2005

Most of the answers to Fred's business need deal with the security issue of the domain: valid, certainly, but if the contractor really has a need to access files & shares, how would he do it? Seems this DC is the sole site server and acting as a file server in addition to its DC duties.

Short of buying another server, an idea I read about on this list was to install vm software and run the file services as a virtual server. Anybody tried that?

And in the 3k R2 world, if that DC were a caching-only DC, does that change the situation?

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
----------------------------------------------
"Cry 'Havoc!' and let slip the dogs of war" - Anthony, in Julius Caesar III i.


Gil posted this 22 September 2005

See, for instance, the demo Guido did in the security workshop with Sanjay at DEC last year.
 
-g


ddeStefano1 posted this 22 September 2005

Thanks, I actually found and read that after sending that last post.

Dan
