Excellent info!

Keep this stuff coming.

I also use the GPO to enforce group memberships as well as some registry
tips.  I plan to write a story on my Blog soon that talks about this
information.  I will send you the URL when the blog starts to take shape.


Todd

-----Original Message-----
From: Darren Mar-Elia [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 07, 2003 7:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD DOS vulnerability


Rick-
Glad to help! One thing I've played around with on this is some low-tech
methods for slowing down potential exploits of this. For example, I've used
Services security in Group Policy to disable the Scheduler service on all
DCs and then permissioned it so that only Enterprise Admins could start it
up. I've also set up a loopback policy on all DCs that used Admin. Template
settings to prevent anyone except Enterprise Admins from loading the
ADSIEdit & Schema Manager MMC snap-ins on a DC. You could probably do even
more with software restriction policy here. 

This by no means prevents the issue and the "extra crafty" admin can
probably find ways around it, but it slows down the most obvious routes of
exploitation, which is worth something :-)
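The following PowerShell audit script is an added example and is not part of Darren's message or any product mentioned in the thread. It reads back the state of the two low-tech mitigations described above on a domain controller: whether the Task Scheduler service (internal name `Schedule`) is disabled and what its service DACL looks like, and whether the per-user MMC snap-in restriction policy marks the ADSI Edit and Schema snap-ins as prohibited. It assumes the documented policy location `HKCU\Software\Policies\Microsoft\MMC` (with `RestrictToPermittedSnapins` and per-snap-in `Restrict_Run` values) and resolves snap-in CLSIDs to names through `HKLM\SOFTWARE\Microsoft\MMC\SnapIns\{CLSID}\NameString`; snap-ins that register only a localized name will show a blank name. It is read-only and changes nothing.

```powershell
# Added example, not from the thread: audit a domain controller for the two
# "low-tech" mitigations described above. Assumptions: the Task Scheduler
# service's internal name is 'Schedule'; the MMC snap-in restriction policy is
# read from the documented HKCU\Software\Policies\Microsoft\MMC location; snap-in
# display names are taken from HKLM\SOFTWARE\Microsoft\MMC\SnapIns. Read-only.

function Get-SchedulerHardening {
    # Win32_Service exposes the configured start mode and the live state.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Schedule'"
    # sc.exe sdshow prints the service security descriptor in SDDL; the RP/WP
    # rights in each ACE show who may start/stop the service, which is what the
    # Group Policy "System Services" node sets.
    $sddl = (& sc.exe sdshow Schedule | Where-Object { $_ -match 'D:\(' }) -join ''
    [pscustomobject]@{
        StartMode  = $svc.StartMode
        State      = $svc.State
        Dacl       = $sddl
        IsDisabled = ($svc.StartMode -eq 'Disabled')
    }
}

function Get-SnapinRestrictions {
    # "Restrict users to the explicitly permitted list of snap-ins" sets
    # RestrictToPermittedSnapins=1; each snap-in policy subkey (named by CLSID)
    # carries Restrict_Run: 1 = prohibited, 0 = permitted.
    $policyRoot = 'HKCU:\Software\Policies\Microsoft\MMC'
    $root = Get-ItemProperty -Path $policyRoot -ErrorAction SilentlyContinue
    $entries = foreach ($key in Get-ChildItem -Path $policyRoot -ErrorAction SilentlyContinue) {
        $clsid = $key.PSChildName
        # Resolve the CLSID to the registered snap-in display name (may be empty).
        $name = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\MMC\SnapIns\$clsid" `
                    -ErrorAction SilentlyContinue).NameString
        [pscustomobject]@{
            Clsid       = $clsid
            Name        = $name
            RestrictRun = (Get-ItemProperty -Path $key.PSPath).Restrict_Run
        }
    }
    [pscustomobject]@{
        PermittedListOnly = ($root.RestrictToPermittedSnapins -eq 1)
        SnapIns           = @($entries)
    }
}

function Test-DcMitigations {
    $sched = Get-SchedulerHardening
    $mmc   = Get-SnapinRestrictions
    # Pick out the two snap-ins named in the thread by their display name.
    $adsi   = $mmc.SnapIns | Where-Object { $_.Name -match 'ADSI' }
    $schema = $mmc.SnapIns | Where-Object { $_.Name -match 'Schema' }
    [pscustomobject]@{
        SchedulerDisabled   = $sched.IsDisabled
        SchedulerDacl       = $sched.Dacl
        AdsiEditRestricted  = [bool]($adsi   | Where-Object { $_.RestrictRun -eq 1 })
        SchemaMgrRestricted = [bool]($schema | Where-Object { $_.RestrictRun -eq 1 })
        PermittedListOnly   = $mmc.PermittedListOnly
    }
}

Test-DcMitigations | Format-List
```

Because the loopback policy is applied per user, run this while logged on to the DC as an ordinary domain admin rather than an Enterprise Admin; the `HKCU` values reflect the logged-on account, and an exempted account will correctly report no restrictions. The SDDL string is printed rather than interpreted so that the reviewer can confirm which SIDs hold the `RP` (start) right.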



-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 07, 2003 3:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD DOS vulnerability


Darren,

Thanks for providing the clarity.  No intent to be 'stealthy' about the
vulnerability, but - frankly, I couldn't think of the proper words at the
moment.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, July 07, 2003 1:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD DOS vulnerability

I think this refers to the issue recently identified where a member of the
Domain Admins group, with access to a domain controller within a domain in
the forest, could, for example, start a process within the security context
of LocalSystem (e.g. using the AT scheduler), and thus gain privileged
access to the schema and configuration naming contexts that they weren't
granted explicitly. 

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, July 07, 2003 6:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD DOS vulnerability


Could you expand on what the specific vulnerability is there? I've not heard
that terminology before.

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -----Original Message-----
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Friday, July 04, 2003 5:42 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] AD DOS vulnerability
> 
> 
> Joe,
> 
> Unfortunately, one of the biggest issues with AD can't be addressed
> with an upgrade, and that's the Security vulnerability from
> cross-domain admins. Looking to NetPro's monitoring tool to aid in this
> as a 'burglar alarm'.
> 
> Rick Kingslan  MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>   
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Joe
> Sent: Friday, July 04, 2003 10:21 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] AD DOS vulnerability
> 
> Also note that there is another D.O.S. capable bug that SP4 fixes if I
> recall correctly. It was something with referrals.
> 
> Note that there are several things that can be done to W2K AD by a
> bright programmer with internal access who has had a chance to sit
> back and think about it that can hurt AD. Some only require having an
> account in AD, some requiring a machine account. Won't give details here
> or anywhere due to social conscience and not willing to expose shit that
> could hurt me personally but they are there... Move to W2K3 when you can
> as that may help based on some of the newer docs I have seen.
> 
> I agree with what everyone else has said on SP4... Test test test,
> then deploy. When you do have an issue, post back here or in the
> newsgroups so others can learn of the experience. Even if you call MS and
> they say, nope, no one is having that issue. I have found that they know
> of things but won't come fully forward with them until some minimum
> number of customers/people have complained.
> 
> 
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
> (NIH/CIT)
> Sent: Thursday, July 03, 2003 10:04 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] AD DOS vulnerability
> 
> 
> Thanks Everyone for the great information. We have already begun
> patching the systems as a result of the information from the list.
> 
> Todd Myrick
> 
> -----Original Message-----
> From: Robert Moir [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 03, 2003 8:53 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] AD DOS vulnerability
> 
> 
> I'd certainly concur with the idea of using the hotfix before rushing 
> SP4 out of the door without the usual acceptance testing but it might 
> be worth remembering that someone who is posting from an educational 
> establishment is in an environment where malicious attacks from within 
> the network are not just possible, or likely, but are simply another 
> day at the office.
> 
> > -----Original Message-----
> > From: Tony Murray [mailto:[EMAIL PROTECTED]
> > Sent: 03 July 2003 12:51
> > To: [EMAIL PROTECTED]
> > Subject: Re: [ActiveDir] AD DOS vulnerability
> > 
> > Given that this vulnerability can generally only be exploited through
> > malicious use from *within* the network (at least for most
> > organisations), you may want to hold off on SP4. This will depend on
> > your assessment of the threat in your environment. SP4 was only
> > released last week and it is usually prudent to wait to see if any
> > major bugs appear before installing it. I'm sure you remember the
> > problems introduced by Windows NT 4.0 SP6, which were then urgently
> > fixed in SP6a?
> > 
> > You could always install the hotfix first and hold off a while on SP4.
> > 
> > More info on this vulnerability here:
> > 
> > http://www.coresecurity.com/common/showdoc.php?idx=351&idxseccion=10
> > 
> > Tony
> > ---------- Original Message ----------------------------------
> > From: NKMBIPBARHDMNNSKVFVWRKJVZCMHVIBGDADRZFSQHYUC
> > Reply-To: [EMAIL PROTECTED]
> > Date:  Thu, 3 Jul 2003 11:10:44 +0100
> > 
> > I received notification about a vulnerability in AD this morning -
> > details are at
> >     http://support.microsoft.com/default.aspx?kbid=319709
> > 
> > It looks like the recommended fix is to upgrade my DCs to SP4.
> > 
> > I was planning to wait a lot longer before I inflict SP4 on any
> > machines that I care about, but it looks like this might force my hand
> > a bit. What's everyone else doing?
> > 
> > Has anyone heard of *any* problems with SP4 yet?
> > 
> > --
> > Steve Bennett, Systems Support
> > Lancaster University
> > 
> > List info   : http://www.activedir.org/mail_list.htm
> > List FAQ    : http://www.activedir.org/list_faq.htm
> > List archive:
> > http://www.mail-archive.com/activedir%40mail.activedir.org/