Had I been in the audience when Guido was demonstrating how to compromise forests (if he was showing enough for people to figure it out) I probably would have been throwing things at him, if I didn't outright drag him off the stage. Guido is tall but I am not too proud to bite. :o)

Just serious. People shouldn't need that demonstrated, and people that know how to do it shouldn't feel that it is something they should show off. You never know when someone might choose to use it against you.

People either can figure it out or they can't. It may hold a wow factor so folks can say, "cool, you should see what I found out at xyz conference," but it is dangerous to be showing off, just like if I started showing off how to do other evil "really can hurt you" things I know how to do with AD or Exchange or other vendors' apps. Things that would curl folks' toenails to see. About as far as I will go in the sharing is with Dean to get him to verify I am not crazy and then Stuart Kwan (of the Ottawa Kwan Clan) or ~Eric or someone else in a position to fix the problem. Of course, people can always just say, "well, you are just saying that and I don't believe you." I don't have a problem with that. :o)
joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gil Kirkpatrick
Sent: Thursday, September 22, 2005 4:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

See, for instance, the demo Guido did in the security workshop with Sanjay at DEC last year.

-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Hutchins, Mike
Sent: Thursday, September 22, 2005 11:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

Oh, and as for how, easy, but I won't tell here...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of DeStefano, Dan
Sent: Thursday, September 22, 2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

I thought that in AD domains are considered security boundaries. In the cert exams, namely the 70-219, they are considered as such. Also, how would a domain admin of a child domain elevate his privileges?

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf

Even as a domain admin of a child domain they will still be able to munge your forest or elevate their privileges. The security boundary in AD is at the forest, not the domain.

Phil

On 9/22/05, Gideon Ashcraft <[EMAIL PROTECTED]> wrote:
The only thing to do is to make him an admin of that site, or better yet make that site a child domain and make him a domain admin of that child domain. I know from experience that using a DC as anything but a DC is a freakin pain in the ass; my predecessor set a DC up as a print/file server and another as a SQL server (finally able to demote that one now, soon hopefully). But my Citrix profiles are on the domain controller, and after months of trying to set delegation up properly in AD and setting up permissions in the appropriate folders on the DC, the only way I was able to get my Helpdesk admin set up to create accounts with my scripts so that I didn't have to do it was to make him a domain admin. My company is too damn cheap to get me another server to put the Citrix profiles somewhere else. Oh yeah, and it's an app server for network install of Office (can you feel my pain).

So, if there is only one server in the site and it's a DC, the only way to get him to do anything is to make him a domain admin (make it a child domain so he can't climb up the tree).

Gideon Ashcraft
Network Admin
Screen Actors Guild

Look through the archives. The short answer is... "Just don't do it". You can't possibly secure this regardless of what anyone says. If someone says it can be made safe, stop asking them technical questions about Domain Controllers and Active Directory.

Either you trust the person or you don't. If you don't trust the person, then don't put the person in a position to show you the meaning of screwed.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of van Donk, Fred

I have a contractor in a remote site. There is only 1 server in that site, which is a DC. He needs to administer that server:

- Create shares
- Make file/share permissions
- Change user passwords in the User OU for that site.

He is not allowed to log on to any other server in the domain. When I make him a "Server Operator" he can log on to any server in the domain. Any idea on how to lock him down to that one server and then how to lock him down on that one OU where he should only be allowed to change the passwords of the users.

Thanks!

Fred
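The one part of Fred's request that can be delegated safely without making the contractor an administrator of the DC is the password-reset right on the site's user OU. The following is an added example written for this page; it is not code from any of the list posters. It assumes a hypothetical OU "OU=Site1 Users,DC=example,DC=com", a domain with NetBIOS name EXAMPLE and a dedicated group EXAMPLE\Site1-PwdReset that the contractor is a member of; substitute your own names. The grant uses dsacls (present in the 2003-era support tools the thread dates from); the read-back uses ADSI, and the final check uses the ActiveDirectory module, which is newer than the thread.

```powershell
# Added example (not from the list posters). Hypothetical names: substitute
# your own OU distinguished name and group.
$ouDn  = "OU=Site1 Users,DC=example,DC=com"
$group = "EXAMPLE\Site1-PwdReset"

# Grant the "Reset Password" control access right on user objects beneath the OU.
#   /I:S   apply to sub-objects only (the users in the OU), not to the OU itself
#   CA     control access right, named after the first semicolon
#   ;user  limit the inherited ACE to objects of class user
dsacls $ouDn /I:S /G "${group}:CA;Reset Password;user"

# Optional: let the same group tick "User must change password at next logon",
# which is a write to the pwdLastSet attribute (RP = read, WP = write property).
dsacls $ouDn /I:S /G "${group}:RPWP;pwdLastSet;user"

# Read the ACL back through ADSI and list only the ACEs that name our group,
# so we can see exactly what was delegated and that nothing broader slipped in.
$ou  = [ADSI]"LDAP://$ouDn"
$sid = (New-Object System.Security.Principal.NTAccount($group)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$ou.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $sid } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType |
    Format-Table -AutoSize

# Expected ObjectType GUIDs in that output:
#   00299570-246d-11d0-a768-00aa006e0529  Reset Password (control access right)
#   bf967a0a-0de6-11d0-a285-00aa003049e2  pwdLastSet attribute
# InheritedObjectType bf967aba-0de6-11d0-a285-00aa003049e2 is the user class.

# Sanity check before handing over: no privileged account may live under the
# delegated OU, or the contractor can reset its password and take it over.
# Anything this returns should be moved out of the OU first.
Get-ADUser -SearchBase $ouDn -Filter * -Properties adminCount |
    Where-Object { $_.adminCount -eq 1 }
```

This covers the OU part of the question only. Creating shares and setting NTFS permissions on the DC itself needs local administrative rights on the DC, and Server Operators, like every built-in group that grants those rights, is domain-wide and gives file-system and service control over every DC, which is exactly the Domain Admins equivalence the rest of the thread is warning about. If the contractor must do share and file work, the practical answer the thread gives stands: put that workload on a server that is not a DC.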