Re: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
"DO scan your DCs and reconsider excluding things like the Sysvol"

I fully agree with you here, John. I have seen for myself how good FRS is at distributing viruses throughout the infrastructure in a short period of time!! Some of the major AV vendors previously had products that caused problems when scanning SYSVOL, but the recent offerings have resolved this. Bottom line: there is no good reason not to include SYSVOL (as long as you've checked with your AV vendor first).

Tony

-- Original Message --
From: [sender garbled]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 10 Dec 2003 23:18:52 +0100

I totally agree with all the guys out there that urge you to scan your DCs!!! I've been thinking about this issue for some time and I've come to the conclusion that Active Directory would be THE IDEAL target for a virus attack. The robustness of AD replication makes it the ideal distribution mechanism for viruses. Hey ... distributing viruses by mail is ancient technology ;-). Why not use the intense integration of Exchange 2000+ and AD to transport a virus from Exchange to AD? No guys... I'm very serious! DO scan your DCs and reconsider excluding things like the Sysvol because this is another possible target for the sick minds out there that like to screw up enterprise environments! It's only a matter of time before the first AD virus is a fact of life we have to deal with! So go out and check (before you go to bed) whether or not dat-file updates are really succeeding ;-).

Cheers!
John

-Original Message-
From: [sender garbled]
To: [EMAIL PROTECTED]
Sent: 10-12-2003 18:07
Subject: RE: [ActiveDir] Virus software on DC

Sorry, I have to throw in my two cents. I exclude the sysvol/sysvol folder and sub-folders, but run the real-time scanner on everything else. These two folders deal with replication and are too volatile to play with.

S
* Steve Shaff
Active Directory / Exchange Administrator
Corillian Corporation
(W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674

-Original Message-
From: [sender garbled] [mailto:[EMAIL PROTECTED]] On Behalf Of Burkes, Jeremy [contractor]
Sent: Wednesday, December 10, 2003 8:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Virus software on DC

Same here, never had any problems either.

Jeremy

-Original Message-
From: [sender garbled]
Sent: Wednesday, December 10, 2003 11:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Virus software on DC

We run Symantec AV corporate edition and don't exclude any directories. We haven't had any problems related to AV software.

-Original Message-
From: [sender garbled] [mailto:[EMAIL PROTECTED]] On Behalf Of Free, Bob
Sent: Wednesday, December 10, 2003 11:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Virus software on DC

"What directories should I not be scanning?"

We use the exclusions in this list:
822158 - Virus Scanning Recommendations on a Windows 2000 Domain Controller: http://support.microsoft.com/default.aspx?scid=kb;en-us;822158

From: [sender garbled]
Sent: Wednesday, December 10, 2003 8:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Virus software on DC

We run Trend here. Never have run into any issues and we are using the realtime scan. Just out of curiosity though, I am scanning all except for a few select dirs. What directories should I not be scanning?

John Parker, MCSE
IS Admin. Senior Technical Specialist
Alpha Display Systems. Alpha Video
7711 Computer Ave. Edina, MN. 55435
952-896-9898 Local / 800-388-0008 Watts / 952-896-9899 Fax / 612-804-8769 Cell / 952-841-3327 Direct
[EMAIL PROTECTED]
Be excellent to each other ---End of Line---

-Original Message-
From: [sender garbled]
Sent: Wednesday, December 10, 2003 10:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Virus software on DC

I do, but I exclude the AD files, and I do not have real-time scanning enabled, just periodic scheduled scans. Does not seem to cause any problems.

mc

-Original Message-
From: [sender garbled]
Sent: Wednesday, December 10, 2003 11:17 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Virus software on DC

This may be a dumb question, but do you guys have virus scanning software on your DCs? I have been confused about whether the virus scanner slows the machine down or not.

Thanks
RE: [ActiveDir] Exchange 2000 and its interaction with AD - Yes again...
That the DSACCESS issue you're having?

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 10, 2003 10:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2000 and its interaction with AD - Yes again...

Well I got word back that MS is going to fix this issue with NSPI referrals/GC Selection. That is good news. The bad news is they don't know if they are going to fix the NSPI piece of AD or fix Exchange. More bad news is it could be a year to see the fix. Hollow victory. :o)

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joe
Sent: Sunday, December 07, 2003 12:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2000 and its interaction with AD - Yes again...

LOL. You sound like the MS folks. :op

This project is in its third year (on again, off again though), about 15 months into actual work. I was lightly involved about a year ago and got heavily involved back in around April or so. I think they all realized that AD was important, but probably not to the extent that it was. A lot of it comes down to not really knowing the product and I will point at both MCS and PSS in that regard. They tend to know the generic deployments and the pat answers. That doesn't work once you get to certain levels of complexity and size. It is like a paper MCSE going into a small site, they will be fine; a bigger site and they are an idiot. I actually think we have one of the better MCS consultants already here for E2K. Though I think he knows about 4 times more now than he knew when he walked in the door. He will admit to knowing probably twice as much. :op

I think my biggest gripe with MS people is the lack of willingness to simply say, you know what, I don't know. Instead they will say something like that is god's word on it and then later it comes about that they thought it worked that way but in reality it doesn't. I think I have seen instances of that all the way up the MS chain but I haven't ever directly spoken with an Exchange Dev guy so maybe they know what is up and everyone else is losing the stuff in the translation. As a rule they won't let me near the Dev guys. I think it is because I ask too many difficult questions, usually starting with "why in the world".

On our side the issue is that this project stopped and started multiple times and management changed a couple of times and hardware vendors changed and storage changed, etc. Lots of crap, however I still blame MS for the bad design we have and the bad supportability review they did of the design. This delegate issue never should have seen the light of day but it goes back to my statement about them not really understanding how the product works.

Public Folders shouldn't be an issue as we don't really allow their use. Occasionally someone will get something out there when a new server comes online and the ACLs get changed but that gets caught and they get killed. Pretty much we use Exchange for mail and calendar. None of the other fancy stuff. If there was a decent calendar app outside of Exchange that integrated well with Mail that wouldn't have caused us massive migration headaches and custom writing of tons of code we would have probably gone to it.

RUS has been doing ok but then we really dumbed it down from what I understand. The email address stamping is all handled by our internal provisioning system. ADC has been a bit painful and in fact right now our European ADC just stops working every now and then with no error messages or anything. Just stops.

I am now embroiled in debate with PSS concerning the DSACCESS/DSPROXY/Categorizer document as I started reading it and found typos and issues in it and things that I flat out don't think are correct. MS has done what they usually do which is to get to a point where the analyst is flying blind and wants to take things into a conference call. My personal feeling on that is so that it gets lost and dropped because the info isn't as well documented. The document did nothing to lull me into confidence of what was going on with us and in fact now has me concerned about the categorizer and what might possibly be breaking in that as it has verbiage similar to the verbiage for DSPROXY and I really think DSPROXY has issues with its DC scrubbing that it is supposedly doing.

Outside of all the design issues we have with our specific implementation I am really concerned about the overall supportability of a large Exchange deployment. The tool set that MS supplies completely sucks and the documentation for writing your own tools is poor and inaccurate at best. I do not see how any large implementation of Exchange could exist without a veritable sea of admins managing it through the GUI. Mailbox reconnects alone are a pain in the complete butt and that is just one aspect.

Oh well, I will be dead or I will get it figured out. One or the other will be fine at this point.

joe
RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
It strikes me that excluding *.dit is probably all that's necessary on the DCs

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 11, 2003 8:55 AM
To: [EMAIL PROTECTED]
Subject: Re: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
RE: [ActiveDir] Settle a disagreement
Just have them read this http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q203/6/07.ASP&NoWebContent=1 and then give them something to do :)

mc

-Original Message-
From: Gilbert, Daniel L Mr ANOSC/FCBS [mailto:daniel.gilbert/[EMAIL PROTECTED]]
Sent: Thursday, December 11, 2003 10:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Settle a disagreement

To All:

I need some help settling a disagreement among the SA's here. This disagreement revolves around group policy application. I have always believed that on Windows 2000 clients, any policy applied to them is re-read every 90 minutes plus or minus 30 minutes. One of the SA's swears it is every 90 minutes with an offset of up to 30 minutes. Who's correct? Of course this isn't a major issue, but you know how SA's find the craziest things to argue about when they get a little time on their hands. :o)

Daniel L. Gilbert, Contractor
Senior Active Directory Specialist
CONUS Theater Network Operations and Security Center (CONUS-TNOSC)
(520) 533-6700 DSN: 821-6700
[EMAIL PROTECTED]
RE: [ActiveDir] Settle a disagreement
Oh, we could have such fun arguing semantics here...

I wouldn't equate "plus or minus" with "up to." This is how I would interpret "every 90 minutes plus or minus 30 minutes":

"Every 90 minutes with a positive offset of 30 minutes" OR "Every 90 minutes with a negative offset of 30 minutes"

This would result in a GP refresh every 60 or 120 minutes... Considering that the offset can only be positive, and that the offset is a random number between 0 and 30, not steadfastly "30"... The statement "every 90 minutes plus or minus 30 minutes" would be incorrect.

Joe Pochedley
Weiler's Law - Nothing is impossible for the man who doesn't have to do it himself.

From: deji Agba [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 11, 2003 11:03 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Settle a disagreement

"every 90 minutes plus or minus 30 minutes."
"every 90 minutes with an offset of up to 30 minutes"

In the sense that "plus or minus" can literally mean "up to", I'd say you are both saying the same thing, but in different tongues :)

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
[ActiveDir] Creating Local Users on Remote Standalone Servers
I need a WMI way to create LOCAL users on a REMOTE standalone server and then add that local user to a local group that exists on the remote server. For a long time, I've done the below. But, if strWebHost is not the local server, it'll give an "access denied" error. I did try just opening a privileged WMI moniker to the remote server, but that isn't sufficient. So I obviously need to do it all via that privileged WMI connection. I've googled and searched MSDN high-and-low with little success. Hints or pointers to code samples would be appreciated.

Thanks,
Michael

    ' This uses the ADSI WinNT provider (not WMI). GetObject binds to the target computer
    ' in the caller's own security context, which is what the remote server checks.
    ' ChkError and Msg are helper routines from the rest of the page, not shown here.
    ' UserFlags bits for the WinNT provider (ADS_USER_FLAG_ENUM); VBScript has no type
    ' library access, so the constants must be declared explicitly.
    Const ADS_UF_PASSWD_CANT_CHANGE = &H40
    Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

    ' Create the local user
    Err.Clear
    Set col = GetObject("WinNT://" & strWebHost & ",computer")
    If ChkError("GetObject(computer) on " & strWebHost) Then
        Response.End
        Exit Sub
    End If
    Set obj = col.Create("user", strWebUser)
    If ChkError("Create(user) " & strWebUser) Then
        Response.End
        Exit Sub
    End If
    obj.SetPassword strWebPass
    If ChkError("SetPassword(" & strWebUser & ")") Then
        Response.End
        Exit Sub
    End If
    obj.SetInfo
    If ChkError("SetInfo(" & strWebUser & ")") Then
        Response.End
        Exit Sub
    End If
    Msg "User '" & strWebUser & "' created"
    Set col = Nothing

    ' Add user to the local 'Users' group
    Set col = GetObject("WinNT://" & strWebHost & "/Users,group")
    If ChkError("GetObject(Users,group) on " & strWebHost) Then
        Response.End
        Exit Sub
    End If
    col.Add obj.ADsPath
    If ChkError("AddGroup(user) " & strWebUser) Then
        Response.End
        Exit Sub
    End If
    ' "Property" is a reserved word in VBScript, so the flags variable is named lngFlags
    lngFlags = obj.Get("UserFlags")
    lngFlags = lngFlags Or (ADS_UF_PASSWD_CANT_CHANGE Or ADS_UF_DONT_EXPIRE_PASSWD)
    obj.Put "UserFlags", lngFlags
    obj.SetInfo
    If ChkError("SetInfoGroup(" & strWebUser & ")") Then
        Response.End
        Exit Sub
    End If
    Msg "User '" & strWebUser & "' added to group 'Users'"
[ActiveDir] finding GCs
Our developers put together a web site on our intranet last year that allows privileged users to add members of their staff to various groups. It works great, except that now we are in native mode and are using some universal groups. The app will work properly as long as it happens to hit a DC that is also a GC. But from what they're telling me, it won't work for Universals if the app searches for a DC and finds one that does not happen to be a GC. So what I'm looking for is whether there is an LDAP query component that they can use in their app that will always only find DCs that are also GCs?

Thanks,
Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
RE: [ActiveDir] finding GCs
IIRC you're looking for the isGlobalCatalogReady attribute. If set to true, then it's a global catalog. If not, then it's just a DC.

Al

From: Creamer, Mark [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 11, 2003 12:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] finding GCs
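An added PowerShell example (not code from the thread or from Mark's developers) showing the ways a client can restrict itself to global catalogs: the locator API, the _gc._tcp SRV records, the isGlobalCatalogReady rootDSE attribute from Al's reply, and binding through the GC: moniker (TCP 3268) so universal-group lookups never land on a plain DC. It assumes a domain-joined Windows host with the System.DirectoryServices assembly and the Resolve-DnsName cmdlet (Windows 8 / Server 2012 or later); the function names are my own.

```powershell
Add-Type -AssemblyName System.DirectoryServices

# 1. Locator API: the forest object knows which DCs currently hold the GC role.
function Get-GlobalCatalogNames {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $forest.FindAllGlobalCatalogs() | ForEach-Object { $_.Name }
}

# 2. DNS: every GC registers an SRV record under _gc._tcp.<forest root>, so even a
#    client with no AD library can pick only GCs by resolving this one name.
function Get-GlobalCatalogNamesFromDns {
    param([Parameter(Mandatory)][string]$ForestDnsName)
    Resolve-DnsName -Name "_gc._tcp.$ForestDnsName" -Type SRV |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { $_.NameTarget }
}

# 3. Per-server check: the rootDSE attribute from Al's reply. It reads TRUE only once the
#    server is a GC and has finished building its partial replicas, which is the state the
#    app needs before trusting universal group membership read from that server.
function Test-GlobalCatalogReady {
    param([Parameter(Mandatory)][string]$DcName)
    $root = [ADSI]"LDAP://$DcName/RootDSE"
    [string]$root.Properties['isGlobalCatalogReady'].Value -eq 'TRUE'
}

# 4. Simplest fix for the app: bind with the GC: moniker instead of LDAP:. The locator then
#    hands back a GC, never a plain DC. Here it lists every universal group in the forest.
function Get-UniversalGroupDns {
    param([Parameter(Mandatory)][string]$ForestDnsName)
    $forestRootDn = 'DC=' + ($ForestDnsName -replace '\.', ',DC=')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"GC://$forestRootDn"
    # groupType bit 0x8 = universal; 1.2.840.113556.1.4.803 is the bitwise-AND matching rule
    $searcher.Filter = '(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=8))'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $searcher.FindAll() | ForEach-Object { [string]$_.Properties['distinguishedname'][0] }
}

$forestName = ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).Name
"GCs from the locator: $((Get-GlobalCatalogNames) -join ', ')"
"GCs from DNS        : $((Get-GlobalCatalogNamesFromDns -ForestDnsName $forestName) -join ', ')"
foreach ($gc in Get-GlobalCatalogNames) {
    "$gc ready as GC: $(Test-GlobalCatalogReady -DcName $gc)"
}
Get-UniversalGroupDns -ForestDnsName $forestName
```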
RE: [ActiveDir] Search for phone numbers????
We simply modified the form for address book searches to include phone number. Individuals can now search on phone numbers for those mail-enabled objects in AD. For us that meets the requirements 99% of the time.

Diane

-Original Message-
From: Douglas M. Long [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 11, 2003 10:17 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Search for phone numbers

Is there a way to add a field in the Search for people to allow searching for a phone number, or other attributes that are specified in the Active Directory? If not, how can a user search for other attributes that are defined in the AD?

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: Strategic Plan Templates
Or examples of how not to do it, as the case may be :-)

-Hunter

-Original Message-
From: Fuller, Stuart [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 11, 2003 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Strategic Plan Templates

State of Montana IT Strategic plan - http://www.state.mt.us/itsd/stratplan/statewideplan.asp. There are also 30+ agency strategic plans located at http://www.state.mt.us/itsd/stratplan/agencyplans.asp. May give you some format and structure ideas...

-Stuart

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 11, 2003 2:17 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT: Strategic Plan Templates

This is way OT, but do any of you have some good templates I can follow to begin the process of putting together a new IT Strategic Plan?

Thanks
Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
RE: [ActiveDir] Exchange: decommission the exchange 2000 server
I am not aware of a white paper for this. But to answer your specific question on PF transfer, the easiest way (for me) is to add the replica of the PF to the new Exchange Server. Wait for a sufficiently long period of time for the Replica to come over, then remove the Original Exchange server from the Replica list. Also, look at PFAdmin. I think it's on the Exchange CD. Sufficiently long time is relative and depends on things like the size of the PF, the size of the network pipe between the 2 servers, etc. There are other considerations involved in retiring your original Exchange server besides rehoming the PF. If you need more info, post the question.

HTH

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Steve Shaff
Sent: Thu 12/11/2003 1:32 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Exchange: decommission the exchange 2000 server

Group,

We are getting ready to decommission the exchange 2000 server and transfer all the roles to the exchange 2003 server. Are there any white papers or documents on how to do this? I seem to be missing how you transfer the public folder dbs to the new server. Any ideas, problem areas, etc. that I should be aware of? I was looking at the kb article (307917). This does not help, since the tabs have changed with the addition of the 2003 server.

Thanks,
S
RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
I'm really surprised that a virus hasn't tried to use AD as a possible source of new users/computers to attack. It is real easy to write a query to enumerate every user in the domain. Even though Authenticated Users can't read all attributes of users, there are still plenty that are readable. And then there is the issue of modifying the attributes granted to SELF. There are several other ways AD could be used maliciously, but I don't want to give anyone ideas ;-)

This really could become a problem (and a difficult one to solve). As you mentioned, by just looking at DNS, you could get all of the DCs, DNS servers, mail servers, etc. and start spamming them (unless you aren't populating all of them in DNS). I think all the virus writers have been programming geeks/kiddies. A clueful Sys Admin could devise much more creative/damaging exploits than we've seen so far ;-)

To my knowledge there is no way to limit the number of LDAP queries per second. The best you can do is monitor the number of LDAP queries per second (available from Perfmon). It is also good to monitor expensive/inefficient queries (see recipe 15.8).

Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad
Sent: Thursday, December 11, 2003 4:36 PM
To: '[EMAIL PROTECTED]'
Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC

I'm not as worried about malicious, entry changing attacks due to the built in security model. It's cake and pie to do a denial of service attack against an LDAP system. Add to that a simple DNS query to find all the DCs, and the whole domain drops like a lead filled balloon.

Is there a way to limit the number of LDAP queries per second on a DC, at least from a specific source address?

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 11, 2003 4:14 PM
To: [EMAIL PROTECTED]
Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC

I don't even think you have to restrict the AD-related virus issue to the file-system. Something that your AV tools won't help you with is a virus that simply runs malicious LDAP queries - i.e. changing all kinds of attributes on objects in AD or even deleting a whole lot of objects at once... Obviously this virus would only be harmful for users with appropriate permissions on the AD objects. Again, AD will ensure that these malicious changes are replicated to all DCs and you could end up with quite a disaster which is certainly not very easy to recover from.

/Guido

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 11 December 2003 14:55
To: [EMAIL PROTECTED]
Subject: Re: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
The problem with the built-in security model is that in most environments it's easy to get around it by using one of the various LocalSystem escalations on the DC. All of a sudden the ACLs are meaningless, and AD will happily replicate the corrupted data for you.

It's hard to do a system wide denial-of-service by flooding the DCs with queries (I assume this is what you were talking about) because of the number of clients you would have to bring to bear. It takes a lot of clients to generate enough traffic to kill a DC, and a lot more to kill all the DCs in the system. And if the clients are connected to the DCs via slower WAN links, it's probably impossible.

You can disable anonymous queries (already done by default in W2K3), and you can configure IP addresses to deny connections from, but I don't know of a way to limit the number of LDAP queries per second. Sounds like a cool feature.

-gil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad
Sent: Thursday, December 11, 2003 2:36 PM
To: '[EMAIL PROTECTED]'
Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
I don't think it would take all that many clients if they used a threaded app that spawned a bunch of simultaneous sessions to different DCs. Heck, I've seen a single client cause the number of queries per second on a DC to go from 80 to ~1000 for a 30-minute span. Now this didn't cause the CPU to spike greatly, but it did cause other clients using that DC to get intermittent AD/LDAP errors.

As far as denying IPs, that was available in W2K, but it was removed (at least from ntdsutil) in W2K3. I was told that it wouldn't be supported anymore in W2K3 (I haven't tested to see if it works still). That would be unfortunate if it isn't supported.

Robbie Allen

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, December 11, 2003 5:38 PM
To: '[EMAIL PROTECTED]'
Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
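Roger asks for a per-source LDAP rate limit and Gil knows of none, but Robbie's observation (one client pushing a DC from 80 to ~1000 queries per second) is easy to detect after the fact if you can get a per-request log with client addresses. The following is an added example, not code from the list or any poster: it buckets requests per client per second over a constructed log format ("timestamp client-ip filter", which no DC of that era emits as such; the function names and the 10.0.x.x addresses are made up for the demo) and flags any client whose peak rate exceeds a multiple of the DC's normal load.

```python
"""Per-source LDAP query-rate monitor over a constructed request log.

Added example for the ActiveDir thread; not code from any poster. The
log format is constructed for this demo: one line per search request,
"<ISO-8601 timestamp> <client IP> <LDAP filter>".
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample: ten ordinary clients at 6 queries/s each over
    three seconds, plus one client (10.0.0.99, made up) that issues 900
    queries inside the second starting at 16:00:01."""
    base = datetime(2003, 12, 11, 16, 0, 0)
    lines = []
    for sec in range(3):
        for i in range(10):
            for k in range(6):
                ts = base + timedelta(seconds=sec, milliseconds=150 * k)
                lines.append(f"{ts.isoformat()} 10.0.1.{10 + i} (objectClass=user)")
    for k in range(900):
        ts = base + timedelta(seconds=1, milliseconds=k)
        lines.append(f"{ts.isoformat()} 10.0.0.99 (objectClass=*)")
    return lines


def parse_line(line):
    """Split a constructed log line into (timestamp, client IP)."""
    ts_text, ip, _ldap_filter = line.split(" ", 2)
    return datetime.fromisoformat(ts_text), ip


def per_second_counts(lines):
    """Bucket requests by whole second, both per client and DC-wide."""
    per_source = defaultdict(Counter)  # ip -> {second: request count}
    total = Counter()                  # second -> request count, all clients
    for line in lines:
        ts, ip = parse_line(line)
        second = ts.replace(microsecond=0)
        per_source[ip][second] += 1
        total[second] += 1
    return per_source, total


def find_noisy_sources(lines, baseline_qps=80, multiplier=5):
    """Flag any client whose peak one-second rate exceeds `multiplier` times
    the DC's normal load (the thread's 80 qps figure by default).

    Returns the DC-wide peak rate, the threshold used and the offending
    clients sorted by their peak rate, highest first."""
    per_source, total = per_second_counts(lines)
    threshold = baseline_qps * multiplier
    offenders = []
    for ip, counts in per_source.items():
        peak = max(counts.values())
        if peak > threshold:
            offenders.append((ip, peak))
    offenders.sort(key=lambda item: item[1], reverse=True)
    return {
        "dc_peak_qps": max(total.values()) if total else 0,
        "threshold": threshold,
        "offenders": offenders,
    }


if __name__ == "__main__":
    report = find_noisy_sources(build_sample_log())
    print(f"DC peak: {report['dc_peak_qps']} qps (threshold {report['threshold']})")
    for ip, peak in report["offenders"]:
        print(f"  {ip}: {peak} queries in one second")
```

Feed it your own per-request log (or a capture converted to the same three-field lines) and tune baseline_qps to what your DCs actually see at normal load; a single flagged source is the case to take to the client owner rather than to the DC.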
Re: [ActiveDir] Exchange: decommission the exchange 2000 server
Also pfmigrate.wsf from the Exchange Deployment Tools.

William

- Original Message -
From: Steve Shaff [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, December 11, 2003 2:56 PM
Subject: RE: [ActiveDir] Exchange: decommission the exchange 2000 server

That is perfect. Thanks,

S

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 11, 2003 1:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange: decommission the exchange 2000 server

I am not aware of a white paper for this. But to answer your specific question on PF transfer, the easiest way (for me) is to add the replica of the PF to the new Exchange server. Wait for a sufficiently long period of time for the replica to come over, then remove the original Exchange server from the replica list. Also, look at PFAdmin. I think it's on the Exchange CD.

"Sufficiently long" is relative and depends on things like the size of the PF, the size of the network pipe between the 2 servers, etc. There are other considerations involved in retiring your original Exchange server besides rehoming the PF. If you need more info, post the question.

HTH

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Steve Shaff
Sent: Thu 12/11/2003 1:32 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Exchange: decommission the exchange 2000 server

Group,

We are getting ready to decommission the Exchange 2000 server and transfer all the roles to the Exchange 2003 server. Are there any white papers or documents on how to do this? I seem to be missing how you transfer the public folder DBs to the new server. Any ideas, problem areas, etc. that I should be aware of? I was looking at the KB article (307917). This does not help, since the tabs have changed with the addition of the 2003 server.

Thanks,
S

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
I usually have to run about 10 authentication threads on each of 5 machines to get the CPU over 50% on my 1GHz P3 server. Of course the DIT is essentially empty. I suppose that having them issue some complex query over a large DIT would alter that picture substantially.

That's interesting that clients were getting intermittent errors even though the CPU wasn't pegged. Was the disk or network saturated?

-g

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen (rallen)
Sent: Thursday, December 11, 2003 4:00 PM
To: [EMAIL PROTECTED]
Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
Neither that I recall. CPU was around 30-40%. In my experience it is not uncommon to see occasional LDAP errors when the CPU reaches that level on DCs (at least with W2K).

Robbie Allen

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, December 11, 2003 6:37 PM
To: '[EMAIL PROTECTED]'
Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
I wonder if you hit one of the thresholds, i.e. more than 20 queries running, or pool threads ran out, or something along those lines. That is an area I always wanted to dig into and test well and never had a chance.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen (rallen)
Sent: Thursday, December 11, 2003 6:48 PM
To: [EMAIL PROTECTED]
Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
RE: [ActiveDir] Exchange 2000 and its interaction with AD - Yes again...
Yep.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, December 11, 2003 8:54 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Exchange 2000 and its interaction with AD - Yes again...

That the DSACCESS issue you're having?

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 10, 2003 10:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2000 and its interaction with AD - Yes again...

Well, I got word back that MS is going to fix this issue with NSPI referrals/GC selection. That is good news. The bad news is they don't know if they are going to fix the NSPI piece of AD or fix Exchange. More bad news is it could be a year to see the fix. Hollow victory. :o)

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Sunday, December 07, 2003 12:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2000 and its interaction with AD - Yes again...

LOL. You sound like the MS folks. :op

This project is in its third year (on again, off again though), about 15 months into actual work. I was lightly involved about a year ago and got heavily involved back in around April or so. I think they all realized that AD was important, but probably not to the extent that it was. A lot of it comes down to not really knowing the product, and I will point at both MCS and PSS in that regard. They tend to know the generic deployments and the pat answers. That doesn't work once you get to certain levels of complexity and size. It is like a paper MCSE going into a small site: they will be fine; a bigger site and they are an idiot. I actually think we have one of the better MCS consultants already here for E2K. Though I think he knows about 4 times more now than he knew when he walked in the door. He will admit to knowing probably twice as much. :op

I think that is my biggest gripe with MS people: the lack of willingness to simply say, you know what, I don't know. Instead they will say something like it is god's word on it, and then later it comes about that they thought it worked that way but in reality it doesn't. I think I have seen instances of that all the way up the MS chain, but I haven't ever directly spoken with an Exchange Dev guy, so maybe they know what is up and everyone else is losing the stuff in the translation. As a rule they won't let me near the Dev guys. I think it is because I ask too many difficult questions, usually starting with "why in the world..."

On our side the issue is that this project stopped and started multiple times, and management changed a couple of times, and hardware vendors changed, and storage changed, etc. Lots of crap; however, I still blame MS for the bad design we have and the bad supportability review they did of the design. This delegate issue never should have seen the light of day, but it goes back to my statement about them not really understanding how the product works.

Public Folders shouldn't be an issue as we don't really allow their use. Occasionally someone will get something out there when a new server comes online and the ACLs get changed, but that gets caught and they get killed. Pretty much we use Exchange for mail and calendar. None of the other fancy stuff. If there was a decent calendar app outside of Exchange that integrated well with mail and wouldn't have caused us massive migration headaches and custom writing of tons of code, we would have probably gone to it.

RUS has been doing OK, but then we really dumbed it down from what I understand. The email address stamping is all handled by our internal provisioning system. ADC has been a bit painful, and in fact right now our European ADC just stops working every now and then with no error messages or anything. Just stops.

I am now embroiled in debate with PSS concerning the DSACCESS/DSPROXY/Categorizer document, as I started reading it and found typos and issues in it and things that I flat out don't think are correct. MS has done what they usually do, which is to get to a point where the analyst is flying blind and wants to take things into a conference call. My personal feeling on that is it's so that it gets lost and dropped because the info isn't as well documented. The document did nothing to lull me into confidence about what was going on with us, and in fact now has me concerned about the categorizer and what might possibly be breaking in that, as it has verbiage similar to the verbiage for DSPROXY, and I really think DSPROXY has issues with the DC scrubbing that it is supposedly doing.

Outside of all the design issues we have with our specific implementation, I am really concerned about the overall supportability of a large Exchange deployment. The tool set that MS supplies completely sucks, and the documentation for writing your own tools is poor and inaccurate at best. I do not see how any large implementation of Exchange could
[ActiveDir] What is your favorite scripting language?
O'Reilly is hosting a poll for the most popular scripting language on the Windows platform. To vote for your favorite language, visit the O'Reilly website (http://www.oreilly.com/) and look on the right side of the page under "O'Reilly Poll".

FYI, Perl has the early lead, and no, I didn't vote twice :-)

Regards,
Robbie Allen
http://www.rallenhome.com/