RE: [ActiveDir] scripting admin

2004-04-17 Thread Robbie Allen (rallen)
But of course :-) 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Friday, April 16, 2004 4:44 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] scripting admin
 
 And you are writing this in perl I assume? 
 
 
 -
 http://www.joeware.net   (download joeware)
 http://www.cafeshops.com/joewarenet  (wear joeware)
  
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen
 (rallen)
 Sent: Thursday, April 15, 2004 8:23 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] scripting admin
 
 On a related note, I'm working on a VBScript to Perl code converter.
 Input some VBScript code and output the (roughly) equivalent Perl code.
 I just started a couple of weeks ago, but should have something in a
 month or so if anyone is interested.
 
 Robbie Allen
 http://www.rallenhome.com/
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of 
 Ken Cornetet
  Sent: Wednesday, April 14, 2004 2:38 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] scripting admin
  
  I'll second this. I've only run into one thing where I couldn't get
  Perl to work (deep, dark, ugly MAPI stuff...)
  
  Other than that, it's almost trivial to look at VBScript and convert
  it to perl.
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Tuesday, April 13, 2004 11:17 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] scripting admin
  
  
  I say Perl... 
  
  The activestate dist is great. I am not aware of anything off the top
  of my head you can do in vbscript that you can't do in perl. You may
  want to learn enough vbscript to convert vbscripts others have written
  to perl.
  
  Overall for really simple things vbscript may be easier at first
  glance, but as the complexity rises vbscript shows its issues and perl
  starts to shine.
  
  Grab Robbie Allen's AD Cookbook which has some perl in it, also his
  Managing Enterprise Active Directory Services has quite a bit of perl
  in it. Most everything I tend to post here in terms of scripts and do
  in general is perl.
  
joe
  
  
  
  -
  http://www.joeware.net   (download joeware)
  http://www.cafeshops.com/joewarenet  (wear joeware)
   
   
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
  Sent: Tuesday, April 13, 2004 10:32 PM
  To: ActiveDir (E-mail)
  Subject: [ActiveDir] scripting admin
  
  Sorry for what is more of a personal advice question: I'm a perl guy
  and I was wondering if, for proper Windows scripting, I should learn
  VBScript or can I get away with most admining with perl and
  activestate. I run a couple of Linux and Unix servers, so perl makes
  sense, but would it behove me to learn VBScript or even VB to
  effectively script my win2k AD environment, or can I get away with perl
  and its integer conversion et al and be a good admin mastering only
  one lang? Thanks in advance
  List info   : http://www.activedir.org/mail_list.htm
  List FAQ: http://www.activedir.org/list_faq.htm
  List archive:
  http://www.mail-archive.com/activedir%40mail.activedir.org/
   
  


RE: [ActiveDir] scripting admin

2004-04-15 Thread Robbie Allen (rallen)
On a related note, I'm working on a VBScript to Perl code converter.
Input some VBScript code and output the (roughly) equivalent Perl code.
I just started a couple of weeks ago, but should have something in a
month or so if anyone is interested.

Robbie Allen
http://www.rallenhome.com/

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
 Sent: Wednesday, April 14, 2004 2:38 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] scripting admin
 
 I'll second this. I've only run into one thing where I couldn't get
 Perl to work (deep, dark, ugly MAPI stuff...)
 
 Other than that, it's almost trivial to look at VBScript and convert
 it to perl.
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Tuesday, April 13, 2004 11:17 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] scripting admin
 
 
 I say Perl... 
 
 The activestate dist is great. I am not aware of anything off the top
 of my head you can do in vbscript that you can't do in perl. You may
 want to learn enough vbscript to convert vbscripts others have written
 to perl.
 
 Overall for really simple things vbscript may be easier at first
 glance, but as the complexity rises vbscript shows its issues and perl
 starts to shine.
 
 Grab Robbie Allen's AD Cookbook which has some perl in it, also his
 Managing Enterprise Active Directory Services has quite a bit of perl
 in it. Most everything I tend to post here in terms of scripts and do
 in general is perl.
 
   joe
 
 
 
 -
 http://www.joeware.net   (download joeware)
 http://www.cafeshops.com/joewarenet  (wear joeware)
  
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
 Sent: Tuesday, April 13, 2004 10:32 PM
 To: ActiveDir (E-mail)
 Subject: [ActiveDir] scripting admin
 
 Sorry for what is more of a personal advice question: I'm a perl guy
 and I was wondering if, for proper Windows scripting, I should learn
 VBScript or can I get away with most admining with perl and
 activestate. I run a couple of Linux and Unix servers, so perl makes
 sense, but would it behove me to learn VBScript or even VB to
 effectively script my win2k AD environment, or can I get away with perl
 and its integer conversion et al and be a good admin mastering only
 one lang? Thanks in advance


RE: [ActiveDir] Integrate Linux with AD

2004-02-06 Thread Robbie Allen (rallen)
Depends on what you want to do.  As far as allowing Linux clients to
authenticate against AD, SFU doesn't do everything.  The solutions guide
is ok, but don't give it to any of your Linux/UNIX people to read ;-)

Regards,
Robbie Allen
http://www.rallenhome.com/ 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Jennifer Fountain
 Sent: Friday, February 06, 2004 5:12 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Integrate Linux with AD
 
  
  Hot off the press.
  
  Solution Guide for Windows Security and Directory Services for UNIX
  Using Active Directory and Kerberos for authentication and identity
  store in a heterogeneous UNIX and Windows IT environment.
  
  http://www.microsoft.com/downloads/details.aspx?FamilyId=144F7B82-65CF-4105-B60C-44515299797D&displaylang=en
  
 
 Could I use Services for Unix? Would that work instead of buying VAS?
 
 Jennifer


RE: [ActiveDir] How to track object deletion?

2004-01-20 Thread Robbie Allen (rallen)
FYI, lastKnownParent is not supported on W2K.

Robbie Allen 
http://www.rallenhome.com/

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Darren Mar-Elia
 Sent: Tuesday, January 20, 2004 9:25 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] How to track object deletion?
 
 Joe-
 In Server 2003, lastKnownParent is reliably populated with the last
 known home of the deleted object. However, I've not tried Win2K and
 it's quite possibly not.
 
 Darren
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Tuesday, January 20, 2004 2:03 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] How to track object deletion?
 
 Hey Darren have you ever seen that attribute populated? I don't recall
 ever seeing it on any objects. I never looked deeply into it though to
 see what it was legally linked to. 
 
   Joe
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Darren Mar-Elia
 Sent: Monday, January 19, 2004 3:02 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] How to track object deletion?
 
 Check the lastKnownParent attribute on the deleted object.
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 [EMAIL PROTECTED]
 Sent: Monday, January 19, 2004 7:37 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] How to track object deletion?
 
 Hello, AD gurus.
 I've been developing a DirSync program that tracks object changes
 in AD. Everything is fine except for object deletion.
 When an AD object is deleted, as everybody knows here, it is
 tombstoned. As I figured out, that means that the object is moved to
 the hidden container called 'Deleted Objects'. So when I delete an
 object, DirSync returns me the following
 
 CN=user1\DEL:5fce35d1-42dc-4d42-b4d6-fd4a5c773acd,CN=Deleted Objects,DC=sbhbd1,DC=local
 
 as the DN of the changed object.
 
 In the example above I deleted the object with DN:
 CN=user1,CN=Users,DC=sbhbd1,DC=local.
 But I've lost some part of the original object DN like: * ,CN=Users, *
 
 The question is: How to track AD object deletion? I need to know the
 object's original DN, but AD hides it from me.
 I don't want to keep a copy of the original AD or whatever similar to it.
 
 Thanks in advance! 
 
 
 
 -- 
 Best regards,
 [EMAIL PROTECTED], 19.01.2004 18:27
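A worked example of the deletion-tracking problem in this thread, added here and not code from the thread or any poster: it parses the tombstone DN that DirSync returns and rebuilds the original DN from lastKnownParent, yielding None where that attribute is absent (Windows 2000, as Robbie notes). In escaped DN string form the separator the archive shows as `\DEL:` is `\0ADEL:` (the newline byte 0x0A), which is what the parser expects; the sample change records are constructed.

```python
import re
import uuid

# Escaped-string form of an AD deleted-object (tombstone) DN: the original
# RDN, the newline byte escaped as \0A, the literal "DEL:", the objectGUID,
# then the Deleted Objects container of that naming context. The non-greedy
# value match keeps escaped commas (\,) inside the RDN value intact.
TOMBSTONE_RE = re.compile(
    r"^(?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<value>.+?)\\0ADEL:"
    r"(?P<guid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}),"
    r"(?P<container>CN=Deleted Objects,.+)$"
)


def parse_tombstone_dn(dn):
    """Split a tombstone DN into its original RDN, objectGUID and container.

    Returns None when the DN is not in tombstone form, i.e. the change
    DirSync reported was not a deletion.
    """
    match = TOMBSTONE_RE.match(dn)
    if match is None:
        return None
    return {
        "rdn": f"{match['attr']}={match['value']}",
        # uuid normalises case so the GUID compares cleanly with other sources
        "guid": str(uuid.UUID(match["guid"])),
        "container": match["container"],
    }


def reconstruct_original_dn(dn, last_known_parent):
    """Rebuild the pre-deletion DN from the tombstone RDN and lastKnownParent.

    lastKnownParent is populated on Windows Server 2003 but not on Windows
    2000 (both stated in the thread), so None is a legitimate input here and
    simply yields None: the original location cannot be recovered from the
    tombstone alone.
    """
    parsed = parse_tombstone_dn(dn)
    if parsed is None or not last_known_parent:
        return None
    return f"{parsed['rdn']},{last_known_parent}"


def classify_dirsync_changes(entries):
    """Turn DirSync-style change records into (kind, dn, original_dn) tuples.

    Each record is a dict with the reported dn, the isDeleted flag and,
    where the DC supplies it, lastKnownParent. This record shape is a
    hypothetical one; a real DirSync client would build it from the search
    result entries.
    """
    results = []
    for entry in entries:
        dn = entry["dn"]
        if entry.get("isDeleted"):
            original = reconstruct_original_dn(dn, entry.get("lastKnownParent"))
            results.append(("deleted", dn, original))
        else:
            results.append(("modified", dn, dn))
    return results


# Constructed sample records in the shape the thread describes: the first is
# the deletion from the original question, the second a W2K-style tombstone
# with no lastKnownParent (and an escaped comma in the RDN), the third an
# ordinary modification.
SAMPLE_CHANGES = [
    {
        "dn": "CN=user1\\0ADEL:5fce35d1-42dc-4d42-b4d6-fd4a5c773acd,"
              "CN=Deleted Objects,DC=sbhbd1,DC=local",
        "isDeleted": True,
        "lastKnownParent": "CN=Users,DC=sbhbd1,DC=local",
    },
    {
        "dn": "CN=Smith\\, Jane\\0ADEL:0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0,"
              "CN=Deleted Objects,DC=sbhbd1,DC=local",
        "isDeleted": True,
        "lastKnownParent": None,
    },
    {"dn": "CN=user2,CN=Users,DC=sbhbd1,DC=local", "isDeleted": False},
]


if __name__ == "__main__":
    for kind, dn, original in classify_dirsync_changes(SAMPLE_CHANGES):
        print(f"{kind:9} {dn}")
        print(f"          original DN: {original}")
```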


RE: [ActiveDir] LDIFDE and Perl...

2004-01-15 Thread Robbie Allen (rallen)
You can find a bunch of Perl Net::LDAP examples here:
http://www.rallenhome.com/books/managingenterprisead/code.html

And the cookbook code page has a lot of Perl ADSI examples:
http://www.rallenhome.com/books/adcookbook/code.html

Let me know if you have any questions.

Robbie Allen

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mike 
 Hogenauer
 Sent: Thursday, January 15, 2004 1:09 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] LDIFDE and Perl...
 
 
 I need to import 1500 user accounts into a test environment; I would
 like to use LDIFDE. First, is there an easy way to batch or create dummy
 accounts for a test environment without having to type each one, and
 second, can any of this be done with Perl? 
 
 I will also be consulting the Cookbook! 
 
 Thanks in advance. 
 
 Mike 
 
 
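An added example for Mike's question (not code from the thread or from the cookbook): generating an LDIF file of disabled test accounts that ldifde can import, with RFC 2849 base64 encoding and line folding applied where a value needs them. The OU, UPN suffix and account names are constructed lab values.

```python
import base64


def ldif_attr_line(attr, value):
    """Format one attribute line per RFC 2849.

    A SAFE-STRING is ASCII only, contains no NUL/CR/LF, and does not start
    with a space, a colon or a less-than sign; anything else is emitted
    base64-encoded after a double colon so the import sees it unchanged.
    """
    if isinstance(value, bytes):
        return f"{attr}:: {base64.b64encode(value).decode('ascii')}"
    safe = value == "" or (
        value[0] not in " :<"
        and all(0 < ord(ch) < 128 and ch not in "\r\n" for ch in value)
    )
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def fold_line(line, width=76):
    """Fold a long LDIF line; continuation lines start with one space."""
    parts = [line[:width]]
    rest = line[width:]
    while rest:
        parts.append(" " + rest[: width - 1])
        rest = rest[width - 1 :]
    return parts


def lab_user(index, ou_dn, upn_suffix):
    """Attribute set for one generated lab account (names are constructed).

    userAccountControl 514 = NORMAL_ACCOUNT + ACCOUNTDISABLE: the accounts
    import without a password and stay disabled until one is set, so a
    bulk import never puts live, password-less accounts into the directory.
    """
    sam = f"testuser{index:04d}"
    return {
        "dn": f"CN={sam},{ou_dn}",
        "changetype": "add",
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "cn": sam,
        "sAMAccountName": sam,
        "userPrincipalName": f"{sam}@{upn_suffix}",
        "displayName": f"Test User {index:04d}",
        "description": "Generated lab account - not for production use",
        "userAccountControl": "514",
    }


def entry_to_ldif(entry):
    """Serialise one entry; dn and changetype come first, as LDIF requires."""
    lines = fold_line(ldif_attr_line("dn", entry["dn"]))
    lines.append(f"changetype: {entry['changetype']}")
    for attr, value in entry.items():
        if attr in ("dn", "changetype"):
            continue
        values = value if isinstance(value, list) else [value]
        for single in values:
            lines.extend(fold_line(ldif_attr_line(attr, single)))
    return "\n".join(lines) + "\n"


def generate_ldif(count, ou_dn, upn_suffix):
    """Build an LDIF document adding `count` disabled test users under ou_dn."""
    entries = (entry_to_ldif(lab_user(i, ou_dn, upn_suffix)) for i in range(1, count + 1))
    return "\n".join(entries)


if __name__ == "__main__":
    # Constructed lab values; "ldifde -i -f users.ldf" would import the output.
    print(generate_ldif(3, "OU=Lab,DC=example,DC=test", "example.test"))
```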


RE: [ActiveDir] 2003 NTDS.DIT size

2004-01-15 Thread Robbie Allen (rallen)
W2K3 AD does single instance store of security descriptors which can
save a lot of space over W2K AD.

Robbie Allen
http://www.rallenhome.com/

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
 Sent: Thursday, January 15, 2004 8:51 AM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] 2003 NTDS.DIT size
 
 I blame it on cold water. Oh, you don't mean that shrinkage.
 
 From what I understand, it's due to improvements in the database format
 and how data is stored within. I'm guessing that they've rearranged the
 table structures to better fit the actual usage patterns.
 
 Roger
 -- 
 Roger D. Seielstad - MTS MCSE MS-MVP
 Sr. Systems Administrator
 Inovis Inc.
 
 -Original Message-
 From: Joe Baguley [mailto:[EMAIL PROTECTED]
 Sent: Thursday, January 15, 2004 8:40 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] 2003 NTDS.DIT size
 
 DIT size decreases are certainly what I am seeing in the field, with an
 80,000 user AD I deal with shrinking in a similar fashion to the
 Compaq/HP one described below...
 
 Surely some people on here will be able to explain the shrinkage
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
 Sent: 15 January 2004 13:19
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] 2003 NTDS.DIT size
 
 According to Tony Redmond's Exchange 2003 book, the HP/Compaq combined
 DIT file was 12GB in AD on Win2k and dropped to 7GB under 2003. Not sure
 how typical that is.
 
 I'd think worst case you'd end up about the same place you are now.
 IIRC, there aren't that many schema changes, so the structural size
 shouldn't change that much.
 
 Roger
 -- 
 Roger D. Seielstad - MTS MCSE MS-MVP
 Sr. Systems Administrator
 Inovis Inc.
 
 -Original Message-
 From: Parker, Edward [mailto:[EMAIL PROTECTED]
 Sent: Thursday, January 15, 2004 8:03 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] 2003 NTDS.DIT size
 
 All,
 
 We have a 53,000 user AD environment. The current size of the NTDS.DIT
 is just under 2GB.
 
 I am reading Chapter 9 of the 2003 planning document and on page 368 it
 states:
 
 "On the drive that will contain the Active Directory database,
 NTDS.dit, provide 0.4 gigabytes (GB) of storage for each 1,000 users.
 ..."
 
 Now, if this is true, that is saying when I upgrade to 2003, my
 database will grow from 2GB to 21GB. This seems a little hard to
 believe. We are going to be doing this in the lab shortly, but we are
 planning additional hardware, and this seems a little "off".
 
 Can anyone confirm this?


RE: [ActiveDir] What is your favorite scripting language?

2003-12-12 Thread Robbie Allen (rallen)
I wrote an article about this topic a few weeks ago:
http://www.oreillynet.com/pub/a/network/2003/11/18/activedir_ckbk.html

There was a fair amount of discussion (at the end of the article) so I
asked O'Reilly to host the poll.

Robbie Allen
http://www.rallenhome.com/ 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
 Sent: Friday, December 12, 2003 10:29 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] What is your favorite scripting language?
 
 I'm afraid to ask... but... why is Perl the preferred 
 language (besides it works on Unix/Linux)?
 
 Rich
 
 -Original Message-
 From: Joe [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, December 11, 2003 10:13 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] What is your favorite scripting language?
 
 But I did :oP
 
   joe
 
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen
 (rallen)
 Sent: Thursday, December 11, 2003 8:52 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] What is your favorite scripting language?
 
 O'Reilly is hosting a poll for the most popular scripting language on
 the Windows platform.  To vote for your favorite language, visit the
 O'Reilly website (http://www.oreilly.com/) and look on the right side of
 the page under O'Reilly Poll.
 
 FYI, Perl has the early lead and no I didn't vote twice :-)
 
 Regards,
 Robbie Allen
 http://www.rallenhome.com/


RE: AD as a possible target of attack? RE: [ActiveDir] Virus soft wareon DC

2003-12-11 Thread Robbie Allen (rallen)
I'm really surprised that a virus hasn't tried to use AD as a possible
source of new users/computers to attack.  It is real easy to write a
query to enumerate every user in the domain.  Even though Authenticated
Users can't read all attributes of users, there are still plenty that
are readable.  And then there is the issue of modifying the attributes
granted to SELF.  There are several other ways AD could be used
maliciously, but I don't want to give anyone ideas ;-)  This really
could become a problem (and a difficult one to solve).

As you mentioned, by just looking at DNS, you could get all of the DCs,
DNS servers, mail servers, etc. and start spamming them (unless you
aren't populating all of them in DNS).  I think all the virus writers
have been programming geeks/kiddies.  A clueful Sys Admin could devise
much more creative/damaging exploits than we've seen so far ;-)

To my knowledge there is no way to limit the number of LDAP queries per
second.  The best you can do is monitor the number of LDAP queries per
second (available from Perfmon).  It is also good to monitor
expensive/inefficient queries (see recipe 15.8).

Robbie Allen
http://www.rallenhome.com/ 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Roger Seielstad
 Sent: Thursday, December 11, 2003 4:36 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: AD as a possible target of attack? RE: 
 [ActiveDir] Virus soft wareon DC
 
 I'm not as worried about malicious, entry changing attacks due to the
 built in security model. It's cake and pie to do a denial of service
 attack against an LDAP system. Add to that a simple DNS query to find
 all the DCs, and the whole domain drops like a lead filled balloon.
 
 Is there a way to limit the number of LDAP queries per second 
 on a DC, at least from a specific source address?
 
 Roger
 --
 Roger D. Seielstad - MTS MCSE MS-MVP
 Sr. Systems Administrator
 Inovis Inc.
 
 
  -Original Message-
  From: GRILLENMEIER,GUIDO (HP-Germany,ex1) 
  [mailto:[EMAIL PROTECTED] 
  Sent: Thursday, December 11, 2003 4:14 PM
  To: [EMAIL PROTECTED]
  Subject: RE: AD as a possible target of attack? RE: 
  [ActiveDir] Virus soft wareon DC
  
  
  I don't even think you have to restrict the AD-related virus issue to
  the file-system.
  
  Something that your AV tools won't help you with is a virus that simply
  runs malicious LDAP queries - i.e. changing all kinds of attributes on
  objects in AD or even deleting a whole lot of objects at once...
  Obviously this virus would only be harmful for users with appropriate
  permissions on the AD objects.
  
  Again, AD will ensure that these malicious changes are replicated to
  all DCs and you could end up with quite a disaster which is certainly
  not very easy to recover from.
  
  /Guido
  
  -Original Message-
  From: Tony Murray [mailto:[EMAIL PROTECTED] 
  Sent: Thursday, 11 December 2003 14:55
  To: [EMAIL PROTECTED]
  Subject: Re: AD as a possible target of attack? RE: 
 [ActiveDir] Virus
  softwareon DC
  
   DO scan your DCs and reconsider excluding things like the Sysvol
  
  I fully agree with you here, John.  I have seen for myself how good FRS
  is at distributing viruses throughout the infrastructure in a short
  period of time!!  Some of the major AV vendors previously had products
  that caused problems when scanning SYSVOL, but the recent offerings
  have resolved this. Bottom line:  there is no good reason not to
  include SYSVOL (as long as you've checked with your AV vendor first).
  
  Tony
  
  -- Original Message --
  From: [EMAIL PROTECTED]
  Reply-To: [EMAIL PROTECTED]
  Date:  Wed, 10 Dec 2003 23:18:52 +0100
  
  I totally agree with all the guys out there that urge you to scan your
  DCs!!! I've been thinking about this issue for some time and I've come
  to the conclusion that Active Directory would be THE IDEAL target for a
  virus attack. The robustness of AD replication makes it the ideal
  distribution mechanism for viruses. Hey ... distributing viruses by
  mail is ancient technology ;-). Why not use the intense integration of
  Exchange 2000+ and AD to transport a virus from Exchange to AD? 
  
  No guys... I'm very serious! DO scan your DCs and reconsider excluding
  things like the Sysvol because this is another possible target for the
  sick minds out there that like to screw up enterprise environments!
  It's only a matter of time before the first AD virus is a fact of life
  we have to deal with!
  
  So go out and check (before you go to bed) whether or not dat-file
  updates are really succeeding ;-).
  
  Cheers!
  John
   
  
  -Original Message-
  From: [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: 10-12-2003 18:07
  Subject: RE: [ActiveDir] Virus software on DC
  
  Sorry, I 
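Robbie's point above is that the practical control is monitoring LDAP queries per second from Perfmon. As an added example (not code from the thread), the script below reads a typeperf-style CSV capture of the NTDS "LDAP Searches/sec" counter and flags sustained bursts against a median baseline while ignoring a one-sample spike. The capture is constructed to mirror the 80 to ~1000 queries/sec jump Robbie describes in this thread.

```python
import csv
import io
import statistics

# Constructed typeperf-style (PDH-CSV 4.0) capture of the NTDS
# "LDAP Searches/sec" counter on one DC, sampled once a minute. The values
# mimic the thread: a baseline near 80/sec, a sustained burst near 1000/sec,
# and one isolated spike that should not be reported on its own.
SAMPLE_CSV = r'''"(PDH-CSV 4.0)","\\DC1\NTDS\LDAP Searches/sec"
"12/11/2003 16:00:00.000","78"
"12/11/2003 16:01:00.000","82"
"12/11/2003 16:02:00.000","80"
"12/11/2003 16:03:00.000","79"
"12/11/2003 16:04:00.000","81"
"12/11/2003 16:05:00.000","950"
"12/11/2003 16:06:00.000","1010"
"12/11/2003 16:07:00.000","990"
"12/11/2003 16:08:00.000","1005"
"12/11/2003 16:09:00.000","970"
"12/11/2003 16:10:00.000","83"
"12/11/2003 16:11:00.000","600"
"12/11/2003 16:12:00.000","79"
'''


def parse_pdh_csv(text):
    """Return (counter_path, [(timestamp, value), ...]) from a PDH CSV capture.

    typeperf leaves the cell blank when a sample could not be collected;
    those rows are skipped rather than treated as a rate of zero.
    """
    rows = list(csv.reader(io.StringIO(text)))
    counter = rows[0][1]
    samples = []
    for row in rows[1:]:
        if len(row) < 2 or not row[1].strip():
            continue
        samples.append((row[0], float(row[1])))
    return counter, samples


def find_bursts(samples, baseline_window=5, factor=5.0, min_consecutive=3):
    """Flag sustained query-rate bursts relative to a median baseline.

    The baseline is the median of the first `baseline_window` samples; a
    burst is a run of at least `min_consecutive` samples above
    factor * baseline. Shorter runs (a single busy minute) are ignored so
    the alert only fires for the kind of 30-minute flood described in the
    thread. Returns (baseline, bursts).
    """
    baseline = statistics.median(v for _, v in samples[:baseline_window])
    threshold = baseline * factor
    bursts, run = [], []

    def flush():
        if len(run) >= min_consecutive:
            bursts.append({
                "start": run[0][0],
                "end": run[-1][0],
                "peak": max(v for _, v in run),
                "samples": len(run),
            })

    for timestamp, value in samples:
        if value > threshold:
            run.append((timestamp, value))
        else:
            flush()
            run.clear()
    flush()
    return baseline, bursts


if __name__ == "__main__":
    counter, samples = parse_pdh_csv(SAMPLE_CSV)
    baseline, bursts = find_bursts(samples)
    print(f"{counter}: baseline {baseline:.0f}/sec")
    for burst in bursts:
        print(f"burst {burst['start']} .. {burst['end']}: "
              f"peak {burst['peak']:.0f}/sec over {burst['samples']} samples")
```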

RE: AD as a possible target of attack? RE: [ActiveDir] Virus soft wareon DC

2003-12-11 Thread Robbie Allen (rallen)
I don't think it would take all that many clients if they used a
threaded app that spawned a bunch of simultaneous sessions to different
DCs.  Heck, I've seen a single client cause the number of queries per
second on a DC to go from 80 to ~1000 for a 30 minute span.  Now this
didn't cause the CPU to spike greatly, but it did cause other clients
using that DC to get intermittent AD/LDAP errors.

As far as denying IPs, that was available in W2K, but it was removed (at
least from ntdsutil) in W2K3.  I was told that it wouldn't be supported
anymore in W2K3 (I haven't tested to see if it works still).  That would
be unfortunate if it isn't supported.

Robbie Allen

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Gil 
 Kirkpatrick
 Sent: Thursday, December 11, 2003 5:38 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: AD as a possible target of attack? RE: 
 [ActiveDir] Virus soft wareon DC
 
 The problem with the built-in security model is that in most
 environments it's easy to get around it by using one of the various
 LocalSystem escalations on the DC. All of a sudden the ACLs are
 meaningless, and AD will happily replicate the corrupted data for you.
 
 It's hard to do a system wide denial-of-service by flooding the DCs
 with queries (I assume this is what you were talking about) because of
 the number of clients you would have to bring to bear. It takes a lot
 of clients to generate enough traffic to kill a DC, and a lot more to
 kill all the DCs in the system. And if the clients are connected to the
 DCs via slower WAN links, it's probably impossible.
 
 You can disable anonymous queries (already done by default in W2K3),
 and you can configure IP addresses to deny connections from, but I
 don't know of a way to limit the number of LDAP queries per second.
 Sounds like a cool feature.
 
 -gil
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Roger Seielstad
 Sent: Thursday, December 11, 2003 2:36 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: AD as a possible target of attack? RE: 
 [ActiveDir] Virus soft
 wareon DC
 
 
 I'm not as worried about malicious, entry changing attacks due to the
 built in security model. It's cake and pie to do a denial of service
 attack against an LDAP system. Add to that a simple DNS query to find
 all the DCs, and the whole domain drops like a lead filled balloon.
 
 Is there a way to limit the number of LDAP queries per second on a DC,
 at least from a specific source address?
 
 Roger
 --
 Roger D. Seielstad - MTS MCSE MS-MVP
 Sr. Systems Administrator
 Inovis Inc.
 
 
  -Original Message-
  From: GRILLENMEIER,GUIDO (HP-Germany,ex1)
  [mailto:[EMAIL PROTECTED] 
  Sent: Thursday, December 11, 2003 4:14 PM
  To: [EMAIL PROTECTED]
  Subject: RE: AD as a possible target of attack? RE: 
  [ActiveDir] Virus soft wareon DC
  
  
  I don't even think you have to restrict the AD-related virus issue to
  the file-system.
  
  Something that your AV tools won't help you with is a virus that simply
  runs malicious LDAP queries - i.e. changing all kinds of attributes on
  objects in AD or even deleting a whole lot of objects at once...
  Obviously this virus would only be harmful for users with appropriate
  permissions on the AD objects.
  
  Again, AD will ensure that these malicious changes are replicated to
  all DCs and you could end up with quite a disaster which is certainly
  not very easy to recover from.
  
  /Guido
  
  -Original Message-
  From: Tony Murray [mailto:[EMAIL PROTECTED]
  Sent: Thursday, 11 December 2003 14:55
  To: [EMAIL PROTECTED]
  Subject: Re: AD as a possible target of attack? RE: 
 [ActiveDir] Virus
  softwareon DC
  
   DO scan your DCs and reconsider excluding things like the Sysvol
  
  I fully agree with you here, John.  I have seen for myself how good FRS
  is at distributing viruses throughout the infrastructure in a short
  period of time!!  Some of the major AV vendors previously had products
  that caused problems when scanning SYSVOL, but the recent offerings
  have resolved this. Bottom line:  there is no good reason not to
  include SYSVOL (as long as you've checked with your AV vendor first).
  
  Tony
  
  -- Original Message --
  From: [EMAIL PROTECTED]
  Reply-To: [EMAIL PROTECTED]
  Date:  Wed, 10 Dec 2003 23:18:52 +0100
  
  I totally agree with all the guys out there that urge you to scan your
  DCs!!! I've been thinking about this issue for some time and I've come
  to the conclusion that Active Directory would be THE IDEAL target for a
  virus attack. The robustness of AD replication makes it the ideal
  distribution mechanism for viruses. Hey ... distributing viruses by
  mail is ancient technology ;-). Why not use the intense integration of 

RE: AD as a possible target of attack? RE: [ActiveDir] Virus soft wareon DC

2003-12-11 Thread Robbie Allen (rallen)
Neither that I recall.  CPU was around 30-40%.  In my experience it is
not uncommon to see occasional LDAP errors when the CPU reaches that
level on DCs (at least with W2K).

Robbie Allen

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Gil 
 Kirkpatrick
 Sent: Thursday, December 11, 2003 6:37 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: AD as a possible target of attack? RE: 
 [ActiveDir] Virus soft wareon DC
 
 I usually have to run about 10 authentication threads on each of 5
 machines to get the CPU over 50% on my 1GHz P3 server. Of course the
 DIT is essentially empty. I suppose that having them issue some complex
 query over a large DIT would alter that picture substantially.
 
 That's interesting that clients were getting intermittent errors even
 though the CPU wasn't pegged. Was the disk or network saturated?
 
 -g
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen
 (rallen)
 Sent: Thursday, December 11, 2003 4:00 PM
 To: [EMAIL PROTECTED]
 Subject: RE: AD as a possible target of attack? RE: 
 [ActiveDir] Virus soft
 wareon DC
 
 
 I don't think it would take all that many clients if they used a
 threaded app that spawned a bunch of simultaneous sessions to different
 DCs.  Heck, I've seen a single client cause the number of queries per
 second on a DC to go from 80 to ~1000 for a 30 minute span.  Now this
 didn't cause the CPU to spike greatly, but it did cause other clients
 using that DC to get intermittent AD/LDAP errors.
 
 As far as denying IPs, that was available in W2K, but it was removed (at
 least from ntdsutil) in W2K3.  I was told that it wouldn't be supported
 anymore in W2K3 (I haven't tested to see if it works still).  That would
 be unfortunate if it isn't supported.
 
 Robbie Allen
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Gil 
  Kirkpatrick
  Sent: Thursday, December 11, 2003 5:38 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: AD as a possible target of attack? RE: 
  [ActiveDir] Virus soft wareon DC
  
  The problem with the built-in security model is that in most
  environments it's easy to get around it by using one of the various
  LocalSystem escalations on the DC. All of a sudden the ACLs are
  meaningless, and AD will happily replicate the corrupted data for you.
  
  It's hard to do a system wide denial-of-service by flooding the DCs
  with queries (I assume this is what you were talking about) because of
  the number of clients you would have to bring to bear. It takes a lot
  of clients to generate enough traffic to kill a DC, and a lot more to
  kill all the DCs in the system. And if the clients are connected to the
  DCs via slower WAN links, it's probably impossible.
  
  You can disable anonymous queries (already done by default in W2K3),
  and you can configure IP addresses to deny connections from, but I
  don't know of a way to limit the number of LDAP queries per second.
  Sounds like a cool feature.
  
  -gil
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of
  Roger Seielstad
  Sent: Thursday, December 11, 2003 2:36 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: AD as a possible target of attack? RE: 
  [ActiveDir] Virus soft
  wareon DC
  
  
  I'm not as worried about malicious, entry changing attacks due to the
  built in security model. It's cake and pie to do a denial of service
  attack against an LDAP system. Add to that a simple DNS query to find
  all the DCs, and the whole domain drops like a lead filled balloon.
  
  Is there a way to limit the number of LDAP queries per second on a DC,
  at least from a specific source address?
  
  Roger
  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.
  
  
   -Original Message-
   From: GRILLENMEIER,GUIDO (HP-Germany,ex1) 
   [mailto:[EMAIL PROTECTED]
   Sent: Thursday, December 11, 2003 4:14 PM
   To: [EMAIL PROTECTED]
   Subject: RE: AD as a possible target of attack? RE:
   [ActiveDir] Virus soft wareon DC
   
   
   I don't even think you have to restrict the AD-related virus issue to
   the file-system.
   
   Something that your AV tools won't help you with is a virus that simply
   runs malicious LDAP queries - i.e. changing all kinds of attributes on
   objects in AD or even deleting a whole lot of objects at once...
   Obviously this virus would only be harmful for users with appropriate
   permissions on the AD objects.
   
   Again, AD will ensure that these malicious changes are replicated to
   all DCs and you could end up with quite a disaster which is certainly
   not very easy to recover from.
   
   /Guido
   
   -Original Message-
   From: Tony Murray [mailto:[EMAIL PROTECTED]
   Sent: Thursday, 11 December 2003 14

[ActiveDir] What is your favorite scripting language?

2003-12-11 Thread Robbie Allen (rallen)
O'Reilly is hosting a poll for the most popular scripting language on
the Windows platform.  To vote for your favorite language, visit the
O'Reilly website (http://www.oreilly.com/) and look on the right side of
the page under O'Reilly Poll.

FYI, Perl has the early lead and no I didn't vote twice :-)

Regards,
Robbie Allen
http://www.rallenhome.com/