RE: [ActiveDir] OT: AD MMC Snap ins
If the AdminPak has never been installed on a given system, the snap-ins that are the Administrative Tools say, ADUC, should not be available. Are you saying that you have the snap-ins on a Win2k3 system with SP1 that you are certain the AdminPak was not installed on? Im unclear as to exactly what youre asking. And, yes I do view it as some degree of a Security Risk. As to how high of a risk, that all depends on factors in your environment. Rick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Friday, August 19, 2005 2:15 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: AD MMC Snap ins Dear All, On a Windows Server 2003 Service Pack 1 member server that has not had the Adminpak.msi installed, so no AD tools appear in the Administrative tools on the Start Menu or in the control panel. If a new MMC is run from the command line and Add\Remove snap-in is selected should the AD Admin tools listed and registered (such as DSA.MSC)? I have had this on a test machine tonight and for me its potentially a security issue. Many thanks Mark
Re: [ActiveDir] OT: AD MMC Snap ins
I have checked at work today, systems that have never seen the admin pak, have the mmc snapins installed. Vanilla 2003 this is the case too. They are Just not visable under admin tools, but are available as mmc snapins, even without the adminpak installed. Mark -Original Message- From: Rick Kingslan [EMAIL PROTECTED] Date: Fri, 19 Aug 2005 07:26:21 To:ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: AD MMC Snap ins If the AdminPak has never been installed on a given system, the snap-ins that are the Administrative Tools say, ADUC, should not be available. Are you saying that you have the snap-ins on a Win2k3 system with SP1 that you are certain the AdminPak was not installed on? Im unclear as to exactly what youre asking. And, yes I do view it as some degree of a Security Risk. As to how high of a risk, that all depends on factors in your environment. Rick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Friday, August 19, 2005 2:15 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: AD MMC Snap ins Dear All, On a Windows Server 2003 Service Pack 1 member server that has not had the Adminpak.msi installed, so no AD tools appear in the Administrative tools on the Start Menu or in the control panel. If a new MMC is run from the command line and Add\Remove snap-in is selected should the AD Admin tools listed and registered (such as DSA.MSC)? I have had this on a test machine tonight and for me its potentially a security issue. Many thanks Mark List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: AD MMC Snap ins
This as always been the case IIRC. The adminpack.msi set is if you want to install the admin tools on a workstation such XP or W2K Prof to allow you do admin. One of things that happens during a dcpromo process is the enabling and registering of all admin tools in the user interface rather than you having to open up the mmc console and manually add the snapins. Regards Peter Johnson -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: 19 August 2005 15:18 To: ActiveDir.org Subject: Re: [ActiveDir] OT: AD MMC Snap ins I have checked at work today, systems that have never seen the admin pak, have the mmc snapins installed. Vanilla 2003 this is the case too. They are Just not visable under admin tools, but are available as mmc snapins, even without the adminpak installed. Mark -Original Message- From: Rick Kingslan [EMAIL PROTECTED] Date: Fri, 19 Aug 2005 07:26:21 To:ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: AD MMC Snap ins If the AdminPak has never been installed on a given system, the snap-ins that are the Administrative Tools say, ADUC, should not be available. Are you saying that you have the snap-ins on a Win2k3 system with SP1 that you are certain the AdminPak was not installed on? Im unclear as to exactly what youre asking. And, yes I do view it as some degree of a Security Risk. As to how high of a risk, that all depends on factors in your environment. Rick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Friday, August 19, 2005 2:15 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: AD MMC Snap ins Dear All, On a Windows Server 2003 Service Pack 1 member server that has not had the Adminpak.msi installed, so no AD tools appear in the Administrative tools on the Start Menu or in the control panel. If a new MMC is run from the command line and Add\Remove snap-in is selected should the AD Admin tools listed and registered (such as DSA.MSC)? I have had this on a test machine tonight and for me its potentially a security issue. Many thanks Mark List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: AD MMC Snap ins
Pardon me - you're absolutely correct. I, in my haste this morning, failed to note the WINDOWS SERVER 2003 SP1. Yes, they are installed and registered by default, but are only added to menus created for the appropriate application or in the Administrative tools. As mentioned, I do view this as some degree of risk, but much less now that I see that it's on Server. One, servers should have tight Interactive and physical controls (i.e. no console access or TS access, except to your most trusted). Two, no one should be able to install server in your environment without your knowledge or control without fear of serious, immediate and dismiss-able consequences. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Friday, August 19, 2005 8:18 AM To: ActiveDir.org Subject: Re: [ActiveDir] OT: AD MMC Snap ins I have checked at work today, systems that have never seen the admin pak, have the mmc snapins installed. Vanilla 2003 this is the case too. They are Just not visable under admin tools, but are available as mmc snapins, even without the adminpak installed. Mark -Original Message- From: Rick Kingslan [EMAIL PROTECTED] Date: Fri, 19 Aug 2005 07:26:21 To:ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: AD MMC Snap ins If the AdminPak has never been installed on a given system, the snap-ins that are the Administrative Tools say, ADUC, should not be available. Are you saying that you have the snap-ins on a Win2k3 system with SP1 that you are certain the AdminPak was not installed on? Im unclear as to exactly what youre asking. And, yes I do view it as some degree of a Security Risk. As to how high of a risk, that all depends on factors in your environment. Rick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Friday, August 19, 2005 2:15 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: AD MMC Snap ins Dear All, On a Windows Server 2003 Service Pack 1 member server that has not had the Adminpak.msi installed, so no AD tools appear in the Administrative tools on the Start Menu or in the control panel. If a new MMC is run from the command line and Add\Remove snap-in is selected should the AD Admin tools listed and registered (such as DSA.MSC)? I have had this on a test machine tonight and for me its potentially a security issue. Many thanks Mark List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: AD MMC Snap ins
It comes as part of a server load. Any 2K/23 server will have it. Adminpak is for client OS. All you can do is ACL the msc files with a files system policy. Taking away ADUC rights is not going to stop anyone determined to see what they want. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Friday, August 19, 2005 8:18 AM To: ActiveDir.org Subject: Re: [ActiveDir] OT: AD MMC Snap ins I have checked at work today, systems that have never seen the admin pak, have the mmc snapins installed. Vanilla 2003 this is the case too. They are Just not visable under admin tools, but are available as mmc snapins, even without the adminpak installed. Mark -Original Message- From: Rick Kingslan [EMAIL PROTECTED] Date: Fri, 19 Aug 2005 07:26:21 To:ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: AD MMC Snap ins If the AdminPak has never been installed on a given system, the snap-ins that are the Administrative Tools say, ADUC, should not be available. Are you saying that you have the snap-ins on a Win2k3 system with SP1 that you are certain the AdminPak was not installed on? Im unclear as to exactly what youre asking. And, yes I do view it as some degree of a Security Risk. As to how high of a risk, that all depends on factors in your environment. Rick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Friday, August 19, 2005 2:15 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: AD MMC Snap ins Dear All, On a Windows Server 2003 Service Pack 1 member server that has not had the Adminpak.msi installed, so no AD tools appear in the Administrative tools on the Start Menu or in the control panel. If a new MMC is run from the command line and Add\Remove snap-in is selected should the AD Admin tools listed and registered (such as DSA.MSC)? I have had this on a test machine tonight and for me its potentially a security issue. Many thanks Mark List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/