RE: [ActiveDir] Hardening Active Directory

[Larry A. Duncan]

Title: Message

Thanks for clarifying, Gil. This is great information.   Larry A. Duncan, MCSA/MCSE Solutions Architect, CompTrends Consulting [EMAIL PROTECTED] http://www.comptrends.com/ ph. 615.598.0241   DMOZ: Systems_Management/Installers LAUNCHCast Radio: 1237556939 Columnist: myITForum.com Author: Windows & .NET Magazine   -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Gil Kirkpatrick Sent: Friday, December 27, 2002 1:14 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Hardening Active Directory   Hey Larry,   It was a problem one of our customers experienced after deploying the NSA templates in their test lab a few days before production deployment. He frequents the list so may be able to give details, but as I understand it, one of the policy settings on their DCs was to "shutdown on audit failure". I'm not clear on the the specifics on the audit failure, but when the machine went down, it corrupted something (perhaps the audit log?) and then would come back up and then fail again. There was also some issue of "removing the Everyone group from the template" (I'm reading from our support log) but I don't know what this means exactly.   Hopefully the person who had the problem can describe the problem in more detail on-list, or at least get with you offline.   The problem has been experienced by several people that I'm aware of.   -gil     -----Original Message----- From: Larry A. Duncan [mailto:[EMAIL PROTECTED]] Sent: Friday, December 27, 2002 11:31 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Hardening Active Directory Can you expand, Gil? I'd rather not find out the hard way... J   Larry A. Duncan, MCSA/MCSE Solutions Architect, CompTrends Consulting [EMAIL PROTECTED] http://www.comptrends.com/ ph. 615.598.0241   DMOZ: Systems_Management/Installers LAUNCHCast Radio: 1237556939 Columnist: myITForum.com Author: Windows & .NET Magazine   -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Gil Kirkpatrick Sent: Friday, December 27, 2002 11:43 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Hardening Active Directory   Like the infamous "all my DCs just start rebooting themselves every 15 minutes" problem? ;-)   -gil -----Original Message----- From: Tim Hines [mailto:[EMAIL PROTECTED]] Sent: Friday, December 27, 2002 10:35 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Hardening Active Directory Make sure that you test any security recommendations in a lab before deploying them on your network.  I have seen some of the templates from the NSA cause problems.      Tim Hines, MCSA, MCSE (2000 & NT4) MVP - Active Directory         ----- Original Message ----- From: Larry A. Duncan   To: [EMAIL PROTECTED] Sent: Friday, December 27, 2002 11:29 AM Subject: RE: [ActiveDir] Hardening Active Directory   Best Practices for Designing a Secure Active Directory http://fetchportal.com/click_thru.asp?LinkId=131   Ops Guide for Securing Active Directory http://fetchportal.com/links.asp?CatId=21     Larry A. Duncan, MCSA/MCSE Solutions Architect, CompTrends Consulting [EMAIL PROTECTED] http://www.comptrends.com/ ph. 615.598.0241   DMOZ: Systems_Management/Installers LAUNCHCast Radio: 1237556939 Columnist: myITForum.com Author: Windows & .NET Magazine   -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Brad Martin Sent: Friday, December 27, 2002 10:11 AM To: Active Directory Mailing List Subject: [ActiveDir] Hardening Active Directory   Anyone have any good links with tips on securing Active Directory?  I'm going to have a couple of AD servers out on the Net, so I want to do what I can to lock them down.   Brad Martin Go Daddy Software [EMAIL PROTECTED] 480.505.8800 ext. 250