I'm really surprised that a virus hasn't tried to use AD as a possible source of new users/computers to attack. It is real easy to write a query to enumerate every user in the domain. Even though Authenticated Users can't read all attributes of users, there are still plenty that are readable. And then there is the issue of modifying the attributes granted to SELF. There are several other ways AD could be used maliciously, but I don't want to give anyone ideas ;-) This really could become a problem (and a difficult one to solve).
As you mentioned, by just looking at DNS, you could get all of the DCs, DNS servers, mail servers, etc. and start spamming them (unless you aren't populating all of them in DNS). I think all the virus writers have been programming geeks/kiddies. A clueful Sys Admin could devise much more creative/damaging exploits than we've seen so far ;-) To my knowledge there is no way to limit the number of LDAP queries per second. The best you can do is monitor the number of LDAP queries per second (available from Perfmon). It is also good to monitor expensive/inefficient queries (see recipe 15.8). Robbie Allen http://www.rallenhome.com/ > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > Roger Seielstad > Sent: Thursday, December 11, 2003 4:36 PM > To: '[EMAIL PROTECTED]' > Subject: RE: AD as a possible target of attack? RE: > [ActiveDir] Virus soft wareon DC > > I'm not as worried about malicious, entry changing attacks > due to the built in security model. Its cake and pie to do a denial of service > attack against an LDAP system. Add to that a simple DNS query to find all > the DC's, and the whole domain drops like a lead filled balloon. > > Is there a way to limit the number of LDAP queries per second > on a DC, at least from a specific source address? > > Roger > -------------------------------------------------------------- > Roger D. Seielstad - MTS MCSE MS-MVP > Sr. Systems Administrator > Inovis Inc. > > > > -----Original Message----- > > From: GRILLENMEIER,GUIDO (HP-Germany,ex1) > > [mailto:[EMAIL PROTECTED] > > Sent: Thursday, December 11, 2003 4:14 PM > > To: [EMAIL PROTECTED] > > Subject: RE: AD as a possible target of attack? RE: > > [ActiveDir] Virus soft wareon DC > > > > > > I don't even think you have to restrict the AD-related virus > > issue to the > > file-system. > > > > Something that your AV tools won't help you with is a > > "virus", that simply > > runs malicious LDAP queries - i.e. changing all kinds of > attributes on > > objects in AD or even delete a whole lot of objects at > > once... Obviously > > this virus would only be harmful for users with appropriate > > permissions on > > the AD objects. > > > > Again, AD will ensure that these malicious changes are > > replicated to all DCs > > and you could end up with quite a disaster which is certainly > > not very easy > > to recover of. > > > > /Guido > > > > -----Original Message----- > > From: Tony Murray [mailto:[EMAIL PROTECTED] > > Sent: Donnerstag, 11. Dezember 2003 14:55 > > To: [EMAIL PROTECTED] > > Subject: Re: AD as a possible target of attack? RE: > [ActiveDir] Virus > > softwareon DC > > > > > DO scan your DCs and reconsider excluding things like the Sysvol > > > > I fully agree with you here, John. I have seen for myself > > how good FRS is > > at distributing viruses throughout the infrastructure in > > short period of > > time!! Some of the major AV vendors previously had products > > that caused > > problems when scanning SYSVOL, but the recent offerings have > > resolved this. > > Bottom line: there is no good reason not to include SYSVOL > > (as long as > > you've checked with your AV vendor first). > > > > Tony > > > > ---------- Original Message ---------------------------------- > > Wrom: NNYCGPKYLEJGDGVCJVTLBXFGGMEPYOQKEDOTWFAOBUZXU > > Reply-To: [EMAIL PROTECTED] > > Date: Wed, 10 Dec 2003 23:18:52 +0100 > > > > I totally agree with all the guys out there that urge you > to scan your > > DCs!!! I've been thinking about this issue for some time and > > I've come to > > the conclusion that Active Directory would be THE IDEAL > > target for a virus > > attack. The robustness of AD replication makes it the ideal > > distribution > > mechanism for virusses. Hey ... distributing virusses by mail > > is ancient > > technology ;-). Why not use the intense integration of > > Exchange 2000+ and AD > > to transport a virus from Exchange to AD? > > > > No guys... I'm very serious! DO scan your DCs and > reconsider excluding > > things like the Sysvol because this is another possible > > target for the sick > > minds out there that like to screw up enterprise > > environments! It's only a > > matter of time before the first AD virus is a fact of life we > > have to deal > > with! > > > > So go out and check (before you go to bed) whether or not > > dat-file updates > > are really succeeding ;-). > > > > Cheers! > > John > > > > > > -----Original Message----- > > Wrom: WLSZLKBRNVW > > To: [EMAIL PROTECTED] > > Sent: 10-12-2003 18:07 > > Subject: RE: [ActiveDir] Virus software on DC > > > > Sorry, I have to throw-in my two cents. I exclude the sysvol/sysvol > > folder and sub-folders, but run the real-time scanner on everything > > else. These two folders deal with replication and are too > volatile to > > play with. > > > > S > > > > ***************************************** > > Steve Shaff > > Active Directory / Exchange Administrator > > Corillian Corporation > > (W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674 > > > > > > -----Original Message----- > > Wrom: WCUFPEGAUTFJMVRESKPNKMBIPBARHDMNNS > > [mailto:[EMAIL PROTECTED] On Behalf Of > > Burkes, Jeremy > > [contractor] > > Sent: Wednesday, December 10, 2003 8:52 AM > > To: [EMAIL PROTECTED] > > Subject: RE: [ActiveDir] Virus software on DC > > > > Same here, never had any problems either. > > > > Jeremy > > > > -----Original Message----- > > Wrom: KVFVWRKJVZCMHVIBGDADRZFSQHYUCDDJBLVLMHAALPTCXLYRWTQTIPWI > > Sent: Wednesday, December 10, 2003 11:47 AM > > To: [EMAIL PROTECTED] > > Subject: RE: [ActiveDir] Virus software on DC > > > > > > We run Symantec AV corporate edition and don't exclude any > > directories. > > We haven't had any problems related to AV software...... > > > > -----Original Message----- > > Wrom: GYOKSTTZRCLBDXRQBGJSNBOHMKHJYFMYXO > > [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob > > Sent: Wednesday, December 10, 2003 11:42 AM > > To: [EMAIL PROTECTED] > > Subject: RE: [ActiveDir] Virus software on DC > > > > >What directories should I not be scanning? > > > > We use the exclusions in this list- > > > > 822158 - Virus Scanning Recommendations on a Windows 2000 Domain > > Controller: > > http://support.microsoft.com/default.aspx?scid=kb;en-us;822158 > > > > > > ________________________________ > > > > Wrom: EAIJJPHSCRTNHGSWZIDREXCAXZOWCONEUQZAAFX > > Sent: Wednesday, December 10, 2003 8:30 AM > > To: [EMAIL PROTECTED] > > Subject: RE: [ActiveDir] Virus software on DC > > > > > > We run Trend here. > > Never have run into any issues and we are using the realtime > > scan. > > Just out of curiosity though, I am scanning all except for a few > > select dirs/ > > What directories should I not be scanning? > > > > > > > > John Parker, MCSE > > IS Admin. > > Senior Technical Specialist > > Alpha Display Systems. > > > > Alpha Video > > 7711 Computer Ave. > > Edina, MN. 55435 > > > > 952-896-9898 Local > > 800-388-0008 Watts > > 952-896-9899 Fax > > 612-804-8769 Cell > > 952-841-3327 Direct > > > > [EMAIL PROTECTED] > > "Be excellent to each other" > > ---End of Line--- > > > > > > -----Original Message----- > > Wrom: ISHJEXXIMQZUIVOTQNQEMSFDULHPQQWOYIYZUNNYCG > > Sent: Wednesday, December 10, 2003 10:24 AM > > To: [EMAIL PROTECTED] > > Subject: RE: [ActiveDir] Virus software on DC > > > > > > > > I do, but I exclude the AD files, and I do not have real-time > > scanning enabled, just periodic scheduled scans. Does not > > seem to cause > > any problems. > > > > > > > > <mc> > > > > -----Original Message----- > > Wrom: PKYLEJGDGVCJVTLBXFGGMEPYOQKEDOTWFAOBUZXUWLS > > Sent: Wednesday, December 10, 2003 11:17 AM > > To: [EMAIL PROTECTED] > > Subject: [ActiveDir] Virus software on DC > > > > > > > > This may be a dumb question, but do you guys have virus scanning > > software on your DCs? I have been confused if the virus > scanner slows > > the machine down or not. Thanks > > > > > > List info : http://www.activedir.org/mail_list.htm > > List FAQ : http://www.activedir.org/list_faq.htm > > List archive: > > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > > > > > List info : http://www.activedir.org/mail_list.htm > > List FAQ : http://www.activedir.org/list_faq.htm > > List archive: > > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > List info : http://www.activedir.org/mail_list.htm > > List FAQ : http://www.activedir.org/list_faq.htm > > List archive: > > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > > > List info : http://www.activedir.org/mail_list.htm > > List FAQ : http://www.activedir.org/list_faq.htm > > List archive: > > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > List info : http://www.activedir.org/mail_list.htm > > List FAQ : http://www.activedir.org/list_faq.htm > > List archive: > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > > > List info : > > http://www.activedir.org/mail_list.htm > > List FAQ : http://www.activedir.org/list_faq.htm > > List archive: > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > List info : > > http://www.activedir.org/mail_list.htm > > List FAQ : http://www.activedir.org/list_faq.htm > > List archive: > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
