The books I mentioned are for those with a good understanding of what is
going on with AD. A good starter book is Robbie and Alistair's O'Reilly
Active Directory book - The Cat Book.

Don't worry about asking questions, as mentioned before, that is what the
list is about. I am just, hopefully, warning folks to not give specifics on
how to hack DCs or domains. Best to not even hint at the ways to do it
because 

A. You could be wrong
B. You could be right

The main thing to think of at all times is that LocalSystem is god, it is
more powerful than any admin ID in the forest. Anything that can somehow get
that access can do damage. The methods by which you get that access and what
you do with it is what shouldn't be discussed in open forums. 

  joe



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 13, 2004 4:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

Understood, but I think we're not seeing the trees for the forest here :)

As I said earlier, I don't want a "how to" for AD hacking.
Actually, I only wanted to know how dependent a child domain was on the root
DC, which you've more than answered, and I thank you all.
Now I guess what I'm asking for is just a good reference, not so I can figure
out how to compromise a forest, but to understand how the AD internals work
on a non-hand-holding level so I can know, among many other things, how such
a thing could happen.
Not how to do it.
And, joe, if the 2 books you mentioned are the best start, then that's great
and thanks.
I know how tricky it is to answer some questions where the answer might
prove dangerous or annoying at best, so I'm not asking for it. And I
apologize for making you guys talk in circles.
I guess the real answer is, "If you gotta ask, you don't know."
My apologies to Louis Armstrong.

Thanks again.

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 3:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question


There are multiple vectors which one could utilize. Discussing any of them
probably isn't good because we don't have methods to protect against them
except to limit who gets access to what in the first place, and even that is
not a guarantee; it just puts that much more burden on the person trying to do
damage. Ditto for various simple (and complex) D.O.S. techniques. I know of
some real doozies, but you won't catch me uttering them anywhere near a
public forum and usually not even in private, except with a very small closed
set of people who I am positive have my back and would treat the info the
same. The info isn't NDA, but it actually isn't something I want people
knowing about, simply from the point of safety of me, myself, and my butt.
This is one of the few things I am not all about being upfront and talkative
about. If I saw an easy way for MS to correct the shortcomings I would
probably spout until they did; I unfortunately do not, so I will remain mum
except to say that it is possible and people should be careful about who they make
domain admins or give local logon rights on a DC to. Once more...
Domains are not security boundaries.

If your enterprise admins do not feel they could be compromised, there are not
many words you can use to convince them otherwise; they would have to see it or
finally "see the light". I doubt proving the fact to them will get you
enterprise admin; most likely it would get domain admin as well as any local
logon rights to a DC removed from you. You could possibly, depending on your
org, talk them into letting you have your own forest. That may even be
tough.

You can't fully protect a DC or a domain. However, you should handle the easy
ones, like being very tight on who can log on or control services on a DC and
who the admins are. The goal is to make it as difficult as possible for
someone trying to do you harm while still maintaining needed functionality.
There are some things that you have to make a very hard call on: be insecure,
or not allow someone functionality they think they need. I've had lots of
people tell me they needed to be admins on domains, though my security model has
never been one in which I think their functionality requires reducing
security. 

  joe
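Joe's advice above, to be very tight on who the admins are and who can log on or control services on a DC, is something you can check rather than guess at. The following PowerShell script is an added example, not code from the thread or from any of its posters. It is read-only: it walks every domain in the forest, expands the forest-level groups (Enterprise Admins, Schema Admins) and, per domain, Domain Admins plus the builtin groups that the Default Domain Controllers Policy allows to log on locally to a DC, and flags any member whose SID was issued by a different domain than the group it sits in. It assumes the RSAT ActiveDirectory module (which postdates the Windows 2000 forest discussed in the thread), an account that can read every domain, and a reachable DC per domain.

```powershell
# Added example, not code from the thread or from any of its posters.
# Read-only audit of who holds forest-level rights and who is in the groups that the
# Default Domain Controllers Policy lets log on to a DC. Assumes the RSAT ActiveDirectory
# module, an account allowed to read every domain, and a reachable DC per domain.
Import-Module ActiveDirectory

function Get-PrivilegedGroupReport {
    $forest = Get-ADForest
    $root   = Get-ADDomain -Identity $forest.RootDomain

    # Domain SID per domain, used to spot principals from one domain sitting in another's groups.
    $domainSid = @{}
    foreach ($name in $forest.Domains) {
        $domainSid[$name] = (Get-ADDomain -Identity $name).DomainSID.Value
    }

    # Resolve groups by well-known RID/SID rather than by display name, so a renamed
    # group cannot hide from the audit. Forest-scoped groups exist only in the root domain.
    $targets = @(
        [pscustomobject]@{ Domain = $root.DNSRoot; Label = 'Enterprise Admins'; Sid = "$($domainSid[$root.DNSRoot])-519" }
        [pscustomobject]@{ Domain = $root.DNSRoot; Label = 'Schema Admins';     Sid = "$($domainSid[$root.DNSRoot])-518" }
    )
    foreach ($name in $forest.Domains) {
        $targets += [pscustomobject]@{ Domain = $name; Label = 'Domain Admins';     Sid = "$($domainSid[$name])-512" }
        # Builtin groups granted "Allow log on locally" on DCs by the default DC policy;
        # Server Operators can also start and stop services on a DC.
        $targets += [pscustomobject]@{ Domain = $name; Label = 'Administrators';    Sid = 'S-1-5-32-544' }
        $targets += [pscustomobject]@{ Domain = $name; Label = 'Server Operators';  Sid = 'S-1-5-32-549' }
        $targets += [pscustomobject]@{ Domain = $name; Label = 'Backup Operators';  Sid = 'S-1-5-32-551' }
        $targets += [pscustomobject]@{ Domain = $name; Label = 'Print Operators';   Sid = 'S-1-5-32-550' }
        $targets += [pscustomobject]@{ Domain = $name; Label = 'Account Operators'; Sid = 'S-1-5-32-548' }
    }

    foreach ($t in $targets) {
        try {
            # -Recursive expands nested groups so indirect membership shows up too.
            $members = Get-ADGroupMember -Identity $t.Sid -Server $t.Domain -Recursive -ErrorAction Stop
        } catch {
            # Domain-local groups holding foreign security principals from external trusts
            # can make this cmdlet fail; report it rather than silently skipping the group.
            Write-Warning "Could not expand $($t.Label) in $($t.Domain): $_"
            continue
        }
        foreach ($m in $members) {
            $memberDomain = $m.SID.AccountDomainSid
            [pscustomobject]@{
                Domain      = $t.Domain
                Group       = $t.Label
                Member      = $m.SamAccountName
                ObjectClass = $m.ObjectClass
                # True when the member's SID was issued by a different domain than the one
                # whose group it sits in: exactly the cross-domain exposure the thread is about.
                CrossDomain = ($null -ne $memberDomain) -and ($memberDomain.Value -ne $domainSid[$t.Domain])
            }
        }
    }
}

$report = Get-PrivilegedGroupReport
$report | Sort-Object Domain, Group, Member | Format-Table -AutoSize

# Items worth a second look: cross-domain members anywhere, and anything at all in the
# Operators groups, which ship empty.
$report | Where-Object { $_.CrossDomain -or $_.Group -like '*Operators' } |
    Format-Table Domain, Group, Member, ObjectClass -AutoSize
```

Run it from a management workstation with an account that has read access to every domain; nothing it does requires Domain Admin. The second table is the one to review regularly: a child-domain account appearing in Enterprise Admins, or any account at all in Server Operators, is a direct answer to "who can log on to or control services on a DC".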


 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 13, 2004 1:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

You mean writing oneself into a GC in the root domain? It's my understanding
that GCs have a subset of all of AD, but only have a read-only version of the
domain partitions they are not a member of. So I couldn't just write myself
into a GC in my domain for a uni group from another domain, no?
As stated earlier, I don't want to "hack" my AD forest, so please don't
divulge any info you feel is compromising to AD security. I just want to be
clear on and learn some AD internals I can't really seem to find in any
book. I guess this is one of them, so if you can clarify without giving away
a hack or hole, that would be great (if that's at all possible).
Thanks

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 1:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question


Basically, it's because the GC (which is the same on all domain controllers
within a forest) is writable in every domain: anyone with Domain Admin privs
can write themselves into Universal Groups - one of which is Enterprise
Admins - through a relatively trivial process (there are scripts available
on the Internet, I believe).

Last I checked, that means the child domain admin now has what amounts to
local admin rights on every DC in every domain in the forest. In other
words, they now 0wn your forest.

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 

> -----Original Message-----
> From: Kern, Tom [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 13, 2004 10:20 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] A root dc question
> 
> How would one force an escalation of privileges? Is this just taking 
> advantage of a security hole in AD? Or is this a standard ability? A 
> backdoor to prevent a lockout, like the ability to change a domain 
> admin pw if you're physically at the machine with a Linux boot disk?
> And if it's a flaw, why hasn't it been fixed by MS?
> 
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 13, 2004 9:41 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] A root dc question
> 
> 
> You'd be very, very wrong. Through *standard* practices, you're 
> correct.
> However, you have sufficient rights to force an escalation of 
> privileges and insert your account into the Enterprise Admins 
> group....
> 
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>  
> 
> > -----Original Message-----
> > From: Kern, Tom [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, May 13, 2004 9:16 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] A root dc question
> > 
> > 1. What do you mean by "an admin in any domain has the power of 
> > being an Enterprise admin"? I, being a domain admin of a child 
> > domain, do not have the power to put myself into the Enterprise 
> > Admins group. A domain or enterprise admin in the root domain would 
> > have to do that for me.
> >  
> > Also, as a domain admin in a child domain, I'm kinda limited in the 
> > damage I could do to the forest, no? I mean, I could screw up my 
> > domain royally, but I can't really do anything to screw up the 
> > forest (and completely hosing my domain would only cause replication 
> > errors generated in event logs and some repointing of Exchange 
> > servers to different GCs). I can't modify the schema or install an 
> > app that does it for me. I can't link a wrong-headed GPO to a site 
> > or create one on the root or any other domain. I can't create a site 
> > or subnet.
> > And if I crashed and burned all my DCs, wouldn't AD remove them 
> > permanently after 60 days?
> > 
> > I'm sorry to belabour the point here and waste your time, but I 
> > really want to make a good case for our IT dept to have enterprise 
> > admin access and show why multiple separate domain admins for 
> > multiple domains is not a good idea, as well as further my knowledge 
> > of what can and can't be done and what can and can't be screwed up.
> > I'd like to convince everyone that playing nice is in our best 
> > interest.
> > Thanks, and again, I apologize for rehashing old posts.
> > 
> > -----Original Message-----
> > From: joe [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, May 13, 2004 8:34 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] A root dc question
> > 
> > 
> > Wow this is like déjà vu, I swear we went through this whole thought 
> > process a month or two ago on here....
> > 
> > The quick summary (no I will not spout the whole thing, it should be 
> > in the archives) of what I recall
> > 
> > 1. An admin in any domain has the power of being an Enterprise Admin,
> > domains ARE NOT security boundaries. Each child domain should not have
> > different admins because that can result in chaos and possible 
> > danger to the entire forest.
> > 
> > 2. You can not do DR testing with just a child domain. 
> > 
> > 3. Either your corp IT has to be involved with your DR testing or 
> > you should redesign into multiple forests.
> > 
> > 
> > 
> >  
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
> > Sent: Wednesday, May 12, 2004 4:37 PM
> > To: ActiveDir (E-mail)
> > Subject: [ActiveDir] A root dc question
> > 
> > My apologies if this seems basic and/or silly.
> > 
> > 
> > Aside from creating new domains or modifying the schema, why would 
> > an admin need access to the root DC of a forest (the schema and domain 
> > naming master)?
> > Furthermore, why would an admin in a child domain need enterprise 
> > admin privileges?
> > 
> > I only ask because we had issues with our test DR run wherein we 
> > didn't have access to the root domain and/or a test root domain 
> > VMware'd on a laptop, and it ended miserably.
> > I am in the process of convincing the higher-ups in my corp of 
> > letting our IT dept have enterprise admin access.
> > I'd like to make a case for us as to why we would need this account, 
> > with concrete examples (aside from the DR one), ones that a semi tech 
> > aware CIO could relate to.
> > What other compelling reasons would one need these rights for in day 
> > to day (or not so day to day) AD administration?
> > 
> > We are a multi-domain (14) Win2k forest in mixed mode with Exchange 2k 
> > in native mode.
> > 
> > Thank you in advance for any assistance.
> > List info   : http://www.activedir.org/mail_list.htm
> > List FAQ    : http://www.activedir.org/list_faq.htm
> > List archive: 
> > http://www.mail-archive.com/activedir%40mail.activedir.org/