Yeah, I love/hate that guy....
> From: joe <[EMAIL PROTECTED]>
> Reply-To: <[EMAIL PROTECTED]>
> Date: Thu, 27 May 2004 19:22:10 -0400
> To: <[EMAIL PROTECTED]>
> Subject: RE: [ActiveDir] Domain Controller Security...
>
> Nope but it doesn't matter. If they can install a service (or replace a file
> a service uses) they have too much power, let alone schedule a task. Heck
> when you get down to it, physical access to the box is all that is needed
> but we try to forget that one or else no one would ever put a DC anywhere
> but within their eyesight and then only in a sealed room with 4 locks on
> steel doors.
>
> The whole thing as we have pointed out time and again is trust and
> compensating controls. You will never be 100% secure, what you do is try to
> make as few concessions as you possibly can. Not allowing people normal
> interactive access or the ability to write to the disk system is one layer
> that I absolutely recommend for Domain Controllers. Also don't recommend
> giving hardly anyone access to AD via builtin groups such as acc op and
> admin and dom admin, etc. Again, this can be compromised but it does require
> even more intent and knowledge to pull off. Also you don't accidentally get
> viruses and other things running on DCs you shouldn't have there.
>
> I am actually waiting for the offline password editor dude who makes the
> bootable floppy/cd to do the next logical step to help get onto 2K+ Domain
> Controllers. That guy is bright, I am actually surprised he hasn't gone
> ahead and done it already.
>
> joe
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Monday, May 24, 2004 6:26 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Domain Controller Security...
>
> You can restrict access to Task Scheduler using GPO (Admin Templates\Windows
> Components\Task Scheduler) and by changing permissions on %SYSTEMROOT%\Tasks
> folder, but there are other ways around.
>
> BTW, I remember reading somewhere that "at" command uses old style API which
> is not enforced by GPO, and therefore the only way around is to change the
> ACL on Tasks folder. Anyone remember the details?
>
> Guy
>
> On Mon, 2004-05-24 at 14:44, Roger Seielstad wrote:
>> The problem, as you're most likely aware, is that server admins have
>> access to the Task Scheduler, which means they can kick things off as
>> LocalSystem, which means the DC is then 0wn3d.(owned)
>>
>> Not sure what I'd do in your shoes. I'm fortunate enough to have
>> really good IT folk in my remote locations with DCs. I'm also
>> fortunate enough to be 6'5" tall, built like an NFL lineman, and have
>> an expense account with which I can purchase plane tickets to their
>> location to engage in what my ex-Army junior admin refers to as "wall to
>> wall counseling."
>>
>> Roger
>> --------------------------------------------------------------
>> Roger D. Seielstad - MTS MCSE MS-MVP
>> Sr. Systems Administrator
>> Inovis Inc.
>>
>>> -----Original Message-----
>>> From: Chris Lynch [mailto:[EMAIL PROTECTED]
>>> Sent: Friday, May 21, 2004 5:11 PM
>>> To: [EMAIL PROTECTED]
>>> Subject: RE: [ActiveDir] Domain Controller Security...
>>>
>>> I know. I agree that this isn't good security practice. I wouldn't
>>> recommend this as well. But, for the lack of space in most
>>> locations (and we are only talking about 4 locations), we would just
>>> like to give the local tech access to that DC only and no other DC
>>> in the domain. I can restrict them to log onto that DC local to
>>> them only (via GPO). I might just give them Server Operators
>>> rights, restrict them to log onto that DC only, and call it a day.
>>>
>>> Thanks,
>>>
>>> Chris
>>>
>>>> -----Original Message-----
>>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
>>>> Sent: Friday, May 21, 2004 10:19 AM
>>>> To: [EMAIL PROTECTED]
>>>> Subject: RE: [ActiveDir] Domain Controller Security...
>>>>
>>>> True... I musta read half the question (again).
>>>>
>>>> --------------------------------------------------------------
>>>> Roger D. Seielstad - MTS MCSE MS-MVP
>>>> Sr. Systems Administrator
>>>> Inovis Inc.
>>>>
>>>>> -----Original Message-----
>>>>> From: joe [mailto:[EMAIL PROTECTED]
>>>>> Sent: Friday, May 21, 2004 12:41 PM
>>>>> To: [EMAIL PROTECTED]
>>>>> Subject: RE: [ActiveDir] Domain Controller Security...
>>>>>
>>>>> I am not sure that fits his requirements for this one...
>>>>>
>>>>> Sounds like he is file sharing from the DC (not something I personally
>>>>> recommend) and obviously it would be a bit much to dcpromo down
>>>>> and back up to add a new share.
>>>>>
>>>>> joe
>>>>>
>>>>> -----Original Message-----
>>>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
>>>>> Sent: Friday, May 21, 2004 11:54 AM
>>>>> To: [EMAIL PROTECTED]
>>>>> Subject: RE: [ActiveDir] Domain Controller Security...
>>>>>
>>>>> I like Joe Richard's option - DCPromo it out, let the tech work on it,
>>>>> and DCPromo it back in
>>>>>
>>>>> --------------------------------------------------------------
>>>>> Roger D. Seielstad - MTS MCSE MS-MVP
>>>>> Sr. Systems Administrator
>>>>> Inovis Inc.
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Chris Lynch [mailto:[EMAIL PROTECTED]
>>>>>> Sent: Friday, May 21, 2004 11:27 AM
>>>>>> To: [EMAIL PROTECTED]
>>>>>> Subject: [ActiveDir] Domain Controller Security...
>>>>>>
>>>>>> I'm wondering if anyone has accomplished the following:
>>>>>>
>>>>>> Provided different security policies to multiple DC's within the same
>>>>>> domain, but different OU's for field techs to manage resources on just
>>>>>> that DC without giving Server Operators rights.
>>>>>>
>>>>>> I have almost all of the requirements resolved, except the ability to
>>>>>> create shares. I have modified the security on the
>>>>>> HKLM\System\CurrentControlSet\Services\LanManserver and
>>>>>> HKLM\System\ControlSet001\Services\LanManserver with no success.
>>>>>> Every document I have read about where the share definitions are
>>>>>> stored says they are located in these two reg keys.
>>>>>>
>>>>>> I know the simple way would be to deploy another server to
>>>>>> that location and give them local Administrator rights. But,
>>>>>> management doesn't want to do this.
>>>>>>
>>>>>> Thanks for any input,
>>>>>>
>>>>>> Chris Lynch

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
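Added example, not from the thread or any of its posters: a PowerShell audit of the two locations the thread argues over, the %SYSTEMROOT%\Tasks folder and the LanManServer service key under HKLM, listing every principal outside a small trusted set that holds write-capable rights there. It assumes a modern Windows host with the Get-Acl cmdlet and is run elevated; the trusted identity names and the rights pattern are the author's choices, not anything prescribed by the thread.

```powershell
# Added example: report non-trusted identities with write-capable ACEs on the
# Task Scheduler folder and the LanManServer service key. Run elevated on the
# DC under review. Trusted set and rights pattern are assumptions for this check.
$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
# Named rights that allow adding or altering tasks / share definitions.
$WritePattern = 'FullControl|Modify|Write|CreateFiles|CreateDirectories|AppendData|' +
                'Delete|CreateSubKey|SetValue|ChangePermissions|TakeOwnership'

function Get-WriteCapableAce {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Path not found: $Path"
        return
    }
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Filesystem and registry ACEs expose their rights under different property names.
        $rights = if ($ace -is [System.Security.AccessControl.FileSystemAccessRule]) {
            $ace.FileSystemRights } else { $ace.RegistryRights }
        $rightsText = $rights.ToString()
        # Generic rights (e.g. GENERIC_WRITE) render as a bare number; flag them for
        # manual review instead of silently treating them as read-only.
        $isGeneric = $rightsText -match '^-?\d+$'
        if ($isGeneric -or $rightsText -match $WritePattern) {
            [pscustomobject]@{
                Path        = $Path
                Identity    = $ace.IdentityReference.Value
                Rights      = $rightsText
                Inherited   = $ace.IsInherited
                NeedsReview = $isGeneric
            }
        }
    }
}

$Targets = @(
    (Join-Path $env:SystemRoot 'Tasks'),                   # %SYSTEMROOT%\Tasks
    'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer'  # service key named in the thread
)
$Findings = foreach ($t in $Targets) {
    Get-WriteCapableAce -Path $t | Where-Object { $Trusted -notcontains $_.Identity }
}
if ($Findings) { $Findings | Format-Table -AutoSize }
else { 'No write-capable ACEs outside the trusted set.' }
```

Any row returned is a principal that can plant a task or change share definitions on that DC without needing Server Operators membership, which is the gap Guy and Roger describe; rows with NeedsReview set carry generic access masks and should be decoded by hand.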
