>> And, Rick, thanks a bunch for your late-night assistance. I owe you one.

>And I don't even want to know what this is about...
 
Now this is one heck of a dirty mind.. ;-)

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, March 21, 2005 9:36 PM
To: [email protected]
Subject: RE: [ActiveDir] Have fun at DEC

I not only had fun at DEC, I learnt so many things. Aside from being around the usual suspects (Hi, Dean! Hi, Joe! Hi, Rick!), I got to meet Jorge, Hunter, Alain and a host of other people.

Then I came away with 2 of the most eye-opening lessons to-date in my professional life:

You can't cram a "security" discussion into a 75-minute presentation :)
There is an inverse relationship between the number of admins and the security of your network - the higher the number of admins, the lower the security.

Gil and the rest of the DEC crews are some of the most gracious hosts I have ever had the pleasure of being associated with - and I am grateful for the opportunity.

And, Rick, thanks a bunch for your late-night assistance. I owe you one.
 
Sincerely,

Deji Akomolafe, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of joe
Sent: Mon 3/21/2005 5:42 PM
To: [email protected]
Subject: RE: [ActiveDir] Have fun at DEC



Hey now, Dean and I actually weren't on the admin teams. We were wandering consultants. We initially had been under the understanding that it was a hacking session and we are under constraints about showing off tricks like that so we excused ourselves from the competition. Gil asked us just to walk around and check out what was going on.

Once we realized it was a break-fix with users trying to take advantage of a poorly configured system Dean jumped in a little more but still didn't get to do what he wanted.

Had we been on the admin team, the first thing we would have done is make it so no one could connect remotely to the DCs and secured them, then opened them up. That would have made the whole experiment go about 6 or so minutes with reboots as I saw no fancy hacking going on. You probably heard us up there saying, cut the users off at the knees, drop the services so you can secure. Secure environment #1, users getting access to resources #2. It was funny because as soon as Stuart (Kwan of the Ottawa Kwan Clan) walked up the first thing he was saying was screw the users, lock down as well.

Dean spent most of his time pointing out how to fix broken things like DNS and replication and such as well as saying disable all of the users. I spent the time getting beers, explaining what tools were on the CD (did poorly at that as I didn't recognize many of them), correcting command line commands, and saying drop the network!!!

The lab environment was set up pretty poorly as the VMs that were hosting the DCs were configured to auto-rollback changes so every time the systems rebooted, everything the admin team had done was rolled back. Also the person who set up the hosts neglected to set a password on the host so people could attack the host directly which I understand was outside the scope of the test.

Dean had the perfect solution right up front... Dump users, groups, OU structures to LDIF files, demote the forest, repromote the forest, reimport the users/groups/structures. That would have cleared up nearly all of the screwups and wouldn't have left any openings for the users errr hackers unless they could get on the physical box which they couldn't do.

It was extremely interesting though to see the various viewpoints. There was a rather stark line between many of the people where it was get the services running versus lock the environment down. I have no problem telling a user to go screw off if there is a security issue. Between fixing security and making users run I will almost always go to the side of security because if you don't have security, you can't guarantee the quality of the information in your system which is a poor place to be for an authentication system. Plus if it is insecure, you can't even guarantee the services very well. ;oP

I wouldn't say anyone actually won the competition.

That last part about the schema being messed up was Dean having fun. He pulled one of his tricks but didn't really let anyone see how he did it. It was just to show that yes, there are ways you can really hurt yourself bad or be hurt bad. Nothing in that test was anywhere near that level of danger.


   joe
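
Added example, not part of joe's message and not code from anyone in the thread: a check that could sit between the LDIF dump and the re-import described above, flagging members of privileged groups that are not on an approved list so they are reviewed rather than carried into the rebuilt forest. The group names, DNs, approved list and sample export are constructed for illustration; the parser handles only folded lines, comments and base64 values.

```python
import base64
import re

PRIVILEGED = {"administrators", "domain admins", "enterprise admins", "schema admins"}

def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} records."""
    text = re.sub(r"\r?\n ", "", text)        # unfold continuation lines
    records, current = [], {}
    for line in text.splitlines() + [""]:     # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
        elif not line.startswith("#"):        # skip LDIF comments
            attr, _, value = line.partition(":")
            if value.startswith(":"):         # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.setdefault(attr.lower(), []).append(value.strip())
    return records

def cn_of(dn):
    """Lower-cased value of the first RDN (assumes no escaped commas in it)."""
    return dn.split(",", 1)[0].partition("=")[2].strip().lower()

def unexpected_privileged_members(records, approved_dns):
    """Return (group, member DN) pairs for privileged members not on the approved list."""
    approved = {dn.lower() for dn in approved_dns}
    findings = []
    for rec in records:
        group = cn_of(rec.get("dn", [""])[0])
        if group in PRIVILEGED:
            findings += [(group, m) for m in rec.get("member", []) if m.lower() not in approved]
    return findings

_B64 = base64.b64encode(b"CN=tmp2,CN=Users,DC=lab,DC=test").decode()
SAMPLE_LDIF = "\n".join([                     # constructed export, hypothetical names
    "dn: CN=Domain Admins,CN=Users,DC=lab,DC=test",
    "member: CN=Alice Admin,OU=IT,DC=lab,DC=test",
    "member: CN=tmp1,CN=Users,DC=lab,", " DC=test", "",      # folded value
    "dn: CN=Administrators,CN=Builtin,DC=lab,DC=test",
    "member: CN=Domain Admins,CN=Users,DC=lab,DC=test",
    "member:: " + _B64,
])
APPROVED = ["CN=Alice Admin,OU=IT,DC=lab,DC=test", "CN=Domain Admins,CN=Users,DC=lab,DC=test"]

if __name__ == "__main__":
    for group, member in unexpected_privileged_members(parse_ldif(SAMPLE_LDIF), APPROVED):
        print(f"REVIEW before re-import: {member} is in {group}")
```
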




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Monday, March 21, 2005 7:45 PM
To: [email protected]
Subject: RE: [ActiveDir] Have fun at DEC

Fun at DEC?

Yeahh it was fun. It was also great to meet Gil, Guido, Dean, Joe, Rick and Deji in person.
No chicken as I hoped for, but a t-shirt (that not even said "I went to DEC to get a rubber chicken but all I got was this lousy t-shirt") and we also got a bag. Gil was walking around with his bag that had a rope attached to it and the rubber chicken was hanging at the end of the rope.
We all heard the rubber chicken "cry" (hee.. I would cry if I had a rope around my neck! ;-)) ) on Monday during the "AD all night" session. By the way.. that session was also fun. It all started with 4 environments and each environment contained 1 forest and 1 domain with 2 DCs some wireless network stuff, an ADMINS team and a USERS team. In each environment security (whatever you could think of!!!) was really screwed! The admins (a complete team of people incl. Dean, Joe, Rick and Deji) had about 15 min. to correct all security screw-ups they could. After that the users came in and started working on the network using laptops with all kinds of hacking tools. We were supposed to wait 15 min. but we (I) didn't (hey a hacker doesn't wait until your network is safe and all security vulnerabilities are solved by you! So we didn't either). While the admins were searching and solving all vulnerabilities I already created two user accounts anonymously and added those to the administrators and domain admins groups. After we created the accounts we thought we should wait a bit so the admins had the chance to do some work. We also hoped they didn't find the accounts.... Crap that didn't work as we afterwards wanted to delete all kinds of things in AD to screw it up as bad as possible. The caveat was that if some admin found us screwing around and he could prove we did the damage the user got fired. If a user screwed up something and an admin did not prevent it the admin got fired.
I still don't know who did it, but after a while both DCs started rebooting and rebooting. The admins shut down the wireless network appliances so they couldn't be attacked. We as users started complaining about that we could do our work and that the SLA sucked..... ;-)) The DCs were not physically secured (hey that's also important!) and one of the users pulled the power plug of the DCs and those went down... The user was caught in the act and got fired. The admin that was responsible got demoted.... From admin to user! Hahaha. That wasn't also bad because that admin also knew all the passwords. As soon as we knew the password of the administrator account we tried again to screw it up. After a while everything was closed down to maximum security (at least I think it was as we were not able to do anything). Better yet the admins couldn't do much either because the DC was so screwed it didn't even know it had a schema (or something like that). ;-))

Again: great session!

Hope to attend again next year

Cheers
Jorge

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 18, 2005 09:15
To: [email protected]
Subject: RE: [ActiveDir] Have fun at DEC

At least I heard the chicken this year, I never had heard it. I was pretty well toasted at the time and thought a goose was running around the conference room.

  joe

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Saturday, March 12, 2005 11:20 AM
To: [email protected]
Subject: RE: [ActiveDir] Have fun at DEC

I believe I am the proud owner of the last DEC chicken.  Gil gave it to me at DEC in Ontario.

Sure wish I could have made it to DEC this year.

Dan

> -------- Original Message --------
> Subject: RE: [ActiveDir] Have fun at DEC
> From: "joe" <[EMAIL PROTECTED]>
> Date: Fri, March 11, 2005 5:16 pm
> To: [email protected]
>
> Unfortunately Gil doesn't do that anymore. He did the last chicken I
> think 2 years back I think. I know for sure he didn't do one last year.
>
> He needs T-Shirts that say...
>
> I went to DEC to get a rubber chicken but all I got was this lousy t-shirt.
>
>
>   joe
>
> 
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
> Sent: Friday, March 11, 2005 6:51 PM
> To: [email protected]
> Subject: [ActiveDir] Have fun at DEC
>
> For all you folks who are going to DEC, have a great time and good 
> luck getting the rubber chicken.
>
> Phil (re-subscribed with new address)
>
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.