joe wrote:

Ah I ran into your posts in the newsgroups. I responded some there.

To further some of the info given previously, it is possible that some sort
of LSASS injection is being used in one or more products, however, that
doesn't mean this is a supported mechanism. Doing so *could* put your DCs or
worse, your customers' DCs in a state that MS will not support, which is the
last thing you want to hear when your directory is sitting on the floor due
to corruption or some other issue that you cannot correct yourself or,
possibly even worse, performing in an inconsistent manner for performance or
functionality. The fact that it is forcefully slamming code into a system
owned process that isn't supposed to be modified by user mode apps and
executing that code, say like a virus/worm/trojan/rootkit or any number of
things we consider bad, would tend to give it a challenging start towards
support, IMO. Possibly someone from NetPro, Quest, or Microsoft could
comment further if they understand and are able to speak about the
mechanisms and their supported state.
As mentioned in the newsgroups, when I last chatted with the NetPro folks
over a year ago about how they were grabbing some info, they mentioned Event
Tracing. I believe you have some info on it but are not impressed by the
volume of info available. Again, as I mentioned in the newsgroups, it isn't
a popular interface in terms of people asking about it, and those who have
figured it out most likely did so to make money and aren't really going to
just spill all the details because someone wants to duplicate their
capability.

Sorry about the delay in replying... my laptop's hard drive died and then the next day my house got struck by lightning and a bunch of equipment got fried via the CAT5 wiring and the coax cable coming in from the satellite dish. It seems that a direct strike to the DirecTV dish resulted in a nice surge going through the coax to a wall plate that is shared with a telephone line and a CAT5 jack. The surge then arced over into the CAT5 line in the wall and proceeded to fry my 10/100 switch as well as damaging several pieces of equipment attached to the switch. As all of this happened, the A/C power didn't even vary enough to cause a flicker in the lights, and not one of my UPS units so much as chirped even once during the whole event.

Anyway, I'm continuing to research the event monitoring to see if there are more details available to be found about how to use it and whether or not there are any AD-related events that can be monitored. I'm actually not interested in competing with auditing tools in what I'm trying to do. This is for some near real-time provisioning work and workflow management that needs to be done based on changes to objects & their attributes in AD.

I understand the support issues associated with LSASS code injection and how it is possible to take down a DC or even a whole tree as a result of a bug in the code. Quest Software actually sends out their own technical staff to do the installation of their auditing & lock-down product "Change Manager for Active Directory", so there are definitely some liability issues involved when the software is improperly installed & configured.


--
Chuck Chopp

ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com

RTFM Consulting Services Inc.     864 801 2795 voice & voicemail
103 Autumn Hill Road              864 801 2774 fax
Greer, SC  29651

Do not send me unsolicited commercial email.
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/