I would first recommend that the DAs manage the shares.
Most likely you will need a project type share and home drive share. So you set
up shares called Proj and U which map directly to the appropriate folders in the
OS of PROJ and U which are on a disk that has nothing to do with the OS or AD.
You grant everyone FC on those shares[1]. Then the
filesystem gets FC for the local admin at the root of those two folders.
He/She then adds new folders as necessary and grants the required rights to
those folders. No need for ability to manipulate shares nor log onto the server
locally.
The caching only DC is called the RO-DC: Read-Only DC. At
this point in time I would say it should be no different. No one can answer for
sure until we see the actual implementation and people outside of MS start
figuring out the holes that exist. Anyone who thinks that having an RO-DC (or
the other chatter about "separation" between admin and DA) means your issues
with administrator/DA separation are really solved is probably going to be
quite surprised to find that not to be the case. I would be extremely
happy if this is corrected, but I really don't expect anything near it. In
fact, I do not foresee anytime in the near future a time when you can allow
non-trusted people to have local access to your DCs. The security model is just
such that you can't guarantee anything.
ADAM is a step closer to this lockdown, but ADAM is much
more secure by default than AD due to better default SDs and lack of a bunch of
the "junk" that has been bolted onto AD. Many of the same tricks won't
work to compromise it. In fact, the only way I can think of off the top of
my head for a local admin to do anything other than blow away a properly
secured ADAM instance they don't have access to is to do a raw DIT edit. I
could be wrong as I haven't done a real intensive sit down and think about it
exercise, but I expect I am right.
joe
[1] I hate, literally hate, setting up different perms on
the share and the file system. Most admins can't figure out what is screwed up
when something gets screwed up when that is in place.
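The share/file-system split joe describes (Domain Admins own the two shares, everyone gets Full Control at the share level, the site admin gets Full Control at the NTFS root and does everything else from there) written out in PowerShell. This is an added example, not code from the original thread or from any of its participants. Everything specific in it is assumed for illustration: it runs as a Domain Admin on a member file server (not the DC), the data volume is D:, the site admin group is the made-up CORP\Site-FileAdmins, and the SmbShare module (Windows Server 2012 and later) is available.

```powershell
# Added example, not from the original thread: joe's model in PowerShell.
# Domain Admins own the two shares; the site's admin owns the NTFS root.
# Assumptions (all made up for this example): run as a Domain Admin on a
# member file server (not the DC), the data volume is D:, the site admin
# group is CORP\Site-FileAdmins, and the SmbShare module is available.

$roots     = @{ 'Proj' = 'D:\PROJ'; 'U' = 'D:\U' }   # share name -> folder
$siteAdmin = 'CORP\Site-FileAdmins'                   # assumed group name

foreach ($shareName in $roots.Keys) {
    $path = $roots[$shareName]
    if (-not (Test-Path -Path $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }

    # 1. Share permission: Everyone = Full Control. Every real decision is made
    #    once, in NTFS, so there is no second permission set to reconcile when
    #    something breaks (joe's footnote).
    if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $shareName -Path $path -FullAccess 'Everyone' | Out-Null
    }

    # 2. NTFS root: stop inheriting from D:\, drop the explicit ACEs that are
    #    there, then grant Full Control only to SYSTEM, Administrators and the
    #    site admin. Inherited ACEs are discarded when the ACL is written back.
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($ace) | Out-Null
    }
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($principal in @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $siteAdmin)) {
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                           -ArgumentList $principal, $full, $inherit, $prop, 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl
}

# Check the result: the share ACL shows only Everyone/Full; the NTFS root shows
# the three explicit ACEs and nothing inherited. Subfolders and their rights are
# the site admin's job from here on; nobody needs share rights or local logon.
Get-SmbShareAccess -Name 'Proj' | Format-Table -Property AccountName, AccessRight
(Get-Acl -Path 'D:\PROJ').Access |
    Format-Table -Property IdentityReference, FileSystemRights, IsInherited
```

Two things worth checking after running it. First, the effective permission on any file is the intersection of share and NTFS rights, so with Everyone/Full on the share it is the NTFS ACL alone that you read when troubleshooting. Second, the root ACL above gives ordinary users nothing at all; the site admin grants rights on the subfolders they create, and may also want to give users List folder contents on the root so they can browse to those subfolders rather than having to type the full UNC path.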
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 22, 2005 3:37 PM
To: [email protected]
Subject: RE: [ActiveDir] Domain Controller Security

Most of the answers to Fred's business need deal with the security issue of the
domain: valid, certainly, but if the contractor really has a need to access
files & shares, how would he do it? Seems this DC is the sole site server and
acting as a file server in addition to its DC duties. Short of buying another
server, an idea I read about on this list was to install VM software and run
the file services as a virtual server. Anybody tried that? And in the 3k R2
world, if that DC were a "caching-only" DC, does that change the situation?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf

When Windows 2000 first came out the domain was thought of as the security
boundary, and Microsoft even stated that in documentation, books and
certifications. Through the course of using AD there were a few things that
came to light as some talented and curious folks started noticing things, and
that has led to the security boundary stance being revised. The original
statement was a mistake and I believe Microsoft has recognized and admitted
that. Any up-to-date documentation will reflect the notion of the forest being
the security boundary. I don't think anyone is going to get into how privilege
escalation can be done; I know I certainly won't get into it other than to make
people aware that it is possible.

Phil

On 9/22/05, DeStefano, Dan <[EMAIL PROTECTED]> wrote:

I thought that in AD, domains are considered security boundaries. In the cert
exams, namely the 70-219, they are considered as such. Also, how would a domain
admin of a child domain elevate his privileges?

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf

Even as a domain admin of a child domain they will still be able to munge your
forest or elevate their privileges. The security boundary in AD is at the
forest, not the domain.

Phil

On 9/22/05, Gideon Ashcraft <[EMAIL PROTECTED]> wrote:

The only thing to do is to make him an admin of that
site, or better yet make that site a child domain and make him a domain admin of
that child domain. I know from experience that using a DC as anything but a DC
is a freakin' pain in the ass; my predecessor set a DC up as a print/file server
and another as a SQL server (finally able to demote that one now, soon
hopefully). But my Citrix profiles are on the domain controller, and after
months of trying to set delegation up properly in AD and setting up permissions
in the appropriate folders on the DC, the only way I was able to get my Helpdesk
admin set up to create accounts with my scripts, so that I didn't have to do it,
was to make him a domain admin. My company is too damn cheap to get me another
server to put the Citrix profiles somewhere else. Oh yeah, and it's an app
server for network install of Office (can you feel my pain).

So, if there is only one server in the site and it's a DC, the only way to get
him to do anything is to make him a domain admin (make it a child domain so he
can't climb up the tree).

Gideon Ashcraft
Network Admin
Screen Actors Guild

Look through the archives. The short answer is... "Just don't do it". You can't
possibly secure this regardless of what anyone says. If someone says it can be
made safe, stop asking them technical questions about Domain Controllers and
Active Directory. Either you trust the person or you don't. If you don't trust
the person, then don't put the person in a position to show you the meaning of
screwed.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of van Donk, Fred

I have a contractor in a remote site. There is only 1 server in that site, which
is a DC. He needs to administer that server:

- Create shares
- Make file/share permissions
- Change user passwords in the User OU for that site.

He is not allowed to log on to any other server in the domain. When I make him
a "Server Operator" he can log on to any server in the domain. Any idea on how
to lock him down to that one server, and then how to lock him down on that one
OU where he should only be allowed to change the passwords of the users?

Thanks!
Fred

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
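Of Fred's three requirements, only the last one (reset passwords in the site's User OU and nothing else) has a clean answer in AD itself, and it is the part Gideon's post says he gave up on: delegate the "Reset Password" extended right and write access to pwdLastSet, inherited only onto user objects under that one OU. The block below does exactly that and is an added example, not code from the original thread or from any of its participants. The OU distinguished name, the group name and the assumption that the ActiveDirectory PowerShell module (RSAT) is installed are all made up for illustration; the three GUIDs are the well-known schema and extended-right identifiers that the "Reset user passwords and force password change at next logon" delegation task uses.

```powershell
# Added example, not from the original thread: delegate only password resets
# on the site's User OU, the way the "Reset user passwords and force password
# change at next logon" delegation task does, without giving the contractor
# any other rights there. Assumptions (made up for this example): the
# ActiveDirectory module (RSAT) is installed, the OU is
# OU=Users,OU=RemoteSite,DC=corp,DC=example, and the contractor is the only
# member of the domain group RemoteSite-PwdReset.
Import-Module ActiveDirectory

$ouDN  = 'OU=Users,OU=RemoteSite,DC=corp,DC=example'   # assumed OU
$group = 'RemoteSite-PwdReset'                          # assumed group
$sid   = (Get-ADGroup -Identity $group).SID

# Well-known GUIDs from the AD schema / extended rights (the same in every forest).
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" control access right
$pwdLastSetAttr     = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class

$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl -Path "AD:\$ouDN"

# ACE 1: the Reset Password extended right, inherited only by user objects
# below the OU (InheritedObjectType = user class), never by the OU itself.
$resetArgs = @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow,
    $resetPasswordRight,
    $inherit,
    $userClass
)
$acl.AddAccessRule((New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $resetArgs))

# ACE 2: write pwdLastSet on those same user objects, so "user must change
# password at next logon" can be set after the reset. Nothing else is granted.
$pwdLastSetArgs = @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    $allow,
    $pwdLastSetAttr,
    $inherit,
    $userClass
)
$acl.AddAccessRule((New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $pwdLastSetArgs))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check: the group should hold exactly these two ACEs on the OU and nothing else.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$group" } |
    Format-Table -Property ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Two caveats a practitioner should keep in mind. First, this delegation does not reach accounts that are members of protected groups (Domain Admins, Server Operators and the rest): the AdminSDHolder/SDProp process rewrites their security descriptors, so a privileged account sitting in that OU stays out of the contractor's reach, which is the behaviour you want. Second, it addresses only the OU part of Fred's question. It does nothing about the "administer that one server" part, and when that server is a DC the rest of this thread is the answer: there is no delegation or group membership that makes local administrative access to a domain controller safe for someone you do not trust.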