___________________________
Neil Ruston
Global Technical Infrastructure
Nomura International plc
Telephone: +44 (0) 20 7521 3481
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Kamlesh Parmar
Sent: 23 September 2005 12:12
To: [email protected]
Subject: Re: [ActiveDir] Domain Controller SecurityAs I mentioned It's not possible for me to not allow local site guys to login locally to DC, at least for a small period, till we automate most of the system maintenance like sysstate backup and AV updates check etc.. And I am not saying that we don't trust them, They have physical access to DC, so if they want to, they can become the enterprise admin through hacks available on net. (which we counter by extensive physical security).
What surprised me, is possibility of remote compromise using normal user local login, which can be extended through terminal services.I have extensive auditing enabled. And I am daily monitoring the group membership changes for enterprise admins, schema admins, domain admins, server operators, backup operators, etc.as far as I know, that would be the first thing, unauthorised access will try to do, i.e. elevate their rights within system.Is this sufficient? is there any other attack symptom, I should be monitoring DAILY?I have already raised the concern with our ADS migration PM, and to get more info from our TAM.But, if I just ask him, what is the possibility of AD compromise in case of normal user local login onto DC? I guess TAM is likely to play down the threat.I understand, experts' concern for not even talking about it in forum, in interests of community,as we don't know the intent of every subscriber.but I do feel, "this is a big issue, easily exploitable with little workaround to thwart it."You know, guys this has increased the priority for me to automate the maintenance stuff on urgency and remove the rights for local login on DCs. It will be hard for me to explain to them, why I am doing it, as I have very little facts. :(On 9/23/05, ASB <[EMAIL PROTECTED]> wrote:>>And knowing it, I can always take extra precautions.The knowing it consists of "don't do it, because you can't secure it"There are no extra precautions to take. Certainly, you can increase your auditing, but you could do that now without knowing anything else.>>basically, 25% more prepared and secure against this type of attack is better than 0%.The more people that know, the higher the potential of attack. And, as folks have pointed out, since there are no viable workarounds, it doesn't help anyone to have the number of potential attackers increased.
Call your TAM and see if he or she will provide enough details for you to feel comfortable.-ASBFAST, CHEAP, SECURE: Pick Any TWO
On 9/23/05, Kamlesh Parmar <[EMAIL PROTECTED] > wrote:I have to disagree a bit here...Certainly, obscuring of information is not the way to feel secure.If I don't know, how it is done, then how do I know, that I will be able to detect it, and trace it.
And knowing it, I can always take extra precautions. Which I think, better than not knowing it at all.basically, 25% more prepared and secure against this type of attack is better than 0%. and certainly it helps calibrate how much paranoid I have to be. :-)
I would like to know, how it is done, as our team is currently migrating some good number of domains to single domain. And we are going to give local guys rights to logon to DC for some system maintenance purposes, till final single domain is cleaned up and we revert back to core team for day-to-day maintenance.So I am very much interested in knowing it.On 9/23/05, joe <[EMAIL PROTECTED]> wrote:The docs are wrong. Many of us have been hounding MS on this for years. They really started straightening out docs with K3. Some of the older 2K docs still suggest this security boundary at the domain. It really came to a head when Lucent put out a paper on this and it started getting quoted in the newsgroups and some of us just flamed the crap out of it.No one here or anywhere should really publish how to exploit rights on a DC to take over a forest. The answer is pretty self-evident if someone understands the underpinnings and processes used in AD and since we can't fully protect against it, it is better left undocumented. If there was a guaranteed safe way to protect ourselves, then we could publish that workaround and some time later publish the issue.joe
From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of DeStefano, Dan
Sent: Thursday, September 22, 2005 2:09 PM
To: [email protected]
Subject: RE: [ActiveDir] Domain Controller Security
I thought that in ad domains are considered security boundaries. In the cert exams, namely the 70-219, they are considered as such. Also, how would a domain admin of a child domain elevate his privileges?
Dan
From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Thursday, September 22, 2005 1:28 PM
To: [email protected]
Subject: Re: [ActiveDir] Domain Controller Security
Even as a domain admin of a Child domain they will still be able to munge your forest or elevate their priviledges. The security boundary in AD is at the forest, not the domain.
Phil
On 9/22/05, Gideon Ashcraft < [EMAIL PROTECTED]> wrote:
The only thing to do is to make him an admin of that site, or better yet make that site a child domain and make him a domain admin of that child domain. I know from experience that using a DC as anything but a DC is a freakin pain in the ass, my predecessor set a DC up as a print/file server and another as a SQL server (finally able to demote that one now, soon hopefully). But my citrix profiles are on the domain controller, and after months of trying to set delegation up properly in AD and setting up permissions in the appropriate folders on the DC, the only way I was able to get my Helpdesk admin set up to create accounts with my scripts so that I didn't have to do it was to make him a domain admin. My company is too damn cheap to get me another server to put the citrix profiles somewhere else. Oh yeah, and its an app server for network install of office (can you feel my pain).
So, if there is only one server in the site and its a DC, the only way to get him to do anything is to make him a domain admin (make it a child domain so he can't climb up the tree)
Gideon Ashcraft
Network Admin
Screen Actors Guild
ct: RE: [ActiveDir] Domain Controller SecurityLook through the archives.
The short answer is... "Just don't do it". You can't possibly secure this regardless of what anyone says. If someone says it can be made safe, stop asking them technical questions about Domain Controllers and Active Directory.
Either you trust the person or you don't. If you don't trust the person, then don't put the person in a position to show you the meaning of screwed.
From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of van Donk, Fred
Sent: Tuesday, September 20, 2005 4:52 PM
To: [email protected]
Subject: [ActiveDir] Domain Controller Security
I have a contractor in a remote site. There is only 1 server in that site which is a DC.
He needs to administer that server.
-Create shares
-Make file/share permissions
-Change user passwords in the User OU for that site.
He is not allowed to log on to any other server is the domain.
When I make him a "Server Operator" he can logon to any server in the domain.
Any idea on how to lock him down to that one server and then how to lock him down on that one OU where he should only be allowed to change the passwords of the users.
Thanks!
Fred
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Fortune and Love befriend the bold"
~~~~~~~~~~~~~~~~~~~~~~~~~~~
