The issue is caused by the remote session option. When used it allows a remote session on the server as local system! I have full admin rights over the IBM Director implementation. Which includes servers from the parent domain. Need I say more?
 
 
 
M@

 
On 02/04/06, Matheesha Weerasinghe <[EMAIL PROTECTED]> wrote:

Guess what. Not yet! But it's out of my hands and the security team will decide how to pursue this.

 

M@


> From: [EMAIL PROTECTED]

> Subject: RE: [ActiveDir] Monitoring DC's
> Date: Sun, 2 Apr 2006 14:54:23 -0400

>
> Yes that should be scary. Did you guys change anything as a result? 
>
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm 
>  
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto: [EMAIL PROTECTED]] On Behalf Of matheesha
> weerasinghe
> Sent: Monday, March 13, 2006 5:31 AM
> To:  [email protected]
> Subject: Re: [ActiveDir] Monitoring DC's
>
> No kidding. Here at my work place we once needed access to the enterprise
> admin password but the safe was not accessible as the building was damaged
> and not safe to enter. The chap remotely connected to the network and used
> IBM Director to reset the password of the root administrator account! I
> didn't know such a feature existed (I think the agent runs as local system),
> and he was only a domain admin of the child domain but hey that was scary!
>
> M@
>
> On 10/03/06, joe < [EMAIL PROTECTED]> wrote:
> > The moment you put the Tivoli agent (or MOM or SMS or AV or whatever) 
> > on a single DC, whoever admins the foreign application is now 
> > effectively a domain/enterprise admin as well. Any attack vectors into 
> > their monitoring servers, etc are now all vectors into the core of 
> > your security for the Enterprise. Basically you could have the 
> > greatest security practices in the world (barring this one) for your 
> > DCs and then some bonehead move over on the monitoring platform 
> > (because it isn't quite as critical to be secure, it is ONLY watching...)
> > and bam you can be utterly compromised.
> >
> >   joe
> >
> >
> > --
> > O'Reilly Active Directory Third Edition - 
> >  http://www.joeware.net/win/ad3e.htm
> >
> >
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive:  http://www.mail-archive.com/activedir%40mail.activedir.org/


