Absolutely concur. In fact, one of my recommendations to Microsoft for the RODCs that get admin delegation is to disallow domain admin interactive logons to them once administrator delegation is enabled. Anyone who allows non-DAs onto a DC and then still logs on with their DA ID is asking to be burned at some point. Even if MSFT does that, there is still a chance that the simple attempt at logging on will give the "bad guy" all the info they need to become Enterprise gods, which is the whole point of what RODCs are meant to protect against.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
_____

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Crawford, Scott
Sent: Tuesday, May 16, 2006 8:57 AM
To: [email protected]
Subject: RE: [ActiveDir] OT: Overriding local computer logon scripts - anyway to do it?

"what is stopping some server admin from putting in a logon script that adds a certain account as Enterprise Admin (booby trap)."

The same thing that prevents them from installing a keylogger or modifying any code on the system to do their nefarious deeds when a high-level account runs them: absolutely nothing. Login scripts are just one of many possible attack vectors. The point is, if you don't trust the code on a box or the admins that can put code on a box, then you should NEVER use your high-level accounts for accessing that box.

_____

From: [EMAIL PROTECTED] on behalf of Freddy HARTONO
Sent: Tue 5/16/2006 3:42 AM
To: [email protected]
Subject: [ActiveDir] OT: Overriding local computer logon scripts - anyway to do it?

Hi all,

I had just logged in to one of the print servers in my remote site, out of my usual scope, but the point is that the server has some logon scripts (local) associated with it. I am just concerned about the security aspect of it: what is stopping some server admin from putting in a logon script that adds a certain account as Enterprise Admin (booby trap)? I know the usual rule was not to log in to untrusted boxes... but is there a way to overcome such?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
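The thread's two practical points are (a) a local logon script or autorun hook runs as whoever logs on, so a booby-trapped member server can abuse a Domain Admin session, and (b) the real control is to keep Tier-0 accounts off such boxes, which Windows can enforce through the "Deny log on locally" and "Deny log on through Remote Desktop Services" user rights. The script below is an added example written for this page, not code from the thread or from any of its authors. It audits a member server for the local logon hooks Freddy was worried about and reports whether the Tier-0 groups are denied interactive and RDP logon on that host. It assumes it is run in an elevated PowerShell session on the server, that `$DomainNetbios` is the NetBIOS domain name, that the group names are the defaults, and that the local GPO script paths and Winlogon value names are the standard ones; the `Get-LocalLogonHooks` and `Get-Tier0LogonDenials` function names are this example's own.

```powershell
<#
Added example (not the thread's code). Audits a member server for local logon
hooks and checks that Tier-0 groups are denied interactive/RDP logon on it.
Assumptions: elevated session on the server; $DomainNetbios is the NetBIOS
domain name; default Tier-0 group names; standard local-GPO script paths.
A clean result does NOT make the box safe for a DA logon: domain-linked GPO
scripts, services, scheduled tasks and anything else an admin can plant are
not inspected here (Scott's point).
#>
param(
    [string]$DomainNetbios = $env:USERDOMAIN,
    [string[]]$Tier0Groups = @('Domain Admins', 'Enterprise Admins')
)

function Get-LocalLogonHooks {
    # Local Group Policy user logon scripts: classic (scripts.ini) and PowerShell (psscripts.ini)
    $logonDir = Join-Path $env:SystemRoot 'System32\GroupPolicy\User\Scripts\Logon'
    foreach ($ini in 'scripts.ini', 'psscripts.ini') {
        $path = Join-Path $logonDir $ini
        if (-not (Test-Path $path)) { continue }
        foreach ($line in Get-Content -Path $path) {
            $m = [regex]::Match($line, '^\d+CmdLine\s*=\s*(.+)$')
            if ($m.Success) {
                [pscustomobject]@{ Source = $path; Value = $m.Groups[1].Value }
            }
        }
    }
    # Machine-wide autoruns and Winlogon hooks also execute in the interactive user's context
    $autoruns = @(
        @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run';     Names = $null },
        @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'; Names = $null },
        @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Names = @('Userinit', 'Shell') }
    )
    foreach ($entry in $autoruns) {
        if (-not (Test-Path $entry.Key)) { continue }
        $key   = Get-Item -Path $entry.Key
        $names = if ($entry.Names) { $entry.Names } else { $key.GetValueNames() }
        foreach ($n in $names) {
            $v = $key.GetValue($n)
            if ($null -ne $v) {
                [pscustomobject]@{ Source = "$($entry.Key)\$n"; Value = [string]$v }
            }
        }
    }
}

function Get-Tier0LogonDenials {
    # Export the effective local security policy and parse the SeDeny*LogonRight lines
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $rights = @{}
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^(SeDeny\w+Right)\s*=\s*(.*)$') {
            # secedit writes SIDs prefixed with '*'; account names appear bare
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item -Path $cfg -Force -ErrorAction SilentlyContinue
    foreach ($g in $Tier0Groups) {
        $account = "$DomainNetbios\$g"
        $sid = ([System.Security.Principal.NTAccount]$account).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
            $entries = @($rights[$right])
            [pscustomobject]@{
                Group  = $account
                Right  = $right
                Denied = ($entries -contains $sid) -or ($entries -contains $account)
            }
        }
    }
}

Write-Host '== Local logon hooks on this host (each runs as whoever logs on) =='
Get-LocalLogonHooks | Format-Table -AutoSize

Write-Host '== Tier-0 deny-logon rights on this host =='
$denials = Get-Tier0LogonDenials
$denials | Format-Table -AutoSize
if ($denials | Where-Object { -not $_.Denied }) {
    Write-Warning ("At least one Tier-0 group can still log on here. Add it to 'Deny log on locally' and " +
                   "'Deny log on through Remote Desktop Services' in a GPO linked to this server's OU.")
}
```

Two caveats worth keeping in mind when reading the output. First, the hooks list only covers the local-GPO script lists and the common autorun and Winlogon values; a server admin has plenty of other places to plant code, so, as Scott says, the finding that matters is whether such an admin is trusted, not whether this scan came back empty. Second, the deny-logon rights are read from the host's own effective policy, which a local admin can change back; the setting that actually protects a Domain Admin is a domain GPO linked to the member-server OU that puts the Tier-0 groups in both deny rights, so the host cannot quietly re-admit them.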
