Well, the problem of the postit note is that the people doing it are a bit more circumspect than they used to be.  They don't post it with "Password: ilikebananas" and they don't necessarily put it on their monitor (though it hasn't been that long since I saw that and I always at the very least scold them and always make sure they take it down and throw it away themselves... taking ownership of disposing of eliminating their security risk).  They stick it under their keyboards, in the top drawer of their desk... basically taking it out of sight so that we won't catch them.  Unfortunately the people who are trying to breach your security are at least smart enough to check the top drawer, under the keyboard, under the monitor, under the paperweight, etc...

I for one, would love to see AD related security taken a lot more seriously.  Restricting the Domain Admins group members, applying more granular security throughout the environment so that if I need to create computer objects in the "User workstations" OU, then I can create them there and only there.  If I can only change the user's homedrive location, then that's all I get the rights to do.  It's only a lot of work when you first implement it and after it's done, then your overhead is mostly done and the minor cost of maintaining it is relatively low.  Unfortunately it's difficult to get the momentum going to implement this level of security.

As for security models, whether RBS or ABS... problems abound.  RBS is easy to audit, but grants rights that aren't necessarily required.  ABS bloats quickly and ends up with someone having membership in many groups that haven't been needed for the past 18 months (or longer) because the group administrator added the user for a one-time reason and never removed them and on the last 18 once per month (or quarter or whatever) security audits, they verified that the user still needs those group memberships, out of sync with reality.

Which is better?  I think both can be ugly on their face when taken alone.  Using a combination of the two is hopefully better (when people aren't getting added into both), but with the volume of data in many environments, it gets more and more difficult to control that data with any reasonable level of confidence, no matter what you do with your security model.
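
The granular delegation described above (create computer objects in one OU only; write nothing but homeDirectory on user objects), as an added example that is not from the thread. It assumes the ActiveDirectory PowerShell module, placeholder OU paths under DC=example,DC=com, and two placeholder groups, "Workstation Builders" and "Help Desk"; the class and attribute GUIDs are looked up from the schema rather than hard-coded.

```powershell
# Added example (not from the thread): two narrow AD delegations via the AD: drive.
# Placeholders: the OU paths and the two group names.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve the schemaIDGUID of a class or attribute by its LDAP display name.
function Get-SchemaGuid {
    param([string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}

$computerClass = Get-SchemaGuid 'computer'
$userClass     = Get-SchemaGuid 'user'
$homeDirAttr   = Get-SchemaGuid 'homeDirectory'

# 1) Workstation builders may create computer objects in this OU, and only here:
#    CreateChild limited to the computer class, no inheritance to child containers.
$wsOu = 'OU=User workstations,DC=example,DC=com'   # placeholder
$acl  = Get-Acl -Path "AD:\$wsOu"
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    (Get-ADGroup 'Workstation Builders').SID,     # placeholder group
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$wsOu" -AclObject $acl

# 2) Help desk may write the homeDirectory attribute, and nothing else, on
#    user objects below the Users OU: WriteProperty scoped to one attribute
#    and inherited only by descendant objects of class user.
$usersOu = 'OU=Users,DC=example,DC=com'            # placeholder
$acl2  = Get-Acl -Path "AD:\$usersOu"
$rule2 = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    (Get-ADGroup 'Help Desk').SID,                 # placeholder group
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $homeDirAttr,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)
$acl2.AddAccessRule($rule2)
Set-Acl -Path "AD:\$usersOu" -AclObject $acl2
```

Re-reading the OU with Get-Acl afterwards and filtering on the group SID confirms that each entry carries exactly one object type GUID, which is the check that keeps these delegations from quietly widening over time.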


On 8/1/06, joe <[EMAIL PROTECTED]> wrote:
Interesting thoughts there...

My only tongue in cheek response right off (though this will bubble in my
head for some time) is that most predators are brighter than many people
doing admin work and we still need them to be able to find the systems...
;o)

Raise your hand if in the last year you saw a postit with a password on it?
Keep your hand up if you did anything about it like ripping it up and
talking to the person? If your hand went down, was it yours by any chance?

How many people now see a security problem and shake their head and say, wow
that isn't good but there isn't anything I can do about it and then continue
on your day. That is the kind of stuff that really needs to stop.

  joe



--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, August 01, 2006 3:28 PM
To: [email protected]
Subject: Re: [ActiveDir] 80/20 ..... Was: Read-Only Domain Controller and
Server Core

On a totally serious note to Joe's tongue in cheek posting.... Go to a
zoo(1).. and you'll hear stories of how each animal has natural
'protection' from their predators.

Each animal has evolved to ensure they have some level of camouflage in
the way of color/features etc so that when their predator targets them
they attempt to blend into the background.  Some plants and animals
depend on other plants and animals to survive.  There's a unique falcon
that will only nest in leftover "Weaver bird" nests.. they don't build
their own..but by moving into a Weaver bird area, they act as "bouncers"
at the door and keep out the predators that prey on the Weaver birds.

Given that "here's what nature does to protect itself".... what (if
anything) has the computing industry done to "camouflage" to reduce risk?

(call me wacko) but it seems to me that we do a lot of "football"ish
type of security models.. offensive moves and defensive moves.  (Isn't
RODC a defensive move?)  Do we and can we add lessons from nature into
future networks?

(1)  Lessons learned from camping in a zoo...yes.. this high maintenance
female stayed in a tent in a zoo... if you are going to be without power
and electricity.... camping in a zoo at the San Diego Zoo's Wild Animal
Park's Roar and Snore is the way to do it.....

Matt Hargraves wrote:
> Joe's blog doesn't seem to say anything about what DSI actually *is*.
> I'm not seeing it as a security model beyond my impression of it being
> "Don't tell anyone what your security infrastructure looks like" or
> something like that.
>
> On 8/1/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]*
> <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote:
>
>     Isn't DSI being discussed in great detail at Blackhat starting
>     tomorrow.. or am I mistaken and just thinking about the blog post
>     again?
>     http://blog.joeware.net/2006/07/11/445/
>     < http://blog.joeware.net/2006/07/11/445/>
>
>
>     Brett Shirley wrote:
>     > I've always followed a DSI[1] access model, it definitely
>     supersedes in
>     > every way what RBS[resource], RBS[role], ABS, CBS, NBC, ABC can
>     provide
>     > ...
>     >
>     > [1] DSI = Defending Security Infrastructures
>     >
>     > -B
>     >
>     >
>


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
