RE: [ActiveDir] AD, Logon times & Custom messages
The right tool for the right job. I do not think the place you are looking at is the right place for this job. May I suggest ISA server, or similar web filter programs.

HTH

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Roger Seielstad
Sent: Mon 7/7/2003 8:59 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD, Logon times & Custom messages

The reject should be logged automatically, but I haven't checked for sure.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Mr Clark [mailto:[EMAIL PROTECTED]
> Sent: Monday, July 07, 2003 10:52 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] AD, Logon times & Custom messages
>
> Well, I just wanted to customize the message for my kids when they try
> to *sneak* on the computer during the middle of the night. :)
>
> As another thought, is there a way to "log" when someone tries to sign
> on at a restricted time?
>
> Charlie
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Monday, July 07, 2003 09:43
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] AD, Logon times & Custom messages
>
> Best guess is that you cannot modify the message.
>
> As is pretty much standard for that type of message in Microsoft products,
> it's coded into a DLL, and the only supportable way to do that would be to
> engage Microsoft Consulting Services to modify the DLL.
>
> However, since I believe that's part of the LSASS process on the client, and
> that gets patched somewhat regularly by service packs, etc, you'd have to
> re-engage them for every new service pack. IMO, it's not worth it.
>
> What are you trying to accomplish?
>
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
> > -----Original Message-----
> > From: Mr Clark [mailto:[EMAIL PROTECTED]
> > Sent: Monday, July 07, 2003 9:36 AM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] AD, Logon times & Custom messages
> >
> > Greetings all.
> > I'm new to the list and very new to AD.
> >
> > I have successfully set up my server for our LAN. DNS functions
> > correctly (so far, no error messages), etc.
> >
> > The question I would like to start off with first is this:
> >
> > Under Active Directory, you can specify Logon times for a user.
> >
> > What I would like to know is this:
> > Can you customize the message that comes up when a user tries to logon
> > during the prohibited time?
> >
> > I haven't seen this listed in the MSKB, and I didn't turn up anything
> > via google.
> >
> > TIA
> >
> > Charlie

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Taking DC Offline
Personally I don't see a problem with the audit / security guys attempting to crack high-level user ID's, as these are potentially the greatest threat to the security of the environment. That being said, if they DO crack the admin accounts, they then have a "back door" into the environment, and if nefarious types get their hands on the information, you are in a world of hurt.

There is one issue regarding the strength of these passwords. ANY password can be cracked, given enough time and computing resources. Have they placed any boundaries on how long they will plug away at the security database before declaring that a password is deemed to be secure enough?

Glenn

----- Original Message -----
From: Joe
To: [EMAIL PROTECTED]
Sent: Tuesday, July 08, 2003 7:54 AM
Subject: RE: [ActiveDir] Taking DC Offline

Heh, never heard that one before. Glad I could help out.

One thing I would recommend doing is writing a perl script that goes through and parses the file before you have to hand it over and removes any ID's with authority > say account operator from the file. That way

1. The security folks don't crack high level ID's.
2. If the hash dump falls into someone else's hands it doesn't have admin (or acc op or serv op or etc) id's listed.

The source is readily available, any c/c++ coder should be able to modify it to not even dump enhanced id's with a few extra calls though it would slow the program down a bit.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simpsen, Paul A. (HSC)
Sent: Monday, July 07, 2003 4:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Taking DC Offline

Hey Joe, (sorry I couldn't resist, being the old Hendrix fan that I am :) )

But anyhow... this is the route that I have taken and everything worked like a champ. I wasn't familiar with pwdump but I am now. Once again thanks for the reply.

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Friday, July 04, 2003 10:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Taking DC Offline

How are they planning on doing those tests? If they just want to test the password complexity/strength it isn't required to give them a whole DC, only a hash dump of the password in the DIT which can be done via pwdump3. Then they can use lc3/4 to go through the text file hash dump. There is no faster way that I am aware of to test those things.

In the meanwhile I think I would also remove any ADMIN ID's from that hash if the security folks aren't already admins.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simpsen, Paul A. (HSC)
Sent: Thursday, July 03, 2003 5:32 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Taking DC Offline

Our Security Director has requested that we build a temporary DC for his group. They want to take it offline and audit the current password complexity and strength. This DC will never return to the domain so I will have to manually remove the replication connections in the NTDS settings for each repl partner, plus the DNS records created.

I'm just wondering if I'm missing something obvious and that this might not be such a good idea. Possibility of orphaned objects or something to that nature? It won't be online long but.....

Paul Simpsen
Windows Server Administrator
Enterprise Systems, IT
University of Oklahoma HSC
405.271.2262 ext 50230
Fax: 405.271.2126

CONFIDENTIALITY NOTICE: This e-mail communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. If you have received this communication in error, please destroy all copies of this communication and any attachments.
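Joe's advice above is to run the pwdump output through a script that drops every account with Account Operator authority or higher before the file leaves the admin team, so the auditors never crack a privileged hash and a leaked dump exposes nothing privileged. The following is an added example written for this page, not Joe's perl script or any code from the thread: it does the same cut in Python. The `user:RID:LMhash:NThash:::` line layout is the pwdump convention; the privileged-group set, the account names and the group map are constructed for the example, and the two hashes are the well-known LM/NT values of an empty password rather than real credentials.

```python
"""Strip privileged accounts from a pwdump-style hash export before hand-over.

Added example, not the perl script Joe describes: same idea, in Python.
Input lines follow the pwdump convention  user:RID:LMhash:NThash:::
The group-membership map, the account names and the hashes below are
constructed for the example (the two hashes are the well-known LM/NT
values of an empty password, not real credentials).
"""
import re
from typing import Dict, List, Set, Tuple

# Well-known RIDs that are always privileged (500 = built-in Administrator,
# 502 = krbtgt), whatever the group map says.
PRIVILEGED_RIDS = {500, 502}

# Joe's cut-off is "Account Operator and above"; which groups count is an
# assumption for this example and should match the environment's own list.
PRIVILEGED_GROUPS = {
    "Enterprise Admins", "Schema Admins", "Domain Admins", "Administrators",
    "Account Operators", "Server Operators", "Backup Operators",
}

# user:RID:LM:NT:::  with two 32-hex-digit hashes
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9A-Fa-f]{32}):([0-9A-Fa-f]{32}):::\s*$")


def parse_dump(text: str) -> List[Tuple[str, int, str, str]]:
    """Return (user, rid, lm, nt) for each well-formed line; skip everything else."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return entries


def privileged_users(membership: Dict[str, Set[str]]) -> Set[str]:
    """Lower-cased names of users in any privileged group (Windows names are case-insensitive)."""
    priv = {g.lower() for g in PRIVILEGED_GROUPS}
    return {user.lower() for user, groups in membership.items()
            if any(g.lower() in priv for g in groups)}


def filter_dump(text: str, membership: Dict[str, Set[str]]) -> Tuple[List[str], List[str]]:
    """Return (lines safe to hand over, user names that were removed)."""
    priv = privileged_users(membership)
    kept, dropped = [], []
    for user, rid, lm, nt in parse_dump(text):
        if rid in PRIVILEGED_RIDS or user.lower() in priv:
            dropped.append(user)
        else:
            kept.append(f"{user}:{rid}:{lm}:{nt}:::")
    return kept, dropped


# Constructed sample input: the built-in admin, krbtgt, an Account Operator
# and an ordinary user, plus a stray banner line a dump tool might print.
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"
SAMPLE_DUMP = "\n".join([
    f"Administrator:500:{EMPTY_LM}:{EMPTY_NT}:::",
    f"krbtgt:502:{EMPTY_LM}:{EMPTY_NT}:::",
    f"jsmith:1105:{EMPTY_LM}:{EMPTY_NT}:::",
    f"ops1:1106:{EMPTY_LM}:{EMPTY_NT}:::",
    "Completed.",
])
SAMPLE_MEMBERSHIP = {"ops1": {"Account Operators"}, "jsmith": {"Domain Users"}}

if __name__ == "__main__":
    safe, removed = filter_dump(SAMPLE_DUMP, SAMPLE_MEMBERSHIP)
    print("\n".join(safe))
    print("removed:", ", ".join(removed))
```

The group map would in practice come from an enumeration of the privileged groups' members (nested membership included) taken at the same time as the dump, since a stale map is how an admin slips through; the well-known RID check is the backstop for accounts that never appear in any group listing.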
RE: [ActiveDir] AD DOS vulnerability
Rick-
Glad to help! One thing I've played around with on this is some low-tech methods for slowing down potential exploits of this. For example, I've used Services security in Group Policy to disable the Scheduler service on all DCs and then permissioned it so that only Enterprise Admins could start it up. I've also set up a loopback policy on all DCs that used Admin. Template settings to prevent anyone except Enterprise Admins from loading the ADSIEdit & Schema Manager MMC snap-ins on a DC. You could probably do even more with software restriction policy here. This by no means prevents the issue and the "extra crafty" admin can probably find ways around it, but it slows down the most obvious routes of exploitation, which is worth something :-)

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Monday, July 07, 2003 3:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD DOS vulnerability

Darren,

Thanks for providing the clarity. No intent to be 'stealthy' about the vulnerability, but - frankly, I couldn't think of the proper words at the moment.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, July 07, 2003 1:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD DOS vulnerability

I think this refers to the issue recently identified where a member of the Domain Admins group, with access to a domain controller within a domain in the forest, could, for example, start a process within the security context of LocalSystem (e.g. using the AT scheduler), and thus gain privileged access to the schema and configuration naming contexts that they weren't granted explicitly.

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, July 07, 2003 6:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD DOS vulnerability

Could you expand on what the specific vulnerability is there? I've not heard that terminology before.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Friday, July 04, 2003 5:42 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] AD DOS vulnerability
>
> Joe,
>
> Unfortunately, one of the biggest issues with AD can't be addressed
> with an upgrade, and that's the Security vulnerability from
> cross-domain admins.
> Looking to NetPro's monitoring tool to aid in this as a 'burglar alarm'.
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
> Sent: Friday, July 04, 2003 10:21 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] AD DOS vulnerability
>
> Also note that there is another D.O.S. capable bug that SP4 fixes if I
> recall correctly. It was something with referrals.
>
> Note that there are several things that can be done to W2K AD by a
> bright programmer with internal access who has had a chance to sit
> back and think about it that can hurt AD. Some only require having an
> account in AD, some requiring a machine account. Won't give details here
> or anywhere due to social conscience and not willing to expose shit that
> could hurt me personally but they are there... Move to W2K3 when you can
> as that may help based on some of the newer docs I have seen.
>
> I agree with what everyone else has said on SP4... Test test test,
> then deploy. When you do have an issue, post back here or in the
> newsgroups so others can learn of the experience. Even if you call MS
> and they say, nope, no one is having that issue. I have found that they
> know of things but won't come fully forward with them until some minimum
> number of customers/people have complained.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
> Sent: Thursday, July 03, 2003 10:04 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] AD DOS vulnerability
>
> Thanks Everyone for the great information. We have already begun
> patching the systems as a result of the information from the list.
>
> Todd Myrick
>
> -----Original Message-----
> From: Robert Moir [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 03, 2003 8:53 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] AD DOS vulnerability
>
> I'd certainly concur with the idea of using the hotfix before rushing
> SP4 out of the door without the usual acceptance testing but it might
> be worth remembering that someone who is posting from an educational
> establishment is in an environment where
RE: [ActiveDir] SP4
Lab testing at present is proceeding slowly, but no issues as of yet.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Don Murawski (Lenox)
Sent: Monday, July 07, 2003 2:40 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] SP4

Anyone installed SP4 yet on their DC's? If so, have you had any issues?

Don L. Murawski
Sr. Network Administrator
WorldTravel BTI
Phone: (404) 923-9468
Fax: (404) 949-6710
Cell: (678) 549-1264
RE: [ActiveDir] AD DOS vulnerability
Darren,

Thanks for providing the clarity. No intent to be 'stealthy' about the vulnerability, but - frankly, I couldn't think of the proper words at the moment.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, July 07, 2003 1:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD DOS vulnerability

I think this refers to the issue recently identified where a member of the Domain Admins group, with access to a domain controller within a domain in the forest, could, for example, start a process within the security context of LocalSystem (e.g. using the AT scheduler), and thus gain privileged access to the schema and configuration naming contexts that they weren't granted explicitly.

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, July 07, 2003 6:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD DOS vulnerability

Could you expand on what the specific vulnerability is there? I've not heard that terminology before.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Friday, July 04, 2003 5:42 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] AD DOS vulnerability
>
> Joe,
>
> Unfortunately, one of the biggest issues with AD can't be addressed
> with an upgrade, and that's the Security vulnerability from
> cross-domain admins.
> Looking to NetPro's monitoring tool to aid in this as a 'burglar alarm'.
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
> Sent: Friday, July 04, 2003 10:21 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] AD DOS vulnerability
>
> Also note that there is another D.O.S. capable bug that SP4 fixes if I
> recall correctly. It was something with referrals.
>
> Note that there are several things that can be done to W2K AD by a
> bright programmer with internal access who has had a chance to sit
> back and think about it that can hurt AD. Some only require having an
> account in AD, some requiring a machine account. Won't give details here
> or anywhere due to social conscience and not willing to expose shit that
> could hurt me personally but they are there... Move to W2K3 when you can
> as that may help based on some of the newer docs I have seen.
>
> I agree with what everyone else has said on SP4... Test test test,
> then deploy. When you do have an issue, post back here or in the
> newsgroups so others can learn of the experience. Even if you call MS
> and they say, nope, no one is having that issue. I have found that they
> know of things but won't come fully forward with them until some minimum
> number of customers/people have complained.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
> Sent: Thursday, July 03, 2003 10:04 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] AD DOS vulnerability
>
> Thanks Everyone for the great information. We have already begun
> patching the systems as a result of the information from the list.
>
> Todd Myrick
>
> -----Original Message-----
> From: Robert Moir [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 03, 2003 8:53 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] AD DOS vulnerability
>
> I'd certainly concur with the idea of using the hotfix before rushing
> SP4 out of the door without the usual acceptance testing but it might
> be worth remembering that someone who is posting from an educational
> establishment is in an environment where malicious attacks from within
> the network are not just possible, or likely, but are simply another day
> at the office.
>
> > -----Original Message-----
> > From: Tony Murray [mailto:[EMAIL PROTECTED]
> > Sent: 03 July 2003 12:51
> > To: [EMAIL PROTECTED]
> > Subject: Re: [ActiveDir] AD DOS vulnerability
> >
> > Given that this vulnerability can generally only be exploited through
> > malicious use from *within* the network (at least for most
> > organisations), you may want to hold off on SP4. This will depend on
> > your assessment of the threat in your environment. SP4 was only
> > released last week and it is usually prudent to wait to see if any
> > major bugs appear before installing it. I'm sure you remember the
> > problems introduced by Windows NT 4.0 SP6, which were then urgently
> > fixed in SP6a?
> >
> > You could always install the hotfix first and hold off a while on SP4.
> >
> > Mor
RE: [ActiveDir] Identity Management using AD
A lot of new info on MIIS has been published since the announcements: www.microsoft.com/MIIS

The RTM software will shortly be available for download from the MSDN Universal web site and on MSDN Universal CDs in September.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, July 07, 2003 2:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Identity Management using AD

MSFT internally uses SQL Server as the authoritative store for identity information, and populates AD from that.

-----Original Message-----
From: Glenn Corbett [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 03, 2003 7:00 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Identity Management using AD

All,

We are in the process of redefining our Internet-enabled applications with a view to a centralised customer/client database. There has been quite a bit of discussion regarding using AD as this "customer store", since AD will already be in this environment. I'm a bit hesitant to recommend "vanilla" AD for this task, however I can see a number of benefits to this approach, as the support monkeys can manage the entire environment using the same tools they use to manage the production environment (ADUC etc).

I've been reading up on the information regarding MIIS (what little there is), and can see some potential for a configuration such as this, eg:

- Use AD to store the "core" customer information (user name, password, basic details)
- Use ADAM or SQL (or whatever) for each application to store application specific extensions (so I don't end up with a blown out schema in AD with thousands of additional props for user objects)
- Use MIIS as the Authentication / Identity management front end, and use it to sync these disparate databases to ensure some semblance of "sameness" between them.
- Also use some of the MIIS features such as provisioning etc to ease the management overhead.

Applications could use AD to authenticate the customer coming in, and then use their ADAM database to house the application specific information they need. We could possibly then use MIIS to "backchannel" into the production AD system, so that corporate users can gain access to these Internet applications without requiring multiple accounts.

This is all just brainstorming at the moment, however (as usual), I need to come up with some sort of design by next week (gotta love being given lots of time *grin*). Having not actually got my hands on MIIS, this could be completely unfeasible. Other options are a custom database for the "customer store", or some other existing product.

Has anyone been down this road before, and could share some insights / resources?

Thanks
Glenn
RE: [ActiveDir] AD, Logon times & Custom messages
FYI: It has been my experience that MCS is not really all that interested in doing things like this. (I was looking into getting the mailbox limit warning message changed). They told me to find someone else to do it.

Jordan

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Monday, July 07, 2003 09:43
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] AD, Logon times & Custom messages
>
> Best guess is that you cannot modify the message.
>
> As is pretty much standard for that type of message in Microsoft products,
> it's coded into a DLL, and the only supportable way to do that would be to
> engage Microsoft Consulting Services to modify the DLL.
Re: [ActiveDir] SP4
yes i have, no i have not.

----- Original Message -----
From: Don Murawski (Lenox)
To: '[EMAIL PROTECTED]'
Sent: Monday, July 07, 2003 12:40 PM
Subject: [ActiveDir] SP4

Anyone installed SP4 yet on their DC's? If so, have you had any issues?

Don L. Murawski
Sr. Network Administrator
WorldTravel BTI
Phone: (404) 923-9468
Fax: (404) 949-6710
Cell: (678) 549-1264
RE: [ActiveDir] Taking DC Offline
I agree 110%. But then there are all sorts of bad security ideas out in the field because that is the only way people know how to do certain things.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Monday, July 07, 2003 9:24 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Taking DC Offline

The security folks *shouldn't* be admins. Kinda defeats the purpose in a lot of ways.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
RE: [ActiveDir] Taking DC Offline
Check out unlock at www.joeware.net. It's free, it's fast. Will display locked accounts or unlock them. Saves you the scripting time... Plus it runs faster than any script I have seen. :o)

As for those folks doing the testing, if it isn't security running those password check tools, it is hacking. Treat the admins accordingly.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Monday, July 07, 2003 9:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Taking DC Offline

In a way you should be happy they asked you, before just running a password guessing tool against the domain... Of course that won't necessarily be destructive - unless you have configured Account Lockout for X nr. of logons, which I always advise my customers to do. But if your AD domain spans multiple countries/locations or simply a large population of users (which might previously have been separate NT domains) - you're suddenly very vulnerable after all...

I've seen auditors from one location run their magic tools unannounced to any admin against the AD domain spanning the United States - voila, just like an attack from a hacker, that domain quickly ceased to work for any user, with logins and eMail etc. failing all over the place (thankfully admin accounts were hidden in AD and thus not known to the tool used by the auditors). Wasn't hard to find the issue and yell at the folks - but try to quickly revert the status of many hundreds of locked out users...

So now we're prepared for these situations via a scripting solution - I would suggest everyone prepare something for their own environment as well. Nothing like being caught off guard.

/Guido

From: Simpsen, Paul A. (HSC) [mailto:[EMAIL PROTECTED]
Sent: Monday, 7 July 2003 03:25
To: [EMAIL PROTECTED]

The whole purpose of this is all political. It has already been decided to enable password complexity, but to help make the campus more agreeable (we are an edu!) our Security director wants to shoot them some stats. The % of PWs that they could crack, etc... Why this is good for you, you know the deal. I'm still hoping my boss will see the light and just say no! :) Thanks for all the responses, there might be some other options.

Paul

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 04, 2003 4:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Taking DC Offline

Paul,

I'm somewhat mystified by the request. I might be completely missing the point, but unless the scan is going to be destructive, what is the value of giving the Security Director a DC that has been taken off-line? I do agree with what others have said here to this point (remove connection objects, clean up the objects from the DIT via NTDSUTIL, etc.), but the value of the work that is being done is still questionable. The DC is no longer in your environment, which from the standpoint of testing the security or the password complexity, makes it no longer a viable environment to do such. And, if the process is going to be destructive, is this something that they will want to do on a quarterly basis (again with questionable value in the security realm)?

Also, do your Security Analysts already have Administrative context access? If not, all passwords of this type should be nulled out. Even if they do - those that are not theirs should be erased as well.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simpsen, Paul A. (HSC)
Sent: Thursday, July 03, 2003 4:32 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Taking DC Offline

Our Security Director has requested that we build a temporary DC for his group. They want to take it offline and audit the current password complexity and strength. This DC will never return to the domain so I will have to manually remove the replication connections in the NTDS settings for each repl partner, plus the DNS records created. I'm just wondering if I'm missing something obvious and that this might not be such a good idea. Possibility of orphaned objects or something to that nature? It won't be online long but.....

Paul Simpsen
Windows Server Administrator
Enterprise Systems, IT
University of Oklahoma HSC
405.271.2262 ext 50230
Fax: 405.271.2126

CONFIDENTIALITY NOTICE: This e-mail communication and any a
RE: [ActiveDir] AD DOS vulnerability
I think this refers to the issue recently identified where a member of the Domain Admins group, with access to a domain controller within a domain in the forest, could, for example, start a process within the security context of LocalSystem (e.g. using the AT scheduler), and thus gain privileged access to the schema and configuration naming contexts that they weren't granted explicitly.

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, July 07, 2003 6:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD DOS vulnerability

Could you expand on what the specific vulnerability is there? I've not heard that terminology before.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -Original Message-
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Friday, July 04, 2003 5:42 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] AD DOS vulnerability
>
> Joe,
>
> Unfortunately, one of the biggest issues with AD can't be addressed with an upgrade, and that's the Security vulnerability from cross-domain admins. Looking to NetPro's monitoring tool to aid in this as a 'burglar alarm'.
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
> Sent: Friday, July 04, 2003 10:21 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] AD DOS vulnerability
>
> Also note that there is another D.O.S. capable bug that SP4 fixes if I recall correctly. It was something with referrals.
>
> Note that there are several things that can be done to W2K AD by a bright programmer with internal access who has had a chance to sit back and think about it that can hurt AD. Some only require having an account in AD, some requiring a machine account. Won't give details here or anywhere due to social conscience and not willing to expose shit that could hurt me personally but they are there... Move to W2K3 when you can as that may help based on some of the newer docs I have seen.
>
> I agree with what everyone else has said on SP4... Test test test, then deploy. When you do have an issue, post back here or in the newsgroups so others can learn of the experience. Even if you call MS and they say, nope, no one is having that issue. I have found that they know of things but won't come fully forward with them until some minimum number of customers/people have complained.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
> Sent: Thursday, July 03, 2003 10:04 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] AD DOS vulnerability
>
> Thanks Everyone for the great information. We have already begun patching the systems as a result of the information from the list.
>
> Todd Myrick
>
> -Original Message-
> From: Robert Moir [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 03, 2003 8:53 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] AD DOS vulnerability
>
> I'd certainly concur with the idea of using the hotfix before rushing SP4 out of the door without the usual acceptance testing but it might be worth remembering that someone who is posting from an educational establishment is in an environment where malicious attacks from within the network are not just possible, or likely, but are simply another day at the office.
>
> > -Original Message-
> > From: Tony Murray [mailto:[EMAIL PROTECTED]
> > Sent: 03 July 2003 12:51
> > To: [EMAIL PROTECTED]
> > Subject: Re: [ActiveDir] AD DOS vulnerability
> >
> > Given that this vulnerability can generally only be exploited through malicious use from *within* the network (at least for most organisations), you may want to hold off on SP4. This will depend on your assessment of the threat in your environment. SP4 was only released last week and it is usually prudent to wait to see if any major bugs appear before installing it. I'm sure you remember the problems introduced by Windows NT 4.0 SP6, which were then urgently fixed in SP6a?
> >
> > You could always install the hotfix first and hold off a while on SP4.
> >
> > More info on this vulnerability here:
> >
> > http://www.coresecurity.com/common/showdoc.php?idx=351&idxseccion=10
> >
> > Tony
> >
> > -- Original Message --
> > From: [EMAIL PROTECTED]
> > Reply-To: [EMAIL PROTECTED]
> > Date: Thu, 3 Jul 2003 11:10:44 +0100
> >
> > I received notification about a vulnerability in AD this morning - details are at
> > http://support.microsoft.com/default.aspx?kbid=319709
> >
> > It looks like the recom
RE: [ActiveDir] AD, Logon times & Custom messages
The reject should be logged automatically, but I haven't checked for sure.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -Original Message-
> From: Mr Clark [mailto:[EMAIL PROTECTED]
> Sent: Monday, July 07, 2003 10:52 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] AD, Logon times & Custom messages
>
> Well, I just wanted to customize the message for my kids when they try to *sneak* on the computer during the middle of the night. :)
>
> As another thought, is there a way to "log" when someone tries to sign on at a restricted time?
>
> Charlie
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Monday, July 07, 2003 09:43
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] AD, Logon times & Custom messages
>
> Best guess is that you cannot modify the message.
>
> As is pretty much standard for that type of message in Microsoft products, it's coded into a DLL, and the only supportable way to do that would be to engage Microsoft Consulting Services to modify the DLL.
>
> However, since I believe that's part of the LSASS process on the client, and that gets patched somewhat regularly by service packs, etc, you'd have to re-engage them for every new service pack. IMO, it's not worth it.
>
> What are you trying to accomplish?
>
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
> > -Original Message-
> > From: Mr Clark [mailto:[EMAIL PROTECTED]
> > Sent: Monday, July 07, 2003 9:36 AM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] AD, Logon times & Custom messages
> >
> > Greetings all.
> > I'm new to the list and very new to AD.
> >
> > I have successfully set up my server for our LAN. DNS functions correctly (so far, no error messages), etc.
> >
> > The question I would like to start off with first is this:
> >
> > Under Active Directory, you can specify Logon times for a user.
> >
> > What I would like to know is this:
> > Can you customize the message that comes up when a user tries to logon during the prohibited time?
> >
> > I haven't seen this listed in the MSKB, and I didn't turn up anything via google.
> >
> > TIA
> >
> > Charlie

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] AD, Logon times & Custom messages
Well, I just wanted to customize the message for my kids when they try to *sneak* on the computer during the middle of the night. :)

As another thought, is there a way to "log" when someone tries to sign on at a restricted time?

Charlie

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Monday, July 07, 2003 09:43
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD, Logon times & Custom messages

Best guess is that you cannot modify the message.

As is pretty much standard for that type of message in Microsoft products, it's coded into a DLL, and the only supportable way to do that would be to engage Microsoft Consulting Services to modify the DLL.

However, since I believe that's part of the LSASS process on the client, and that gets patched somewhat regularly by service packs, etc, you'd have to re-engage them for every new service pack. IMO, it's not worth it.

What are you trying to accomplish?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -Original Message-
> From: Mr Clark [mailto:[EMAIL PROTECTED]
> Sent: Monday, July 07, 2003 9:36 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] AD, Logon times & Custom messages
>
> Greetings all.
> I'm new to the list and very new to AD.
>
> I have successfully set up my server for our LAN. DNS functions correctly (so far, no error messages), etc.
>
> The question I would like to start off with first is this:
>
> Under Active Directory, you can specify Logon times for a user.
>
> What I would like to know is this:
> Can you customize the message that comes up when a user tries to logon during the prohibited time?
>
> I haven't seen this listed in the MSKB, and I didn't turn up anything via google.
>
> TIA
>
> Charlie
[ActiveDir] Best Practices Guide for Securing AD Part 1 and 2 are on the Technet site.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/Windows2000/maintain/BPguide/Part1/ADSECP1.asp

Let's start an interesting review of the content, shall we...

Todd
RE: [ActiveDir] AD, Logon times & Custom messages
Best guess is that you cannot modify the message.

As is pretty much standard for that type of message in Microsoft products, it's coded into a DLL, and the only supportable way to do that would be to engage Microsoft Consulting Services to modify the DLL.

However, since I believe that's part of the LSASS process on the client, and that gets patched somewhat regularly by service packs, etc, you'd have to re-engage them for every new service pack. IMO, it's not worth it.

What are you trying to accomplish?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -Original Message-
> From: Mr Clark [mailto:[EMAIL PROTECTED]
> Sent: Monday, July 07, 2003 9:36 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] AD, Logon times & Custom messages
>
> Greetings all.
> I'm new to the list and very new to AD.
>
> I have successfully set up my server for our LAN. DNS functions correctly (so far, no error messages), etc.
>
> The question I would like to start off with first is this:
>
> Under Active Directory, you can specify Logon times for a user.
>
> What I would like to know is this:
> Can you customize the message that comes up when a user tries to logon during the prohibited time?
>
> I haven't seen this listed in the MSKB, and I didn't turn up anything via google.
>
> TIA
>
> Charlie
RE: [ActiveDir] Taking DC Offline
In a way you should be happy they asked you, before just running a password guessing tool against the domain... Of course that won't necessarily be destructive - unless you have configured Account Lockout for X nr. of logons, which I always advise my customers to do. But if your AD domain spans multiple countries/locations or simply a large population of users (which might previously have been separate NT domains) - you're suddenly very vulnerable after all...

I've seen auditors from one location run their magic tools unannounced to any admin against the AD domain spanning the United States - voila, just like an attack from a hacker, that domain quickly ceased to work for any user, with logins and eMail etc. failing all over the place (thankfully admin accounts were hidden in AD and thus not known to the tool used by the auditors). Wasn't hard to find the issue and yell at the folks - but try to quickly revert the status of many hundreds of locked out users...

So now we're prepared for these situations via a scripting solution - I would suggest everyone prepare something for their own environment as well. Nothing like being caught off guard.

/Guido

From: Simpsen, Paul A. (HSC) [mailto:[EMAIL PROTECTED]
Sent: Monday, 7 July 2003 03:25
To: [EMAIL PROTECTED]

The whole purpose of this is all political. It has already been decided to enable password complexity, but to help make the campus more agreeable (we are an edu!) our Security director wants to shoot them some stats. The % of PWs that they could crack, etc... Why this is good for you, you know the deal. I'm still hoping my boss will see the light and just say no! :) Thanks for all the responses, there might be some other options.

Paul

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 04, 2003 4:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Taking DC Offline

Paul,

I'm somewhat mystified by the request. I might be completely missing the point, but unless the scan is going to be destructive, what is the value of giving the Security Director a DC that has been taken off-line? I do agree with what others have said here to this point (remove connection objects, clean up the objects from the DIT via NTDSUTIL, etc.), but the value of the work that is being done is still questionable. The DC is no longer in your environment, which from the standpoint of testing the security or the password complexity, makes it no longer a viable environment to do such. And, if the process is going to be destructive, is this something that they will want to do on a quarterly basis (again with questionable value in the security realm)?

Also, do your Security Analysts already have Administrative context access? If not, all passwords of this type should be nulled out. Even if they do - those that are not theirs should be erased as well.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simpsen, Paul A. (HSC)
Sent: Thursday, July 03, 2003 4:32 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Taking DC Offline

Our Security Director has requested that we build a temporary DC for his group. They want to take it offline and audit the current password complexity and strength. This DC will never return to the domain so I will have to manually remove the replication connections in the NTDS settings for each repl partner, plus the DNS records created. I'm just wondering if I'm missing something obvious and that this might not be such a good idea. Possibility of orphaned objects or something to that nature? It won't be online long but.....

Paul Simpsen
Windows Server Administrator
Enterprise Systems, IT
University of Oklahoma HSC
405.271.2262 ext 50230
Fax: 405.271.2126

CONFIDENTIALITY NOTICE: This e-mail communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. If you have received this communication in error, please destroy all copies of this communication and any attachments.
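As an added example, not code from any member of this list: the Python below runs two defender-side checks over a constructed Security-log export, flagging a burst of account lockouts coming from one caller computer (the auditor scenario Guido describes above) and logon attempts rejected because of the account's permitted logon hours (the logging Charlie asked about in the other thread). The CSV layout and every record are constructed for this example; event IDs 4740 and 4625 and sub-status 0xC000006F are the values current Windows versions log, not the Windows 2000-era event numbers in use when the thread was written.

```python
"""Two checks over a Windows Security log export (added example code).

The records below are constructed for this example. The event IDs and
NTSTATUS value are the ones current Windows versions use: 4740 = account
locked out (the Caller Computer Name field is the machine the bad attempts
came from), 4625 = logon failure, and sub-status 0xC000006F =
STATUS_INVALID_LOGON_HOURS (logon attempted outside permitted hours).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

EVENT_LOCKOUT = 4740
EVENT_LOGON_FAILED = 4625
STATUS_INVALID_LOGON_HOURS = "0xC000006F"

# Constructed CSV export, one event per line (this layout is an assumption
# of the example, not a real export format):
# time,event_id,target_account,caller_or_workstation,sub_status
SAMPLE_EXPORT = """\
2003-07-07 02:13:40,4625,charlie-kid,FAMILY-PC,0xC000006F
2003-07-07 02:14:05,4625,charlie-kid,FAMILY-PC,0xC000006F
2003-07-07 08:55:12,4625,jsmith,HR-PC07,0xC000006A
2003-07-07 09:30:02,4740,jsmith,AUDIT-WS01,-
2003-07-07 09:30:05,4740,bjones,AUDIT-WS01,-
2003-07-07 09:30:11,4740,mgarcia,AUDIT-WS01,-
2003-07-07 09:30:19,4740,tlee,AUDIT-WS01,-
2003-07-07 09:30:44,4740,rkhan,AUDIT-WS01,-
2003-07-07 09:31:03,4740,dwhite,AUDIT-WS01,-
2003-07-07 09:31:27,4740,pnovak,AUDIT-WS01,-
2003-07-07 09:32:50,4740,sokafor,AUDIT-WS01,-
2003-07-07 11:02:33,4740,jsmith,HR-PC07,-
"""


@dataclass(frozen=True)
class Event:
    when: datetime
    event_id: int
    target: str   # account the event is about
    source: str   # caller computer (4740) or workstation name (4625)
    status: str   # NTSTATUS sub-status for 4625, "-" otherwise


def parse_export(text: str) -> List[Event]:
    """Parse the flat CSV export into Event records, skipping blanks/comments."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        when, event_id, target, source, status = line.split(",")
        events.append(Event(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                            int(event_id), target, source, status))
    return events


def lockout_bursts(events: List[Event], window: timedelta = timedelta(minutes=10),
                   threshold: int = 5) -> Dict[str, int]:
    """Find caller computers that locked out many distinct accounts quickly.

    Returns {caller: max distinct accounts locked inside one `window`} for
    every caller reaching `threshold`. One user forgetting a password locks
    one account; a guessing tool walking the user list locks dozens from
    the same caller within minutes, which is the pattern Guido describes.
    """
    by_caller: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.event_id == EVENT_LOCKOUT:
            by_caller[e.source].append(e)

    flagged: Dict[str, int] = {}
    for caller, evs in by_caller.items():
        evs.sort(key=lambda e: e.when)
        best, start = 0, 0
        for end in range(len(evs)):  # sliding window over time-sorted events
            while evs[end].when - evs[start].when > window:
                start += 1
            best = max(best, len({e.target for e in evs[start:end + 1]}))
        if best >= threshold:
            flagged[caller] = best
    return flagged


def logon_hours_violations(events: List[Event]) -> List[Event]:
    """Return failed logons whose sub-status says 'outside permitted logon hours'."""
    return [e for e in events
            if e.event_id == EVENT_LOGON_FAILED
            and e.status.lower() == STATUS_INVALID_LOGON_HOURS.lower()]


if __name__ == "__main__":
    evs = parse_export(SAMPLE_EXPORT)
    for caller, n in lockout_bursts(evs).items():
        print(f"ALERT lockout burst: {n} accounts locked from {caller}")
    for e in logon_hours_violations(evs):
        print(f"NOTE logon-hours reject: {e.target} from {e.source} at {e.when:%H:%M}")
```

The lockout check groups by caller computer rather than by account, so a single workstation locking out hundreds of users stands out while scattered forgotten-password lockouts do not.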
[ActiveDir] AD, Logon times & Custom messages
Greetings all.
I'm new to the list and very new to AD.

I have successfully set up my server for our LAN. DNS functions correctly (so far, no error messages), etc.

The question I would like to start off with first is this:

Under Active Directory, you can specify Logon times for a user.

What I would like to know is this:
Can you customize the message that comes up when a user tries to logon during the prohibited time?

I haven't seen this listed in the MSKB, and I didn't turn up anything via google.

TIA

Charlie
RE: [ActiveDir] AD DOS vulnerability
Could you expand on what the specific vulnerability is there? I've not heard that terminology before.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -Original Message-
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Friday, July 04, 2003 5:42 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] AD DOS vulnerability
>
> Joe,
>
> Unfortunately, one of the biggest issues with AD can't be addressed with an upgrade, and that's the Security vulnerability from cross-domain admins. Looking to NetPro's monitoring tool to aid in this as a 'burglar alarm'.
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
> Sent: Friday, July 04, 2003 10:21 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] AD DOS vulnerability
>
> Also note that there is another D.O.S. capable bug that SP4 fixes if I recall correctly. It was something with referrals.
>
> Note that there are several things that can be done to W2K AD by a bright programmer with internal access who has had a chance to sit back and think about it that can hurt AD. Some only require having an account in AD, some requiring a machine account. Won't give details here or anywhere due to social conscience and not willing to expose shit that could hurt me personally but they are there... Move to W2K3 when you can as that may help based on some of the newer docs I have seen.
>
> I agree with what everyone else has said on SP4... Test test test, then deploy. When you do have an issue, post back here or in the newsgroups so others can learn of the experience. Even if you call MS and they say, nope, no one is having that issue. I have found that they know of things but won't come fully forward with them until some minimum number of customers/people have complained.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
> Sent: Thursday, July 03, 2003 10:04 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] AD DOS vulnerability
>
> Thanks Everyone for the great information. We have already begun patching the systems as a result of the information from the list.
>
> Todd Myrick
>
> -Original Message-
> From: Robert Moir [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 03, 2003 8:53 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] AD DOS vulnerability
>
> I'd certainly concur with the idea of using the hotfix before rushing SP4 out of the door without the usual acceptance testing but it might be worth remembering that someone who is posting from an educational establishment is in an environment where malicious attacks from within the network are not just possible, or likely, but are simply another day at the office.
>
> > -Original Message-
> > From: Tony Murray [mailto:[EMAIL PROTECTED]
> > Sent: 03 July 2003 12:51
> > To: [EMAIL PROTECTED]
> > Subject: Re: [ActiveDir] AD DOS vulnerability
> >
> > Given that this vulnerability can generally only be exploited through malicious use from *within* the network (at least for most organisations), you may want to hold off on SP4. This will depend on your assessment of the threat in your environment. SP4 was only released last week and it is usually prudent to wait to see if any major bugs appear before installing it. I'm sure you remember the problems introduced by Windows NT 4.0 SP6, which were then urgently fixed in SP6a?
> >
> > You could always install the hotfix first and hold off a while on SP4.
> >
> > More info on this vulnerability here:
> >
> > http://www.coresecurity.com/common/showdoc.php?idx=351&idxseccion=10
> >
> > Tony
> >
> > -- Original Message --
> > From: [EMAIL PROTECTED]
> > Reply-To: [EMAIL PROTECTED]
> > Date: Thu, 3 Jul 2003 11:10:44 +0100
> >
> > I received notification about a vulnerability in AD this morning - details are at
> > http://support.microsoft.com/default.aspx?kbid=319709
> >
> > It looks like the recommended fix is to upgrade my DCs to SP4.
> >
> > I was planning to wait a lot longer before I inflict SP4 on any machines that I care about, but it looks like this might force my hand a bit. What's everyone else doing?
> >
> > Has anyone heard of *any* problems with SP4 yet?
> >
> > --
> > Steve Bennett, Systems Support
> > Lancaster University
RE: [ActiveDir] Taking DC Offline
The security folks *shouldn't* be admins. Kinda defeats the purpose in a lot of ways.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Friday, July 04, 2003 11:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Taking DC Offline

How are they planning on doing those tests? If they just want to test the password complexity/strength it isn't required to give them a whole DC, only a hash dump of the password in the DIT which can be done via pwdump3. Then they can use lc3/4 to go through the text file hash dump. There is no faster way that I am aware of to test those things.

In the meanwhile I think I would also remove any ADMIN ID's from that hash if the security folks aren't already admins.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simpsen, Paul A. (HSC)
Sent: Thursday, July 03, 2003 5:32 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Taking DC Offline

Our Security Director has requested that we build a temporary DC for his group. They want to take it offline and audit the current password complexity and strength. This DC will never return to the domain so I will have to manually remove the replication connections in the NTDS settings for each repl partner, plus the DNS records created. I'm just wondering if I'm missing something obvious and that this might not be such a good idea. Possibility of orphaned objects or something to that nature? It won't be online long but.

Paul Simpsen
Windows Server Administrator
Enterprise Systems, IT
University of Oklahoma HSC
405.271.2262 ext 50230
Fax: 405.271.2126
RE: [ActiveDir] Domain Rename
Absolutely. We spent 3 days doing whois searches for available domain names through the Internic before we found a pair of sufficiently generic ones to use. And my Exchange org is named, funny enough, "Exchange".

Then again, it was during our divestiture from our previous owners, and we had a legal name but were not using it for business operations.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -Original Message-
> From: Glenn Corbett [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 02, 2003 2:01 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] Domain Rename
>
> Hence why it's a good idea to NOT include the actual company name in the forest or domain names. Means you don't have to change it when the company name changes (except for your Exchange smtp addresses, which can be done independent of the domain name anyway).
>
> Been down this road too many times, it's easier just to avoid the problem altogether :)
>
> My $0.02
>
> Glenn
>
> - Original Message -
> From: "Rick Kingslan" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, July 02, 2003 3:04 PM
> Subject: RE: [ActiveDir] Domain Rename
>
> > You're quite correct. If you have an E2K/E2k3 ORG, you still have a bit of a problem. You can rename the domain, the ORG however - another issue altogether.
> >
> > Rick Kingslan MCSE, MCSA, MCT
> > Microsoft MVP - Active Directory
> > Associate Expert
> > Expert Zone - www.microsoft.com/windowsxp/expertzone
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> > Sent: Tuesday, July 01, 2003 9:55 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [ActiveDir] Domain Rename
> >
> > As far as I know, MS has still not addressed the issues that Exchange has with Domain Rename, even in Windows 2003. This is something to bear in mind, if you have Exchange in the mix.
> >
> > The last literature I read (admittedly, it's a while back), indicates that domain rename in a pre-existing Exchange Domain is officially "not supported".
> >
> > I have been known to be a little tardy in my information, though.
> >
> > HTH
> >
> > Deji Akomolafe
> >
> > - Original Message -
> > From: "Jan Wilson" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Tuesday, July 01, 2003 5:58 PM
> > Subject: Re: [ActiveDir] Domain Rename
> >
> > > Thanks Rick - we find the two reboots per device requirement a bit ... tricky. (24 x 7 operations with 450 servers - 12500 workstations - 85 sites).
> > >
> > > Sounds like a mess of work for what I consider optics!
> > >
> > > - Original Message -
> > > From: "Rick Kingslan" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Tuesday, July 01, 2003 5:08 PM
> > > Subject: RE: [ActiveDir] Domain Rename
> > >
> > > > Jan,
> > > >
> > > > Key point is that you must be in Windows Server 2003 Forest Functional Mode - only W2k3 DCs in the forest. It's not anywhere near as bad as it looks. Not anywhere as daunting as the road to Windows 2000 Native
RE: [ActiveDir] Question About Schema Extensions.... Chicken or Egg
Any way you could define what "minor functionality" is?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Benton Wink {winkb} [mailto:[EMAIL PROTECTED]
Sent: Friday, June 27, 2003 12:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Question About Schema Extensions Chicken or Egg

You do NOT have to have the Server 2003 AD schema extensions for Exchange 2003. You lose some minor functionality, nothing major. We are currently in production with Exchange 2003 w/o Server 2003 AD.

Benton Chase Wink

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Friday, June 27, 2003 10:15 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Question About Schema Extensions Chicken or Egg

We just learned that Exchange 2003 will be RTM next week. And the Exchange lead is chomping at the bit to extend the schema for it. We have two problems: we have not extended the schema for Windows 2003, and we have a site design that has some replication issues due to firewalls. We are in the process of fixing and optimizing the site design.

The question I have is: are the Windows 2003 schema extensions required before the Exchange 2003 ones? The reason why I ask is because I thought I remembered Andres Luther at the DEC 2003 saying that there were two bug fixes for Exchange 2000 schema extensions in the Windows 2003 schema extensions.

Thanks,
Todd Myrick
RE: [ActiveDir] Password Complexity
Cathy is indeed correct. During 2 separate migrations I saw this specific issue, but I believe it was limited to downlevel clients.

At some point after go live date, we switched on the password complexity requirement for the domain. At the next password expiry interval, any user attempting to change their password from a downlevel client (definitely 9x, and I believe also NT4, neither with the AD client installed) starting with a non-complex password would receive an Invalid Password response when attempting to change their password. The only way the users were able to actually change their password from a downlevel machine was for an admin to reset their password to one meeting the complexity requirements.

This was AD running on either SP1 or SP2 boxes (I want to say SP2).

Roger

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: O'Brien, Cathy [mailto:[EMAIL PROTECTED]
Sent: Monday, June 30, 2003 5:42 PM
To: [EMAIL PROTECTED]
Cc: Roger Seielstad
Subject: RE: [ActiveDir] Password Complexity

It seems like Roger Seielstad has given warnings about this issue. Roger?

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 30, 2003 3:32 AM
To: [EMAIL PROTECTED]

I've not heard of an issue like this. In fact I've seen situations where user accounts have been migrated along with weak passwords from Windows NT 4.0 domains to an AD domain with password complexity enabled. When the users subsequently change the password in the AD domain there is no issue.

It could be an oversimplification, but I think this has to do with the password itself not being stored - just the hash. From the hash information the system is unable to determine whether the old password meets the password complexity (or indeed other password policies) or not. Because of this there should never be a problem with the old password not meeting the new password policy requirements.

There were some fixes for certain password issues included in SP3, so it would be good to make sure you are not running SP2 or earlier.

Tony

From: [EMAIL PROTECTED]
Sent: Friday, 27 June 2003 19:32
To: [EMAIL PROTECTED]

In July we are going to enable password complexity. I know I've seen issues with this on the list but am unable to connect to the archives. I believe the issue was that if your old pw didn't meet the requirements then you were unable to change your pw. Is this correct and has anyone experienced this issue? I have also searched for a KB on this issue but don't seem to be able to find one. (if a KB is there it won't be the first time I couldn't find one...)

TIA

Paul Simpsen
Windows Server Administrator
Enterprise Systems, IT
University of Oklahoma HSC
405.271.2262 ext 50230
Fax: 405.271.2126