RE: [ActiveDir] ADAM on XP Pro
My first thought is yuck. My second thought is this is insecure from multiple angles and really a poor use of ADAM. Sounds like an ultra poor attempt at making a datacenter app work on the road. I like where Idan was going... some sort of local cached password for the local version of the app. Once back online and talking to the real app the cache gets refreshed.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray
Sent: Wednesday, October 04, 2006 10:34 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] ADAM on XP Pro

I've been talking to a vendor about an application they are developing. It involves running ADAM instances on XP Pro machines (laptops) that replicate with a centralised ADAM instance running on W2K3. I don't have further details at this stage, but I believe they are planning to use the local ADAM instance to authenticate laptop users to an application when they are off-line.

In addition to security concerns with this approach, I'm not really comfortable with the idea of ADAM instances on laptops being part of a configuration set. I had always understood ADAM on XP to be used for a personal data store (http://technet2.microsoft.com/WindowsServer/en/library/29fb059e-544c-4577-bf7c-ba4b08df48431033.mspx?mfr=true).

Any thoughts on this?

Tony

Sent via the WebMail system at mail.activedir.org

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] ADAM on XP Pro
I had an exchange with a vendor who was planning on a similar approach:
http://groups.google.co.uk/group/microsoft.public.windows.server.active_directory/browse_frm/thread/83248bf50f9f76ec/2aac67203f612e2a

My summary, see the end of the archived thread, was that they should talk to Microsoft about this use of the replication model, as it did not seem an appropriate use of a multimaster replication model to me. Even if we had RO ADAM instances I still think it would be a pain to manage... Let us know how you get on.

Thanks
Lee Flight

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] ADAM on XP Pro
A hybrid approach to storing it on EFS would be to use a laptop-specific protection program. Something that encrypts the hard drive and prevents the laptop from being hacked via off-line means. This may or may not mitigate the legal concerns, but it would help to protect the data on a laptop that's gone missing.

Saying that, I'm trying to see the benefit of using ADAM for, in essence, a single-user application. Seems overkill in my mind. If they want to have centralized control over the identities in an off-line fashion, then I suggest that ADAM might not be the right technology for their needs. As the others have alluded to, the replication would be difficult to manage as it's not really intended to be managed that way in my opinion. And relying on the client to sync up with the mothership is no way to enforce security. That's similar to asking a child to make sure he guards the cookie jar from himself. :)

Al

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] ADAM on XP Pro
Hi Tony,

I agree with your concern. I don't want to go off topic, or push someone else's product, but Citrix Password Manager will do this, and provide complete security. It can run in disconnected mode and does not need a Citrix server in place for it to work. I'm sure there are other solutions out there too, but if it's just authentication they need, then this is the one I would recommend if you wanted a software-based solution. A product like Citrix Password Manager can add a lot more value too. Whereas this ADAM application they are developing sounds like a considerable amount of development for just one purpose. That usually means big bucks.

Cheers.

Kind regards,

Jeremy Saunders
Senior Technical Specialist
Infrastructure Technology Services (ITS)
Cerulean Global Technology Services (GTS)
IBM Australia
Level 2, 1060 Hay Street
West Perth WA 6005
Visit us at http://www.ibm.com/services/au/its
P: +61 8 9261 8412
F: +61 8 9261 8486
M: TBA
E-mail: [EMAIL PROTECTED]

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] ADAM on XP Pro
ADAM on XP is no different from ADAM on w2k3 security-wise. The big differences are that it is throttled somewhat perf-wise, and also there's no auditing. I do not see any serious security problems with this approach. Unless you are thinking that somebody steals the laptop, cracks the DIT open and brute-forces the pwd hashes? Store the DIT on an EFS volume then. In any case, these are ADAM users, not Windows...

The only problem will be replication -- instances will complain that they are unable to replicate when in offline mode. Perhaps this can be resolved by creating a separate site for every instance and setting up manual links to the hub instance. Hmm. Not sure. I guess it depends on how long they'll stay offline. KCC is not really optimized to work well in such scenarios.

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] ADAM on XP Pro
Thanks Dmitri.

Yes, my security concern was with regard to laptop theft. As you say, these are ADAM and not AD accounts, so the risk of compromise is localised to the application. Good tip about EFS (even if I'm not a big fan of it generally). There may be other options (e.g. hardware encryption).

I will give some further thought to the potential replication issues you mention when I know more about the application - I haven't managed to get my hands on it yet :-)

Tony

Sent via the WebMail system at mail.activedir.org

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] ADAM on XP Pro
Hi Tony,

I would think the only security risk with doing this is that if a laptop is stolen, the entire contents of the directory, rather than just this user's credentials, could be compromised. In today's regulatory environment, where full disclosure of compromises, including theft of data-laden hardware or media, is often legally mandated, this could be disastrous. Obviously, I could be over-reaching here - I don't know anything about the organization and therefore about relevant legislation, but you should think about that possibility, if for no other reason than to assure yourself that it does not apply.

The operational impact of replicating ADAM all over the place is that you're dropping a large-ish piece of software on many workstations, and they don't really need it. There may also be more replication traffic and load on the central server than you might want.

A simpler solution, I would think, would be for this app to cache on disk an encrypted copy of the current user's LDAP object whenever the user successfully authenticates to the central ADAM. If the user wants to use the app offline, the app would detect the fact that the hardware it's on happens to be offline at startup (that's easy to do), and authenticate the user against the disk image of the last user object.

In case your vendor doesn't know how to tell whether a machine is online -- give them this C++ code snippet to get them started:

    // get the list of interfaces on an already-created socket s
    INTERFACE_INFO iInfo[MAX_INTERFACES];
    DWORD numBytes = 0;
    int rcode = WSAIoctl(s, SIO_GET_INTERFACE_LIST, NULL, 0,
                         (LPVOID) iInfo, sizeof(INTERFACE_INFO) * MAX_INTERFACES,
                         &numBytes, NULL, NULL);   // bytes-returned argument is a pointer

This approach is roughly how cached credentials in Windows allow users to sign onto their laptops with domain credentials while disconnected.

Bottom line: this method is pretty simple, doesn't require any special software running on the PC, and limits the impact of a theft or compromise of the user's workstation.

Good luck,

--
Idan Shoham
Chief Technology Officer
M-Tech Information Technology, Inc.
[EMAIL PROTECTED]
http://mtechIT.com

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
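The cached-credential design Idan sketches above, together with the stolen-laptop / password-hash brute-force concern Dmitri raised earlier in the thread, as an added example that is not part of the original thread and not the vendor's application or ADAM itself. It is a Python sketch of the application-side logic: after a successful bind against the central directory the app caches only that user's own object plus a salted, slow PBKDF2 verifier; an offline logon is checked against that cache, and a cache older than a cut-off is refused so the user has to bind online again. The `CENTRAL_DIRECTORY` stand-in, the `logon` helper, the one-week `MAX_OFFLINE_AGE`, the iteration count and the sample user are all assumptions constructed for this example; the cache file is assumed to live on an EFS-protected path, as Dmitri suggested for the DIT, so the code itself does not encrypt it.

```python
"""
Offline credential cache for a laptop application (constructed example).

Design points it demonstrates:
  * only the authenticated user's own object is cached, never the directory;
  * the password is never written to disk, only a per-user salted PBKDF2
    verifier, so a thief who reads the cache still has to guess per user;
  * a stale cache is refused, forcing an online logon so central changes
    (disabled account, new password) eventually win.
"""
import hashlib
import hmac
import json
import os
import tempfile
import time

PBKDF2_ITERATIONS = 200_000      # assumption: slow enough to make offline guessing expensive
MAX_OFFLINE_AGE = 7 * 24 * 3600  # assumption: refuse cached logons older than one week

# Constructed stand-in for the central ADAM instance: username -> (password, attributes).
CENTRAL_DIRECTORY = {
    "alice": ("correct horse battery staple",
              {"dn": "CN=alice,OU=Users,O=App", "roles": ["sales"]}),
}


def central_authenticate(username, password):
    """Simulates an LDAP bind against the central directory.
    Returns the user's attributes on success, None on failure."""
    entry = CENTRAL_DIRECTORY.get(username)
    if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
        return None
    return entry[1]


class OfflineCredentialCache:
    """One cache per laptop.  `path=None` keeps it in memory only; otherwise the
    JSON file is assumed to sit on an EFS-protected directory."""

    def __init__(self, path=None):
        self.path = path
        self.entries = {}
        if path is not None and os.path.exists(path):
            with open(path) as fh:
                self.entries = json.load(fh)

    def _save(self):
        if self.path is not None:
            with open(self.path, "w") as fh:
                json.dump(self.entries, fh)

    def refresh(self, username, password, attributes, now=None):
        """Called after a successful online bind: store a fresh salt, the PBKDF2
        verifier and a copy of the user's own object.  The password is not stored."""
        salt = os.urandom(16)
        verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self.entries[username] = {
            "salt": salt.hex(),
            "verifier": verifier.hex(),
            "cached_at": now if now is not None else time.time(),
            "attributes": attributes,
        }
        self._save()

    def verify(self, username, password, now=None):
        """Offline logon: returns the cached attributes, or None if the user is
        not cached, the cache is stale, or the password does not match."""
        entry = self.entries.get(username)
        if entry is None:
            return None
        now = now if now is not None else time.time()
        if now - entry["cached_at"] > MAX_OFFLINE_AGE:
            return None  # stale: force the user back online
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        bytes.fromhex(entry["salt"]), PBKDF2_ITERATIONS)
        if not hmac.compare_digest(candidate, bytes.fromhex(entry["verifier"])):
            return None
        return entry["attributes"]


def logon(cache, username, password, online, now=None):
    """Application logon.  Online: bind centrally and refresh the cache on success.
    Offline: consult the cache only.  Returns the user's attributes or None."""
    if online:
        attrs = central_authenticate(username, password)
        if attrs is not None:
            cache.refresh(username, password, attrs, now=now)
        return attrs
    return cache.verify(username, password, now=now)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        cache = OfflineCredentialCache(os.path.join(d, "cache.json"))
        print("online :", logon(cache, "alice", "correct horse battery staple", online=True))
        print("offline:", logon(cache, "alice", "correct horse battery staple", online=False))
        print("wrong  :", logon(cache, "alice", "guess", online=False))
```

Whether the machine is online is left to the caller (Idan's `WSAIoctl` snippet above is one way to decide that on Windows); the cache never grows beyond the users who have actually logged on from that laptop, which is the limited-blast-radius property the post argues for over replicating a whole ADAM instance.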