RE: Active Directory network security

From: J. . (bugtraqlist@hotmail.com)
Date: 11/12/02 

From: "J. ." <bugtraqlist@hotmail.com>
To: focus-ms@securityfocus.com
Date: Tue, 12 Nov 2002 17:16:38 +0000

>Does anyone have any experience of such a situation?
I am currently in the exact same situation in a migration project at our
organization.

>Is it as bad as I fear, or is Microsoft A/D secure?
AD's group policies can be used to keep AD itself pretty secure, but opening
up your firewalls or removing them can open up a whole slew of network based
attacks (that don't depend on AD) between areas of your organization that
were not possible while the firewalls were in place. For example, every
member of an AD domain following all the rules and policies can be locked
down tightly for security within AD, but a rogue laptop that is not a domain
member can now run a penetration test against any IP address on your network
if there are no firewalls.

>Are there are documented cases of this type of migration going wrong >due
>to security being overlooked?
Check out this article:
http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/addeladmin.asp

When Microsoft first touted Active Directory they pushed for a Single Forest
design with multiple domains for each business unit. These domains were
originally portrayed as security barriers within the forest. The above
article shows that domains should _not_ be considered security barriers, and
the forest is actually the security barrier. This pushes us back to an NT4
style with separate silo's of security. Domains in Active Directory are
administrative boundaries, not security boundaries.

(MS will want you to create multiple forests for security reasons and then
talk about their new "Federated Forest" prodocts coming out and about how
.NET will support kerberos trusts between forests)

After conversations with Microsoft, our organization and Microsoft both
agreed that multiple domains within a Forest are possible only if _all_
domain administrators in every domain are completely trusted among each
other. The fact (stated in the paper) is that a domain admin in domain A
can overcome AD security to affect domain B, or any other domain in the
forest for that matter. This is why trusting the domain admins is such a
concern in deploying Active Directory.

The other big issue is physical security of the Domain Controllers - an
offline modification of the forest schema (this is stored on all DC's) can
be uploaded into the distributed AD forest once the DC is back online. This
means if you have a remote office DC with no physical security, a hacker on
site modifying the schema can then "own" your entire forest.

For recommendations to make a secure deployment... If you haven't already,
use group policies like crazy. Use baseline server policies and then
special application policies to slap on top of those baseline policies.
(Example: apply baseline policy, then apply IIS policy on IIS servers)
Desktops need good regulation of group policies as well. The NSA's
documentation of group policies and recommended settings is a good place to
start. Not all of it will work in your environment, but it's great info.
Auditing is also very important - audit changes in domain admin groups,
Domain Controller downtime, etc... Audit everything that is potentially a
security concern in AD.

>For example, could a compromised workstation in a remote site affect >the
>workstations or servers in another domain?
For limiting the exposure of a compromised PC to affect other PC's, we also
set the group policy setting to only allow our Desktop Admin group and
Domain Admin group to connect to the PC's over the network. This way if all
PC's have the same admin account since they are all imaged, a user could not
crack the password and use that account to "hack" into every PC on your
network. This also stops unwanted file sharing between PC's and keeps their
work data on the servers so they can be backed up nightly.

I hope this helps,

-Jared

_________________________________________________________________
STOP MORE SPAM with the new MSN 8 and get 2 months FREE*
http://join.msn.com/?page=features/junkmail

Relevant Pages

  • Re: Are Domains True Security Boundaries?
    ... The ONLY true bondary of security is the Forest. ... So if you do not trust a group of "domain admin" who for whatever reason you ... > We feel that adding a second domain and giving untrusted domain admin ...
    (microsoft.public.windows.server.active_directory)
  • Re: Configure an Empty Root in Active Directory
    ... > an empty root domain would not offer any security benefit because if the ... > root domain in the forest has been compromised, ... Also there are ways that a skilled malicious domain admin in any ... > To protect your domain it would be good to read the Windows 2003 Server ...
    (microsoft.public.windows.server.security)
  • RE: Active Directory network security
    ... In fact the only true security boundary in AD is a forest. ... Domain Admins must be fully trusted. ... use group policies like crazy. ...
    (Focus-Microsoft)
  • Re: Are Domains True Security Boundaries?
    ... Can anyone give me a solid concrete example of what a domain admin could do ... > A Domain is a boundary of security policy only. ... > The ONLY true bondary of security is the Forest. ... >> We feel that adding a second domain and giving untrusted domain admin ...
    (microsoft.public.windows.server.active_directory)
  • Re: Site or Domain
    ... Domain aren't security Boundaries, ... forest, and they are not themselves the ultimate security boundary. ... Each Active Directory domain is authoritative for the ... Domain controller hardware and security facilities Each Windows Server ...
    (microsoft.public.windows.server.active_directory)