Re: Share Point?

From: Bronek Kozicki (
Date: 05/10/03

    To: "Matt Andreko" <>, "'Roberts Phillip (IBM)'" <>, "'Derek Schaible'" <>, <>
    Date: Sat, 10 May 2003 12:22:11 +0200

    Matt Andreko <> wrote:
    > Going with that, do you really want your anonymous users visiting your
    > domain controller? If the machine gets compromised, the user has domain
    > privileges. This negates all the security, unless it's a domain
    > controller for a domain with 0 clients.

    If AD is being used only locally by the IIS server, is not connected to any
    other computer (nor used by internal services or anything inside or
    outside the DMZ, nor connected to some domain tree), then LocalSystem
    privileges can't be propagated to other computers. In such a situation
    there's no difference between a compromised AD and a compromised SAM.
    Moreover, AD delivers some mechanics which can lower the risk of machine
    compromise (GPO, Kerberos authentication etc.). I know it sounds
    strange, but if the IIS server is logically isolated from the outside world
    (including other servers in the DMZ) I DO recommend setting up AD on it.
    LocalRoot compromise cannot do more harm (compared to the situation when
    the server has SAM only) because it's used only locally on this computer,
    but can be better prevented. Of course in a perfect world you would have
    separate IIS (maybe a load balancing cluster) and AD controller(s), all in
    the DMZ.

