RE: Windows 2000 password policy

From: Jim Barrett (jimb_at_ins.com)
Date: 06/24/03

    To: "'David Stevens'" <dstevens@andrew.cmu.edu>, <focus-ms@securityfocus.com>
    Date: Tue, 24 Jun 2003 11:17:55 -0400
    
    

    Well that depends on whether you are talking Microsoft pre-W2K3 or post
    W2K3.

    If you look at MS's documentation for W2K, the domain was the security
    boundary. It only got called into question about a year or so ago when
    the inter-domain trust and privilege escalation issues came into view.

    I agree that from what we know now, the true security boundary for W2K
    and W2K3 is the Forest; however, in the context of the question,
    password policy is set at the domain level, not the forest level, and
    therefore, my answer in context was correct.

    Or did you just mean to nit-pick?

    Jim Barrett, MCSE, CISSA, CISSP, CCNP
    Principal Consultant
    International Network Services
    Boston, MA

    -----Original Message-----
    From: David Stevens [mailto:dstevens@andrew.cmu.edu]
    Sent: Tuesday, June 24, 2003 8:06 AM
    To: focus-ms@securityfocus.com
    Subject: RE: Windows 2000 password policy

    --On Monday, June 23, 2003 4:59 PM -0400 you wrote Jim Barrett
    <jimb@ins.com> wrote:

    > Nope. You can't get there from here as the saying goes. This is
    > because Windows 2000 had to maintain backward compatibility with NT
    > 4.0, and in NT 4, the Domain was the security boundary. Same is true
    > with W2k/W2k3.

    errr. Correction. The forest is the security boundary in Win2k/Win2k3.

    Dave Stevens
    Carnegie Mellon University
