Re: If you hack a server joined to domain, how much info can you get ?

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 08/16/05


Date: Tue, 16 Aug 2005 12:31:28 -0500

It depends. Some create a separate forest in the dmz and then create a one
way trust to the internal network where the internal network is the trusted
domain.

Keep in mind that potentially the only thing keeping anyone from owning a
domain is the password of a domain admin. Having said that there are things
you can do to mitigate the risk of a domain computer being compromised to
escalating damage in the domain. The first is to make sure that domain users
are forced to use strong passwords. Weak passwords are still the biggest
single threat to any network. Require that any domain administrator uses a
smart card logon and their user account requires a smart card logon which
can increase security immensely. Then train domain administrators to NEVER
user there domain administrator credentials on any domain
workstations/server other than those that are known to be secure such as a
physically secured admin workstation. The risk is that a compromised domain
computer could easily use those domain administrator credentials to own the
domain. Never use a privileged domain account for a service on a domain
computer such as you describe. Frequently audit the membership of the
various administrator groups for the domain and consider using Restricted
Groups to enforce membership of those groups.

Consider using ipsec in your domain. For instance you could put a server in
an OU that does not have any ipsec policy for it or only for specific
computers. Then sensitive servers that should never be accessed by that
server [other than domain controllers] could have a require ipsec policy
configured with an ipsec policy that is not compatible with the server in
the OU. Ipsec is somewhat complicated and should not be implemented without
thorough testing to prevent domain crashing and the link below is a great
read on using ipsec. Of course all other security best practices such as
patch maintenance and disabling unneeded services need to be followed. In my
opinion using security best practices AND maintaining them you can minimize
the chance of a compromised domain computer from escalating itself within
the domain which usually happens because of sloppy security practices. I
often here those that boast that give them access to a domain computer and
they will own your domain in a few hours. When I ask them to detail how with
specifics they never reply however. --- Steve

http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/ipsecch1.mspx
 --- ipsec domain isolation

"Marlon Brown" <nomail@brown.com> wrote in message
news:Oi0pCknoFHA.2904@tk2msftngp13.phx.gbl...
> Imagine I have a server in the "DMZ" that is joined to the domain. Then
> such server gets compromised. How much damage will the attacker make on
> this computer due to the fact that this is a machine joined to the domain
> ?
> In my view, I thought that placing servers in a "workgroup" in the DMZ
> would make sense, but any server that is joined to the domain in the DMZ
> could expose more information, and therefore should be kept "inside" the
> network. Please advise if you can.
>



Relevant Pages

  • Re: SBS Server keeps shutting down
    ... as we have had a few power cuts recently and the server kept chugging along. ... I have no idea what IPSec is ... multiple reboot mentioned above and some other troubleshooting steps ...
    (microsoft.public.windows.server.sbs)
  • Re: L2TP/IPSec Verbindung läuft mit XP SP2 nicht mehr
    ... In XPSP2 the IPsec driver needs a registry setting when either the ... server or workstation are behind a NAT gateway. ... 1- Client initiates to a server that is behind the NAT ... > Peer Private Addr ...
    (microsoft.public.de.german.windowsxp.networking)
  • Re: Should I install Certificate Authority to solve these problems ?
    ... You can use IPsec with or without certs from your PKI. ... negotiations to your AD machines or those trusting the ... > In the item 1 below, the tool in use is a HP server management tool (type ... >>> Management is pushing to get Certificate Authority ...
    (microsoft.public.win2000.security)
  • Re: Still having firewall issues
    ... Microsoft CSS Online Newsgroup Support ... How many subnets are in your SBS internal network? ... |> 4) Click Add Adapter and then select Server Local Area Connection. ... |> to the same internal default gateway address as the ISA Server computer. ...
    (microsoft.public.windows.server.sbs)
  • Re: SP1 install and win2k3 server 2003
    ... server what other programs/drivers are loaded if AV was or not installed on ... I'm not going to install SP1 again until I know what went wong, ... IpSec are not blocking the system connetivity. ...
    (microsoft.public.windows.server.general)