Re: If you hack a server joined to domain, how much info can you get ?

From: Steven L Umbach (
Date: 08/16/05

Date: Tue, 16 Aug 2005 12:31:28 -0500

It depends. Some create a separate forest in the dmz and then create a one
way trust to the internal network where the internal network is the trusted

Keep in mind that potentially the only thing keeping anyone from owning a
domain is the password of a domain admin. Having said that there are things
you can do to mitigate the risk of a domain computer being compromised to
escalating damage in the domain. The first is to make sure that domain users
are forced to use strong passwords. Weak passwords are still the biggest
single threat to any network. Require that any domain administrator uses a
smart card logon and that their user account requires a smart card logon, which
can increase security immensely. Then train domain administrators to NEVER
use their domain administrator credentials on any domain
workstations/servers other than those that are known to be secure, such as a
physically secured admin workstation. The risk is that a compromised domain
computer could easily use those domain administrator credentials to own the
domain. Never use a privileged domain account for a service on a domain
computer such as you describe. Frequently audit the membership of the
various administrator groups for the domain and consider using Restricted
Groups to enforce membership of those groups.

Consider using ipsec in your domain. For instance you could put a server in
an OU that does not have any ipsec policy for it or only for specific
computers. Then sensitive servers that should never be accessed by that
server [other than domain controllers] could have a require ipsec policy
configured with an ipsec policy that is not compatible with the server in
the OU. Ipsec is somewhat complicated and should not be implemented without
thorough testing to prevent domain crashing and the link below is a great
read on using ipsec. Of course all other security best practices such as
patch maintenance and disabling unneeded services need to be followed. In my
opinion using security best practices AND maintaining them you can minimize
the chance of a compromised domain computer from escalating itself within
the domain, which usually happens because of sloppy security practices. I
often hear those who boast that, given access to a domain computer, they
will own your domain in a few hours. When I ask them to detail how, with
specifics, they never reply however. --- Steve
--- ipsec domain isolation

"Marlon Brown" <> wrote in message
> Imagine I have a server in the "DMZ" that is joined to the domain. Then
> such server gets compromised. How much damage will the attacker make on
> this computer due to the fact that this is a machine joined to the domain
> ?
> In my view, I thought that placing servers in a "workgroup" in the DMZ
> would make sense, but any server that is joined to the domain in the DMZ
> could expose more information, and therefore should be kept "inside" the
> network. Please advise if you can.
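Steve's advice boils down to a few checks a domain administrator can run on a schedule: who is actually in the privileged groups (including nested membership), whether those accounts are forced to use smart card logon, and whether any of them is doubling as a service account. The script below is an added example written for this thread, not code from either poster. It assumes the ActiveDirectory PowerShell module (RSAT) and an account that can read the directory; the function name Get-PrivilegedGroupAudit and the default group list are this example's own choices, the group names being the well-known built-in ones.

```powershell
# Added example (not from the original thread): audit the membership of the
# privileged AD groups Steve mentions and flag accounts that contradict his
# recommendations (no smart card requirement, used as a service account, etc.).
# Assumes the ActiveDirectory module from RSAT and read access to the directory.
Import-Module ActiveDirectory

function Get-PrivilegedGroupAudit {
    param(
        # Hypothetical default list; extend it with any custom admin groups you use.
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                              'Administrators', 'Account Operators', 'Server Operators',
                              'Backup Operators')
    )

    # Attributes that decide the findings below.
    $props = 'SmartcardLogonRequired', 'ServicePrincipalName', 'PasswordNotRequired',
             'PasswordNeverExpires', 'LastLogonDate', 'Enabled'

    foreach ($groupName in $Groups) {
        try {
            # -Recursive expands nested groups so indirect members are not missed.
            $members = Get-ADGroupMember -Identity $groupName -Recursive -ErrorAction Stop
        } catch {
            Write-Warning "Could not enumerate '$groupName': $($_.Exception.Message)"
            continue
        }

        foreach ($member in $members) {
            # Computers and groups are skipped; only user accounts hold logon credentials.
            if ($member.objectClass -ne 'user') { continue }

            $user = Get-ADUser -Identity $member.distinguishedName -Properties $props

            $findings = @()
            if (-not $user.SmartcardLogonRequired)    { $findings += 'no smart card requirement' }
            if ($user.ServicePrincipalName.Count -gt 0) { $findings += 'has SPN (used as a service account)' }
            if ($user.PasswordNotRequired)            { $findings += 'password not required' }
            if ($user.PasswordNeverExpires)           { $findings += 'password never expires' }
            if (-not $user.Enabled)                   { $findings += 'disabled but still a member' }

            [PSCustomObject]@{
                Group          = $groupName
                SamAccountName = $user.SamAccountName
                LastLogonDate  = $user.LastLogonDate
                Findings       = ($findings -join '; ')
            }
        }
    }
}

# Usage: show only the members with at least one finding. Run the function
# without the filter to get the full membership list to compare against the
# Restricted Groups policy you expect to be enforcing.
Get-PrivilegedGroupAudit | Where-Object { $_.Findings } |
    Sort-Object Group, SamAccountName | Format-Table -AutoSize
```

An account with an SPN in one of these groups is exactly the case Steve warns about (a privileged domain account running a service on a domain member), and a member without SmartcardLogonRequired is one whose password alone still protects the domain. Running this periodically and diffing the output against the previous run is a cheap way to do the membership audit he recommends.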

