Re: Escalate privileges possible on DC?

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 05/08/04


Date: Sat, 08 May 2004 01:11:00 GMT

In a forest there are transitive trusts between all the domains. However, just because
someone has access to a domain controller in a domain does not mean they can
compromise another domain UNLESS it is the root domain, which is where the enterprise
admins group is. What makes the root domain special is that it contains the
enterprise admins group, which is in the administrators group of every domain in the
forest. Of course anyone gaining access to a domain controller can compromise the
domain for that domain controller, and possibly other domains if the domain they
compromise has users that have administrative powers in other domains.

One strategy if an organization wants to keep a single forest is to use an empty root
domain that only contains the administrator, which would also be a member of the
enterprise administrators group. That domain's domain controllers would need to then be very
secure physically, and only a few key people would know the password, keeping it secure
in a safe. --- Steve

http://www.winnetmag.com/Article/ArticleID/23521/23521.html --- empty root domain.

"John Howard" <anonymous@discussions.microsoft.com> wrote in message
news:9D63EDEA-3CD7-4907-A48E-FA288205DEB8@microsoft.com...
> We currently have about 200 domains in a single forest. This spans about 100
> countries.
> One of our concerns with this design is that an administrator in one domain can
> gain access to other domains (gaining enterprise admin rights). As far as I
> understand it, local system, local administrators, and any domain account with server
> operator privileges can do this if they have access to a DC.
>
> First off, is it true that this attack is possible?
> Secondly, what are you experiences with other setups (multiple forests, a single,
> large domain etc.)?
>
> TIA,
>
> - JH
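The pivot path Steve describes (a domain compromised through one of its DCs, then used against any other domain where that domain's accounts hold admin rights) can be audited rather than guessed at. The following PowerShell is an added example, not code from the thread or from Microsoft: it walks every domain in the forest, reads the built-in Administrators group, and flags any member whose distinguished name belongs to a different domain. Within a single forest the only cross-domain entry that should appear is Enterprise Admins from the root domain; anything else is a cross-domain admin path worth reviewing. It also lists Enterprise Admins membership so an "empty root" design (one administrator account) can be verified. It assumes the ActiveDirectory RSAT module is installed and the caller can read group membership in every domain; the helper name `Get-DomainFromDN` is this example's own.

```powershell
# Added example (not from the original thread): audit which principals from
# OTHER domains sit in each domain's built-in Administrators group, and list
# who is in Enterprise Admins. Assumes the ActiveDirectory RSAT module and
# read access to group membership in every domain of the forest.
Import-Module ActiveDirectory

function Get-DomainFromDN {
    param([string]$DistinguishedName)
    # Collapse the DC= components of a DN into the domain's DNS name.
    # The split ignores escaped commas (\,) so CNs containing commas survive.
    $parts = $DistinguishedName -split '(?<!\\),' | Where-Object { $_ -like 'DC=*' }
    return (($parts -replace '^DC=', '') -join '.').ToLower()
}

$forest     = Get-ADForest
$rootDomain = $forest.RootDomain.ToLower()
$findings   = @()

foreach ($domain in $forest.Domains) {
    # Locate a DC for this domain so the query is answered locally
    $dc = (Get-ADDomainController -DomainName $domain -Discover).HostName[0]

    # S-1-5-32-544 is the well-known SID of the built-in Administrators group
    $admins = Get-ADGroup -Identity 'S-1-5-32-544' -Server $dc -Properties member

    foreach ($memberDn in $admins.member) {
        $memberDomain = Get-DomainFromDN $memberDn
        if ($memberDomain -ne $domain.ToLower()) {
            # Enterprise Admins from the forest root is expected in every domain;
            # any other cross-domain member is a path from one domain into another.
            $isEnterpriseAdmins = ($memberDomain -eq $rootDomain) -and
                                  ($memberDn -like 'CN=Enterprise Admins,*')
            $findings += [pscustomobject]@{
                Domain       = $domain
                Member       = $memberDn
                MemberDomain = $memberDomain
                Expected     = $isEnterpriseAdmins
            }
        }
    }
}

"Cross-domain members of Administrators (Expected = False needs review):"
$findings | Sort-Object Domain, Expected | Format-Table -AutoSize

# For an empty-root design this list should contain only the root
# domain's single administrator account.
"Enterprise Admins members in $rootDomain:"
Get-ADGroupMember -Identity 'Enterprise Admins' -Server $rootDomain |
    Select-Object name, objectClass, distinguishedName | Format-Table -AutoSize
```

Run it from a domain-joined workstation with an account that can read group membership forest-wide. The Administrators group is read by well-known SID rather than by name so the query works regardless of the display language of the target domain, and membership is read directly from the `member` attribute because `Get-ADGroupMember -Recursive` can fail on domain local groups that contain principals from other domains.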
