Re: Is it possible to prevent ownership replacing in a forest?

From: Miha Pihler [MVP] (mihap-news_at_atlantis.si)
Date: 01/13/05


Date: Thu, 13 Jan 2005 11:31:36 +0100


>> There are quite a few attacks
>> against the forest possible if users have physical access to domain
>> controllers, even if these domain controllers are only for a child domain.
>> If
>> these users are also (child) domain administrators, these attacks can be
>> carried out in an even simpler manner. A child domain administrator could take
>> ownership of the forest...
> Could you outline how it could be done? My personal mail is
> gera@lukrecija.lt
> Is it a regular way using standard tools or some type of hacking,
> manipulating
> SID history and the like?

As you mention SID history, it is one of the easiest ways to become an
Enterprise Administrator. There are tools available that will do most of
the work for you. All you need to do is reboot the server (which would
usually require physical access to the server. It is also possible to do
this over an IP switch (KVM over IP) even if you don't have physical access...)

So, a few things to consider when planning your domain/forest:
* Physical security of the servers (also protection of the boot sequence, ...).
* If you need high(er) security of your environment (and you can't trust
your administrators), think about multiple forests and trusts between the
forests.

Using Security Identifier (SID) Filtering to Prevent Elevation of Privilege
Attacks
http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp

-- 
Mike
Microsoft MVP - Windows Security 
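The two checks a defender would run after reading the reply above, as an added example that is not part of the original post or of any Microsoft tool: first, find accounts anywhere in the forest whose sIDHistory carries a SID from the forest root domain or a privileged RID (the injection the post alludes to), and second, list trusts whose SID filtering has been left off or weakened. It assumes the RSAT ActiveDirectory module and read access to every domain; the list of RIDs to flag is a constructed choice.

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory
# module; run from an account that can read sIDHistory in every domain.
Import-Module ActiveDirectory

# Constructed list of RIDs whose presence in any sIDHistory deserves a look:
# 500 = Administrator, 512 = Domain Admins, 518 = Schema Admins, 519 = Enterprise Admins
$FlagRids = @('500', '512', '518', '519')

$forest  = Get-ADForest
$rootSid = (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value

# --- Check 1: injected SID history -------------------------------------------
# A child-domain principal carrying the root domain's Enterprise Admins SID in
# sIDHistory is authorised as an enterprise admin everywhere in the forest.
$findings = foreach ($domain in $forest.Domains) {
    $dc = (Get-ADDomainController -DomainName $domain -Discover).HostName[0]
    Get-ADObject -Server $dc -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
        ForEach-Object {
            $obj = $_
            foreach ($entry in $obj.sIDHistory) {
                # sIDHistory may come back as SecurityIdentifier objects or raw bytes
                $sid = if ($entry -is [byte[]]) {
                    (New-Object System.Security.Principal.SecurityIdentifier($entry, 0)).Value
                } else { $entry.Value }
                $rid = $sid.Split('-')[-1]
                $fromRoot = $sid.StartsWith("$rootSid-")
                if ($fromRoot -or ($FlagRids -contains $rid)) {
                    [pscustomobject]@{
                        Domain     = $domain
                        Object     = $obj.DistinguishedName
                        HistorySid = $sid
                        Reason     = if ($fromRoot) { 'SID from forest root domain' } else { "privileged RID $rid" }
                    }
                }
            }
        }
}
$findings | Format-Table -AutoSize

# --- Check 2: trusts without effective SID filtering --------------------------
# trustAttributes bits: 0x4 = QUARANTINED_DOMAIN (SID filtering on an external
# trust), 0x40 = TREAT_AS_EXTERNAL (forest trust with SID history enabled,
# i.e. filtering weakened by "netdom trust ... /enablesidhistory:yes").
Get-ADTrust -Filter * | ForEach-Object {
    $attrs = $_.TrustAttributes
    $issue = if ($_.ForestTransitive) {
        if ($attrs -band 0x40) { 'forest trust: SID history enabled (filtering weakened)' }
    } else {
        if (-not ($attrs -band 0x4)) { 'external trust: SID filtering (quarantine) not set' }
    }
    if ($issue) {
        [pscustomobject]@{ Trust = $_.Name; Direction = $_.Direction; Issue = $issue }
    }
}

# Remediation (real netdom syntax, run on a DC of the trusting domain):
#   netdom trust <TrustingDomain> /domain:<TrustedDomain> /quarantine:yes
#   netdom trust <TrustingForestRoot> /domain:<TrustedForestRoot> /enablesidhistory:no
```

Check 2 only covers trusts to other domains and forests: SID filtering cannot be applied between domains of the same forest, which is exactly why the reply recommends separate forests, with trusts between them, when the child domain's administrators cannot be trusted. Check 1 is the detection that remains available inside a single forest; any hit there should be treated as a possible compromise of the root domain rather than a migration leftover until proven otherwise.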

