Re: DC Admin question
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Sat, 20 Jan 2007 15:33:41 -0700
I think we are standing on the same hill.
Per the original post, I am still with, it is all in the "etc".
Centrally define the shares and allow mgmt of their content
via mapping, place the print queues on a workstation, and
hope to find ways to address each other "etc".
Roger
"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message
news:Oo8PKXNPHHA.4368@xxxxxxxxxxxxxxxxxxxxxxx
It is just this part on which I am presently withholding judgement
Yep, until we get it out in the real wild and people get to really beat
against it, who knows where we will go. Though from my talks with the DS
guys, I think they are doing a bang up job to plug the holes. The only
thing (outside of the previously mentioned poor secret caching policy) I
could think of right now that could possible cause an issue from an RODC
would be if the person already had access to the directory and could find
some way to force the replication. Obviously if they have that, they don't
need the RODC at all.
I have nowhere advised poster to give the local tech anything
other than a domain user account, but to find ways to let that
do with the remote office needs.
Understood, but I think even granting local logon is going too far. There
are exploits that have come out that simply required local interactive
access to allow for escalation and in addition, not everyone is very good
at locking machines down against local access. The security model really
is based on the non-trusted folks being on the outside of the box tapping
against network interfaces, not the inside.
If someone needed to manage file shares, I would say, there are these X
shares on the server. You don't get to manage those, but I will let you
manage the NTFS perms under that, but you do it through the shares.
Printers would be right out, wouldn't let them get near it. Not just from
the obvious security issues of allowing someone to install a kernel level
component but just from the fact that printers can be quite unstable
resources, I would be very careful what printers get put on DCs, actually
I would prefer no printers on DCs nor even queues, today's corporate
printers don't need them, they can do most all of that internal. Every
externally available handle on a DC I can kill I kill as every single one
is a possible vector for attack.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Roger Abell [MVP] wrote:
"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message
news:eNMYXuMPHHA.1248@xxxxxxxxxxxxxxxxxxxxxxx
Personally, I think there is a middle ground between the "if theySure there is for people, but likely the person you aren't giving the
are evil and if they are not". If they are well intended, and
would not elevate themselves, then they may be careful or
wreckless as far as exercise of administrative empowerment.
enhanced rights to is for some, likely good, reason. Maybe that person
isn't evil intending but just a little sloppy and maybe runs something
that is evil intending and/or far more informed about how Windows works
than the person running the app. Maybe that person gets pushed over the
edge and does evil things. I don't think anyone is positively evil and
anyone is positively good, they are a mixture with the part showing that
reflects their current mood and circumstances. Even god fearing fathers
of 8 angelic children can be pushed into doing things truly bad by
circumstances. This is something that needs to be taken into account
when offering up any forms of trust. Much better to disallow someone
from having any ability to harm you than trust that they won't.
True enough for a human factors analysis.
I was also trying to move toward ways to meet the use cases
of the poster without having to deal with giving out admin, which
actually was the middle ground I was meaning here, alternative
solutions to the unacceptible obvious one of giving admin.
Giving someone local logon to a DC or any server opens up far more
vectors for attack. The Microsoft security model prior to Vista is such
that if you are on the console, you are pretty highly trusted. I.E. I
have let you into my house and most doors in the house aren't as well
locked as the door to get into the house. Of course MSFT has another
level of insecurity in terms of if you can stand in the same room with a
machine and can work on it unhindered you can own it as well. There is
really nothing realistic you can do about that at the moment, hopefully
Bitlocker will help there in Longhorn so right now it is a risk with any
DC in an unsecured location and by unsecured I mean in a location which
is accessible to someone who isn't fully trusted end to end with the
machine. Still that is more acceptable to me as a risk than giving
someone local logon rights. There is no chance for accidental compromise
if a box is simply physically in the same room as you, someone must take
proactive purposeful steps to initiate the compromise which is much
easier to prove.
Not really. The read-only DC will just protect AD.Correct, it is to protect AD but that is the primary issue with the DCs
people want to delegate rights off too... AD is at risk. The RODC will
protect the forest in that you can assign admin rights to a single DC
and theoretically, for now, there is no way to do anything on that one
DC to escalate yourself further into the forest. Obviously you will be
able to do anything you want to the DIT on that specific DC and anyone
in that site using that DC will be at risk. This is far better than what
we have now. Now admins will have the option of putting themselves at
risk with how they manage the secret caching policy like for instance if
they say, yeah, cache admin passwords on DCs, then someone who is made
an admin of that DC will be able to retrieve the hash and go from there.
It is just this part on which I am presently withholding judgement
and theoretically, for now, there is no way to do anything on that oneas it is quite difficult to see a waterproof block on getting system.
DC to escalate yourself further into the forest.
If I am responsible for a forest, there is nothing that could get me to
give rights to a non-DA for DCs, that would be a quitting offense for
me. I would assume the work load and most likely automate it or set it
up to work through some web based proxy admin tool that I bought or
wrote. I have done that in the past, it makes for more initial work for
me up front but down the road things are much more secure and my life is
much easier because I don't have questions or confusion or doubt in my
mind about what might or could have happened when something goes pear
shaped. The current consequences of giving folks enhanced rights on DCs
who aren't actually responsible for the forest as a whole is too high
with the current security model for my tastes.
Sure Joe - but just stating to poster that they have no solution,
which is true when considering only achieving their deployment
objective (manage shares on DCs, install printers on DCs), is
not looking at the use case needs and alternative fulfillments.
I have nowhere advised poster to give the local tech anything
other than a domain user account, but to find ways to let that
do with the remote office needs.
Roger
.
- References:
- DC Admin question
- From: jim
- Re: DC Admin question
- From: Roger Abell [MVP]
- Re: DC Admin question
- From: Jesper
- Re: DC Admin question
- From: Roger Abell [MVP]
- Re: DC Admin question
- From: Joe Richards [MVP]
- Re: DC Admin question
- From: Roger Abell [MVP]
- Re: DC Admin question
- From: Joe Richards [MVP]
- DC Admin question
- Prev by Date: Re: DC Admin question
- Next by Date: Re: Domain Local Security vs Global Security vs Universal Security Groups
- Previous by thread: Re: DC Admin question
- Next by thread: IAS EAP - TLS Policies question
- Index(es):
Relevant Pages
|
|
