Re: Server 2008 Domains - Security issue



Svyatoslav,

Thanks for replying. I fully understand what you are saying. Best practice
for us will be to ALWAYS use BitLocker on every server.

Just some things worth noting though. The existing 2003 "recovery" technique
you pointed out is substantially more difficult to perform. Secondly, with
the 2003 technique you cannot create secret accounts or elevate an account
without leaving a tell. That being the reset of the Administrator's
password. So the tell for a network admin is that he is not able to log on.

The "modification" I have blogged is way easier to do and allows you to do
things that could be very hard to spot. Access rights to OUs or computers
etc.

All the same, I think that the ability to launch a SYSTEM level process as
an anonymous user is bad form.

Thanks for the feedback though.

Dean


"S. Pidgorny <MVP>" <slavickp@xxxxxxxxx> wrote in message
news:u3AJ%23vhbIHA.4180@xxxxxxxxxxxxxxxxxxxxxxx
Yes, you can compromise a Windows 2008 domain if you have physical access to
the DC. The mitigation is using BitLocker, included in all versions,
except for Web.

I must admit, this is a nice document with pictures and 2008-tailored
approach. The thing is, Windows 2000 and 2003 domain controllers can also
be compromised using bootable media (you change domain services restore
mode password, and you go from there - see
http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm).
So no news there.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Dean Brighton" <dean.brighton(AT)@didata.com.au> wrote in message
news:%23q6NG$bbIHA.4712@xxxxxxxxxxxxxxxxxxxxxxx
Hello,

With any luck, the people who hang around in this security group will
know the significance of being able to take over an entire Server 2008
domain, from any domain controller on the network? No need for passwords,
no need for special tools or code.

Have a look at this.
http://labcontrol.blogspot.com/2008/02/this-post-is-purely-for-information.html

And please do NOT post that you could use PE to gain access to the local
server data. Everyone knows that. The significance here is being able to
compromise an entire Server 2008 Domain.

Dean
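The thread's conclusion is that every DC should be running BitLocker and that a DSRM password reset from bootable media is the classic 2003-era route in. The following PowerShell is an added example, not code from any poster or from the linked blog: it inventories BitLocker protection on every domain controller (via the Win32_EncryptableVolume WMI class, present since Server 2008) and pulls Security log event 4794, which Server 2008 writes when the Directory Services Restore Mode administrator password is set. It assumes you run it as a domain admin with remote WMI and event-log access to each DC; the function names are my own.

```powershell
# Added example (not from the thread). Run as a domain admin from a domain-joined host.
# Assumes remote WMI and remote event-log access to each domain controller.

function Get-DcBitLockerStatus {
    # Enumerate DCs from the current domain rather than from a hand-maintained list,
    # so a newly promoted DC that was never encrypted still shows up.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($dc in $domain.DomainControllers) {
        $vols = Get-WmiObject -ComputerName $dc.Name `
            -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
            -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue
        if (-not $vols) {
            # No class instances usually means BitLocker is not installed/enabled at all.
            New-Object PSObject -Property @{
                DC = $dc.Name; Volume = '(none)'; Protection = 'NoBitLockerVolumes'
            }
            continue
        }
        foreach ($v in $vols) {
            # GetProtectionStatus: 0 = protection off, 1 = on, 2 = unknown.
            $code = $v.GetProtectionStatus().ProtectionStatus
            $label = switch ($code) { 0 { 'Off' } 1 { 'On' } default { 'Unknown' } }
            New-Object PSObject -Property @{
                DC = $dc.Name; Volume = $v.DriveLetter; Protection = $label
            }
        }
    }
}

function Get-DsrmPasswordSetEvents {
    # Event 4794: "An attempt was made to set the Directory Services Restore Mode
    # administrator password" (Security log, Server 2008 and later).
    param([int]$Days = 30)
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $since  = (Get-Date).AddDays(-$Days)
    foreach ($dc in $domain.DomainControllers) {
        Get-WinEvent -ComputerName $dc.Name -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Security'; Id = 4794; StartTime = $since } |
            Select-Object @{ n = 'DC'; e = { $dc.Name } }, TimeCreated, Message
    }
}

# Anything not "On" is a DC that the thread's attack applies to.
Get-DcBitLockerStatus | Where-Object { $_.Protection -ne 'On' } | Format-Table -AutoSize
Get-DsrmPasswordSetEvents -Days 30 | Format-List
```

Note that 4794 only records a DSRM password change made through the running OS (ntdsutil and friends); a password changed offline from bootable media, as in the Petri article, leaves no such event, which is precisely why the encryption check matters more than the log check.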