Re: Active Directory security questions



You can post in the security newsgroups too, but many of us scan both.

Let me rephrase your questions/comments:

Q: What is the god security context?

A: LocalSystem. LocalSystem has more rights over the local machine than any other account.

Of the secprins you list (your 1-4 list), they have different rights at different levels. Any ONE of those groups (and also even lesser powered groups that have interactive access to DCs) can escalate to any level of permissions in a forest. The security boundary of AD is the forest, not the domain like it was in NT4.

When you say DAs have full control only because they are in #2, I assume you mean control over DCs for non-AD functions? If so, yes, DAs and EAs do not have power over the hardware; all of the permissions are delegated in the directory. This was the same as it was in NT4. In fact, the only purpose of Domain Admins in NT4 was as a group that could be placed in the builtin admin groups of member machines; otherwise the Administrator ID had full control over everything on the DC, including the SAM.

I am not sure why you are thinking you should lock down the various Admin IDs and LocalSystem. It is pointless. You protect those by not giving them out except to just a couple of people. For instance, I ran a Fortune 5 AD and we had 4 Domain/Enterprise Admins. No one else had any local or management access to the 400 DCs around the world. Site admins got very limited delegated rights on specific objects/containers.

The vast majority of services running on any machine run as LocalSystem. However, since AD runs as LocalSystem, the others don't matter. The LocalSystem account has complete and utter control over AD if someone compromises a DC. That is why you don't use DCs for a bunch of functions: you make them DCs and you don't let people mess with them. You don't let anyone but domain admins log into DCs, you don't let anyone but domain admins manage the file system or services of DCs, etc.

   joe



--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


mschunk@xxxxxxxxxxxx wrote:

I want to lock down AD, really hard...and delegate authority to a select few OUs that contain most of the users/computers/groups. (I'm growing leery of using the term "delegate authority" now that I'm understanding more about controlling security to AD objects by hand.)

What is the "godly" group/account?

1) Administrator
2) Administrators
3) Enterprise Admins
4) Domain Admins

I'm starting to think the only correct answer is #2, the "Built-in" Administrators group.

I just learned that #1 is wrong. By "default" the (local) Administrator on the DC is a member of #s 2, 3, and 4 above...and it does not HAVE to be that way.

Enterprise Admins and Domain Admins...seem to have full control only because they are members of #2.

Can anyone confirm this?

Next question...the SYSTEM account.

It looks like the NT "SYSTEM" account is getting full control, by default, of every single object created. But this permission is being applied explicitly to every single object...not by inheritance.

This bothers me! To me, this means that ANY code that is executed in the context of the SYSTEM account has full control of Active Directory. Many services running on the DC fall into this category. Or am I mistaken, and is the "local system" account so many services are running under actually something different?

Is there a better newsgroup for security-specific issues w/ AD?

Thank you for your time.

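The two points the thread turns on (Joe's, that DA/EA power lives in permissions delegated in the directory and that only a handful of people should be in the "god" groups; and the original question's observation that SYSTEM's Full Control shows up as an explicit, non-inherited ACE on each object) are both checkable from PowerShell. The audit below is an added example, not code from either poster. It assumes the ActiveDirectory module (RSAT) is installed and a domain controller is reachable; the function names, the $dangerous rights mask and the choice of target containers are my own.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT)
# and a reachable DC; run as an account that can read the domain head's ACL.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. Effective (nested) membership of the groups in the question's 1-4 list.
#    Enterprise Admins exists only in the forest root, so it is queried there.
function Get-PrivilegedGroupMembership {
    $targets = @(
        @{ Name = 'Administrators';    Server = $domain.DNSRoot    }  # BUILTIN, RID 544
        @{ Name = 'Domain Admins';     Server = $domain.DNSRoot    }
        @{ Name = 'Enterprise Admins'; Server = $forest.RootDomain }
    )
    foreach ($t in $targets) {
        try {
            $members = @(Get-ADGroupMember -Identity $t.Name -Server $t.Server -Recursive -ErrorAction Stop |
                         Select-Object -ExpandProperty SamAccountName -Unique)
            [pscustomobject]@{ Group = $t.Name; Count = $members.Count; Members = ($members -join ', ') }
        } catch {
            [pscustomobject]@{ Group = $t.Name; Count = $null; Members = "error: $($_.Exception.Message)" }
        }
    }
}

# 2. Allow ACEs granting rights that amount to full control (GenericAll, or the
#    ability to rewrite the DACL/owner) on the domain head and the Domain
#    Controllers OU, with a flag showing whether each ACE is explicit or inherited.
#    SYSTEM normally appears here as an explicit GenericAll ACE, which is the
#    behaviour the question describes.
$dangerous = [int][System.DirectoryServices.ActiveDirectoryRights]'GenericAll, WriteDacl, WriteOwner'

function Get-DangerousAces {
    param([string[]]$DistinguishedNames = @($domain.DistinguishedName, $domain.DomainControllersContainer))
    foreach ($dn in $DistinguishedNames) {
        $acl = Get-Acl -Path "AD:\$dn"   # AD: drive is created by Import-Module ActiveDirectory
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ((([int]$ace.ActiveDirectoryRights) -band $dangerous) -eq 0) { continue }
            [pscustomobject]@{
                Object    = $dn
                Owner     = $acl.Owner
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Applied   = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
                Inherits  = $ace.InheritanceType
            }
        }
    }
}

Get-PrivilegedGroupMembership | Format-Table -AutoSize
Get-DangerousAces | Sort-Object Object, Identity | Format-Table -AutoSize
```

Anything in the second listing that is not BUILTIN\Administrators, Domain Admins, Enterprise Admins or NT AUTHORITY\SYSTEM is a delegated grant worth explaining; and, as Joe's reply says, the first listing should be very short. Note that the -Recursive switch expands nested groups but not foreign security principals from trusted forests, so those show up by SID and need separate review.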


