Re: physical security


From: Mike Brannigan [MSFT] (mikebran_at_online.microsoft.com)
Date: 10/24/04


Date: Sun, 24 Oct 2004 13:10:26 +0100


"Z" <z@z.com> wrote in message
news:%23lIYsPZuEHA.1452@TK2MSFTNGP11.phx.gbl...
> Mike,
>
> The main question is: Are there tools to hack the ntds.dit? Are there
> tools which allow raw read / write of the ntds.dit? Why is it important?
> For example, if I am a hacker and I have physical access I will capture
> the incoming network traffic, even restart the DC and steal the ntds.dit, if
> no POC tools are available now. In my environment I will implement
> IPSec, so I will mitigate the risk.
>
> BTW: in Windows Server 2003 the syskey is enabled by default (method 1) if
> I remember correctly. Does it help me?
>
> Thank you for your answer,
>

As I said, it is not appropriate to discuss tools or techniques in a public
forum.
You are aware that the attack surface exists. The mitigation of this risk
does not require you to have any knowledge of the tools or techniques.
You must ensure physical security of your DCs.

-- 
Regards,
Mike
--
Mike Brannigan [Microsoft]
This posting is provided "AS IS" with no warranties, and confers no
rights
Please note I cannot respond to e-mailed questions, please use these
newsgroups
> "Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in message 
> news:ebTXb9XuEHA.2828@TK2MSFTNGP12.phx.gbl...
>> "Z" <z@hotmail.com> wrote in message 
>> news:eWKHxGTuEHA.3016@TK2MSFTNGP12.phx.gbl...
>>> Hi All,
>>>
>>> Earlier I heard that an offline Active Directory database attack
>>> is possible and some tool is available for this attack.
>>> I would like to read more about this attack surface. Can someone point
>>> me in the right direction?
>>> I think it is a real threat in a branch-office environment, where the
>>> physical security is insufficient.
>>>
>>
>> We really don't need to go into the attack surface in public - the basic
>> points are covered as follows:
>> If you have anywhere where you think your physical security is lacking
>> then you should not place a domain controller there.
>> Doing so exposes your entire Active Directory forest to attack.
>> If you cannot guarantee the absolute security of the DC then you should
>> not place one there, or reconsider your forest design or local physical
>> security.
>>
>>
>> -- 
>>
>> Regards,
>>
>> Mike
>> --
>> Mike Brannigan [Microsoft]
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights
>>
>> Please note I cannot respond to e-mailed questions, please use these
>> newsgroups
>>
