Re: Grant Administrative Access to a Domain Controller



Hopefully no one will tell you specifically how to break into AD. I will not publish anything I know about it that I have found either through experimentation, real life, or browsing of the source code until we are in a position where we can deploy something that is safe from the exploits.

It isn't something that can be stopped so going around talking about the specifics is careless and silly and outright stupid. Anyone with a good understanding of AD and Windows security will easily see ways of compromising the environment. For those who don't see it, that is fine, just don't mistake your inability for the fact that what you do is secure.

The thing that every AD admin needs to know is:

1. Do not give enhanced rights to Domain Controllers to anyone you don't trust with Domain and/or Enterprise Admins.

2. Do not put Domain Controllers in physically insecure areas.

3. If a Domain Controller is down for an extended period and you don't know why and you don't control its physical access 100%, be very concerned about it when it comes up.

If you don't understand why these things are important, that is fine, just live by them anyway. Just know that minimal access can be parlayed into even more access and try as you might, you cannot secure Active Directory from people with server operator or admin or several other levels of access rights on a DC. The only people who should have access to a DC are Domain Admins. Period.



> Should I or any other reader of this post trust
> any of you IF YOU DON'T SAY WHY IT CAN'T BE DONE... AND
> HOW CAN YOU PASS THAT SECURITY. You
> said it can be done without any fancy tricks or tools,
> if so EXPLAIN how without trying to LOL other guys that
> are trying to help. I should trust you
> just because you're an MVP?? I don't think so...
>


OK, I guess that is a valid point, don't trust us because we are MVPs. How about this... What are the consequences of either side being wrong on this? If Jorge and myself are wrong, what is your exposure? Let's see, you simply have not given out rights to people you don't trust with Domain Admin rights so you are no more insecure than you are with your current set of domain admins... If the ScriptLogic guys are wrong, what is your exposure? You have people who now have the ability to block you from your own directory... Why do I know they can do it? Because you are questioning whether or not this can be done so it is obvious you don't know how to do it.

If you want to validate myself and Jorge or for that matter anyone out in the newsgroups, go google for our posts and read them. Go check out our websites. You have a group of people who say, sure you can do this with our tools and you have a group of people who have been freely helping people solve problems in the Windows spaces for years and years.


>
> Saying that is wrong is very easy, but explaining why it's wrong can be
> harder...
>

No it isn't hard to say how it is wrong, it is very easy but it is very stupid to publish as well.

Jorge walks through step by step some of the reasons the ScriptLogic guy is in left field; he touches a little close to things that shouldn't be talked about a lot, but it should be more than enough to show that they are working on broken assumptions.

If you need more than that, tough, you aren't getting it from us. Feel free to implement what is listed and then pray hard that someone who actually understands AD doesn't get brought in, because either they will just walk through the security and do what they want or they will make you look very bad when the security report goes to the execs.


joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
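One defensive check that follows from rule 1 above, and from the point that Server Operators and similar DC-level groups are as dangerous as admin on a DC: the PowerShell audit below is an added example, not code from this thread or any of its posters. It assumes the RSAT ActiveDirectory module on a domain-joined host; the function name Get-UntrustedDcAccess is my own.

```powershell
# Added audit example (not from the thread): list every principal that holds
# membership in a group granting elevated rights on a domain controller while
# NOT being a Domain Admin or Enterprise Admin. Assumes RSAT ActiveDirectory.
Import-Module ActiveDirectory

# Built-in groups whose members can act with elevated rights on a DC.
# Resolved by well-known SID so renaming or localisation does not hide them.
$dcGroups = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-549' = 'Server Operators'
    'S-1-5-32-551' = 'Backup Operators'
    'S-1-5-32-550' = 'Print Operators'
    'S-1-5-32-548' = 'Account Operators'
}

function Get-UntrustedDcAccess {
    $domainSid = (Get-ADDomain).DomainSID.Value
    $rootSid   = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value

    # Principals the thread treats as legitimately trusted with a DC:
    # Domain Admins (RID 512) and Enterprise Admins (RID 519, forest root).
    $trusted = @{}
    foreach ($g in @("$domainSid-512", "$rootSid-519")) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { $trusted[$_.SID.Value] = $true }
    }

    $findings = @()
    foreach ($sid in $dcGroups.Keys) {
        # -Recursive flattens nested groups so indirect members are caught too.
        $members = Get-ADGroupMember -Identity $sid -Recursive -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            if (-not $trusted.ContainsKey($m.SID.Value)) {
                $findings += [pscustomobject]@{
                    Group  = $dcGroups[$sid]
                    Member = $m.SamAccountName
                    Class  = $m.objectClass
                    Sid    = $m.SID.Value
                }
            }
        }
    }
    return $findings
}

# Every row is a principal that can reach the DC's operating system (and so AD
# itself) without being a Domain/Enterprise Admin; review each against rule 1.
Get-UntrustedDcAccess | Sort-Object Group, Member | Format-Table -AutoSize
```

Run it from a host where you can query the domain; an empty result means nobody outside Domain/Enterprise Admins holds these memberships, which is the state the post above argues for.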


JWilliams wrote:
That was not kind or funny. But the main question here is how??

MPerrault is giving us his perspective and detailed information about how things could be done.




Is it right? Is it wrong? Probably...

But for those that only say IT CAN'T BE DONE and NO WAY, etc...!!!

It would be better to explain why it can't be done, instead of saying something like YOU DON'T KNOW ANYTHING ABOUT THIS AND ABOUT THAT... etc... Should I or any other reader of this post trust any of you IF YOU DON'T SAY WHY IT CAN'T BE DONE... AND HOW CAN YOU PASS THAT SECURITY. You said it can be done without any fancy tricks or tools, if so EXPLAIN how without trying to LOL other guys that are trying to help. I should trust you just because you're an MVP?? I don't think so...



Arguments like "I have 'broken' into several ADs that were allegedly locked", "I know many MS guys" and "I'm too good", etc., etc., etc., aren't good arguments in my opinion.



Saying that is wrong is very easy, but explaining why it's wrong can be harder...

I also want to say that I know that Joe and Jorge, etc., are very helpful in these newsgroups, but honestly this type of argument is just not good enough...



If you have something to say you should explain your point of view, otherwise shut up...


I'm sorry if I was too rude. But...



And please (if you have anything to say), explain how you can bypass MPerrault's suggested security. You said "IT CAN BE DONE WITHOUT ANY FANCY TRICKS OR TOOLS", so why don't you share it instead of saying other crappy things.


"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message news:epDBA0jKHHA.3872@xxxxxxxxxxxxxxxxxxxxxxx
Ah, that was probably mean.

It bothers me greatly that a company that produces tools for AD including Security type tools has support people that have such a core misunderstanding of AD security and they take the time to post their misunderstandings in a public forum in a seemingly authoritative way.

Again, it is not possible to give admin rights to a single DC or even a set of DCs and then lock those same people out of AD. AD is a subordinate service on a DC, meaning an Admin can muck with it in any way they want whenever they want, regardless of the permissioning in the directory that you think can be done to prevent it. The fact that your tests show this to be the case illustrates your shortcomings and lack of understanding versus any AD Security capability.

This isn't something I am guessing about. This is something I know because I have "broken" into several ADs that were allegedly locked down. This is without any fancy tricks or tools. The fancy tricks and tools just make it take seconds instead of minutes. This is something I know also because I have spoken to many of the best AD folks inside and outside of Microsoft including the Dev team over the last 6 years and this is a known weakness in all circles. Again this will be helped a little with Longhorn server, but it still won't be solved for the general case.


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net




Joe Richards [MVP] wrote:
You know as little about Active Directory and Domain Controllers as your coworker.

Seriously, where are you guys coming from?


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net




mfarr wrote:
Archi, one other thing...

To clarify, this user cannot be a member of the domain admins group, but shouldn't be if they are not managing AD. Use the capability of AD to delegate the appropriate rights.

Matt


mfarr wrote:
Archi,

My colleague Mike is correct in saying you can deny access to Active Directory but still allow logon to the DCs. To do this, delegate read-only rights to your restricted administrator to everything within AD, then add that user to the list of accounts that can log on locally to the DC within the Domain Controller Security Policy. Within the Domain Controller Security Policy are also options to log on as a service, etc., for management functionality.

I recommend checking out Active Administrator from ScriptLogic to handle the delegations of control within AD. With Active Administrator you can easily configure these restricted permissions within AD for your admins via permissions templates that even self-heal. Good luck.

Matt


Archi wrote:
We have a group Domain Server Operators and we need to give them admin rights to domain controllers to restart services, install software, etc. But they should not have rights to Active Directory.

"Jorge Silva" wrote:

Hi
Can you explain exactly what you need to do?
Also have a look at:
Step-by-Step Guide to Using the Delegation of Control Wizard
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx

--

I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE

"Archi" <Archi@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:24F63807-E425-4294-AFFD-6A36ACD3DB97@xxxxxxxxxxxxxxxx
I need to give admin access to domain controllers for a certain domain group but without accessing Active Directory.
Any options?




