In a way you should be happy they asked you, before just running a password guessing tool against the domain...  Of course that won't necessarily be destructive - unless you have configured Account Lockout for X number of logons, which I always advise my customers to do.
 
But if your AD domain spans multiple countries/locations or simply a large population of users (which might previously have been separate NT domains) - you're suddenly very vulnerable after all...  I've seen auditors from one location run their magic tools, unannounced to any admin, against the AD domain spanning the United States - voila, just like an attack from a hacker, that domain quickly ceased to work for any user, with logins and e-mail etc. failing all over the place (thankfully admin accounts were hidden in AD and thus not known to the tool used by the auditors).
 
Wasn't hard to find the issue and yell at the folks - but try to quickly revert the status of many hundreds of locked-out users...  So now we're prepared for these situations via a scripting solution - I would suggest everyone prepare something for their own environment as well. Nothing like being caught off guard.
 
/Guido
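The recovery script Guido describes is not in the thread; what follows is an added example of the kind of thing a practitioner would keep ready. It is not Guido's script or anything from the list. It assumes the ActiveDirectory RSAT module is available, that the domain's PDC emulator holds the Security log, and uses placeholder values for the exclusion list and log path.

```powershell
# Added example (not from the thread): triage and recover from a mass account lockout
# caused by a password-guessing scan. Assumes the ActiveDirectory RSAT module;
# the exclusion list and log path below are placeholders.
#Requires -Modules ActiveDirectory

param(
    [string]   $Domain = (Get-ADDomain).DNSRoot,
    # Placeholder: accounts to leave locked (e.g. ones you want to investigate first)
    [string[]] $ExcludeSamAccountNames = @(),
    [int]      $LookbackHours = 1,
    [switch]   $Unlock
)

$pdc = (Get-ADDomain -Identity $Domain).PDCEmulator

# 1. Find the source of the lockouts. Bad-password attempts are forwarded to the
#    PDC emulator, which logs event 4740 ("A user account was locked out"). In 4740
#    the TargetDomainName field (Properties[1]) carries the Caller Computer Name,
#    i.e. the host the failing logons came from - the auditors' scanner in this story.
$since = (Get-Date).AddHours(-$LookbackHours)
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} -ErrorAction SilentlyContinue

$bySource = $lockouts | ForEach-Object {
    [pscustomobject]@{
        Time   = $_.TimeCreated
        User   = $_.Properties[0].Value   # TargetUserName
        Source = $_.Properties[1].Value   # Caller Computer Name
    }
} | Group-Object Source | Sort-Object Count -Descending

Write-Host "Lockouts in the last $LookbackHours h, by source host:"
$bySource | Select-Object Count, Name | Format-Table -AutoSize

# 2. Enumerate every locked-out user account, minus the exclusions.
#    Querying the PDC avoids replication lag in the lockoutTime attribute.
$locked = Search-ADAccount -Server $pdc -LockedOut -UsersOnly |
    Where-Object { $ExcludeSamAccountNames -notcontains $_.SamAccountName }

Write-Host ("{0} locked-out user accounts found" -f @($locked).Count)

# 3. Bulk unlock, only when explicitly requested, and leave an audit trail.
#    Without -Unlock the script is read-only, so it is safe to run during triage.
if ($Unlock) {
    $log = Join-Path $env:TEMP 'mass-unlock.log'   # placeholder path
    foreach ($acct in $locked) {
        Unlock-ADAccount -Identity $acct.DistinguishedName -Server $pdc -Confirm:$false
        "{0}`t{1}" -f (Get-Date -Format o), $acct.SamAccountName | Add-Content -Path $log
    }
    Write-Host "Unlocked $(@($locked).Count) accounts; log written to $log"
}
```

Run it without -Unlock first: if the 4740 report shows one source host still producing lockouts, unlocking is pointless until that host is stopped, because the scan will lock everyone out again within the lockout window.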



From: Simpsen, Paul A. (HSC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, 7 July 2003 03:25
To: [EMAIL PROTECTED]

The whole purpose of this is all political. It has already been decided to enable password complexity, but to help make the campus more agreeable (we are an edu!) our Security director wants to shoot them some stats: the % of PWs that they could crack, etc… Why this is good for you, you know the deal. I'm still hoping my boss will see the light and just say no! :)

Thanks for all the responses, there might be some other options.

Paul

 

 

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 04, 2003 4:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Taking DC Offline

 

Paul,

 

I'm somewhat mystified by the request.  I might be completely missing the point, but unless the scan is going to be destructive, what is the value of giving the Security Director a DC that has been taken off-line?  I do agree with what others have said here to this point (remove connection objects, clean up the objects from the DIT via NTDSUTIL, etc.), but the value of the work that is being done is still questionable.  The DC is no longer in your environment, which, from the standpoint of testing the security or the password complexity, makes it no longer a viable environment in which to do so.

 

And, if the process is going to be destructive, is this something that they will want to do on a quarterly basis (again with questionable value in the security realm)?  Also, do your Security Analysts already have Administrative context access?  If not, all passwords of this type should be nulled out.  Even if they do - those that are not theirs should be erased as well.

 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simpsen, Paul A. (HSC)
Sent: Thursday, July 03, 2003 4:32 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Taking DC Offline

Our Security Director has requested that we build a temporary DC for his group. They want to take it offline and audit the current password complexity and strength. This DC will never return to the domain, so I will have to manually remove the replication connections in the NTDS settings for each repl partner, plus the DNS records created. I'm just wondering if I'm missing something obvious and whether this might not be such a good idea. Possibility of orphaned objects or something of that nature? It won't be online long but…..

 

********************************************************************

 

Paul Simpsen

Windows Server Administrator

Enterprise Systems, IT

University of Oklahoma HSC

405.271.2262 ext 50230

Fax: 405.271.2126

 

********************************************************************

CONFIDENTIALITY NOTICE: This e-mail communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. If you have received this communication in error, please destroy all copies of this communication and any attachments.
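Paul's question and Rick's reply both come down to the same cleanup: once the temporary DC is gone for good, its server object and NTDS Settings, the connection objects that point at it, its computer account and its DNS records all have to disappear, or the remaining DCs keep trying to replicate with a partner that will never answer. Nobody in the thread posted a script; the following is an added example, not code from any list member. It assumes the ActiveDirectory and DnsClient modules (Windows Server 2012 or later RSAT) and uses "DC-AUDIT" and "Default-First-Site-Name" as placeholder names for the removed DC and its site.

```powershell
# Added example (not from the thread): check whether a permanently removed DC still
# has metadata in the directory or DNS, and print the ntdsutil command to clean it up.
# Assumes the ActiveDirectory and DnsClient modules; server and site names are placeholders.
#Requires -Modules ActiveDirectory, DnsClient

param(
    [string] $RemovedDc = 'DC-AUDIT',                 # placeholder
    [string] $Site      = 'Default-First-Site-Name'   # placeholder
)

$domain   = Get-ADDomain
$configNC = (Get-ADRootDSE).configurationNamingContext
$serverDn = "CN=$RemovedDc,CN=Servers,CN=$Site,CN=Sites,$configNC"

function Test-DcRemoved {
    $findings = @()

    # 1. Server object (and its nTDSDSA "NTDS Settings" child) under CN=Sites.
    #    While this exists, the KCC on surviving DCs still treats the host as a replica.
    $server = Get-ADObject -Filter 'objectClass -eq "server"' -SearchBase "CN=Sites,$configNC" |
        Where-Object { $_.Name -eq $RemovedDc }
    if ($server) { $findings += "server object still present: $($server.DistinguishedName)" }

    # 2. Inbound connection objects on other DCs whose source is the removed DC.
    #    ReplicateFromDirectoryServer is the DN of the source NTDS Settings object.
    $stale = Get-ADReplicationConnection -Filter * |
        Where-Object { $_.ReplicateFromDirectoryServer -like "*CN=$RemovedDc,*" }
    foreach ($c in $stale) { $findings += "stale connection object: $($c.DistinguishedName)" }

    # 3. Computer account left in the Domain Controllers OU.
    $dcOu = "OU=Domain Controllers,$($domain.DistinguishedName)"
    $acct = Get-ADComputer -Filter "Name -eq '$RemovedDc'" -SearchBase $dcOu -ErrorAction SilentlyContinue
    if ($acct) { $findings += "computer account still in Domain Controllers OU: $($acct.DistinguishedName)" }

    # 4. DC locator SRV records. Clients find DCs through these, so a leftover record
    #    sends logons to a dead host until the record is removed or ages out.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -Type SRV -ErrorAction SilentlyContinue
    foreach ($r in ($srv | Where-Object { $_.NameTarget -like "$RemovedDc.*" })) {
        $findings += "DNS SRV record still points at $($r.NameTarget)"
    }

    return $findings
}

$result = @(Test-DcRemoved)
if ($result.Count -eq 0) {
    Write-Host "No remaining references to $RemovedDc in the directory or DC locator DNS."
} else {
    $result | ForEach-Object { Write-Warning $_ }
    # Metadata cleanup with the built-in tool. Only do this once you are sure the DC
    # will never come back online, since it removes the NTDS Settings object for good.
    Write-Host "To remove the server metadata, run:"
    Write-Host "  ntdsutil `"metadata cleanup`" `"remove selected server $serverDn`" quit quit"
}
```

The script is read-only; it reports what is left and prints the ntdsutil command rather than running it. After metadata cleanup, rerun it: the connection objects are usually removed by the KCC on its next pass, but the static DNS records and the computer account are the ones that tend to linger and need to be deleted by hand, which is exactly the leftover Paul was worried about.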