Personally I don't see a problem with the audit / security guys attempting to crack high-level user IDs, as these are potentially the greatest threat to the security of the environment.
 
That being said, if they DO crack the admin accounts, they then have a "back door" into the environment, and if nefarious types get their hands on the information, you are in a world of hurt.
 
There is one issue regarding the strength of these passwords. ANY password can be cracked, given enough time and computing resources. Have they placed any boundaries on how long they will plug away at the security database before declaring that a password is deemed to be secure enough?
 
Glenn
 
----- Original Message -----
From: Joe
Sent: Tuesday, July 08, 2003 7:54 AM
Subject: RE: [ActiveDir] Taking DC Offline

Heh, never heard that one before..... <g>
 
Glad I could help out. One thing I would recommend doing is writing a perl script that goes through and parses the file before you have to hand it over and removes any IDs with authority greater than, say, Account Operator from the file. That way:
 
1. The security folks don't crack high-level IDs.
2. If the hash dump falls into someone else's hands, it doesn't have admin (or Account Operator, Server Operator, etc.) IDs listed.
 
The source is readily available; any C/C++ coder should be able to modify it to not even dump enhanced IDs with a few extra calls, though it would slow the program down a bit.
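Joe's filtering step in working form, as an added example that is not from this thread (written in Python rather than Perl). It assumes pwdump3's `user:rid:lmhash:nthash:::` line layout and that the privileged account names are exported separately from the group memberships (Domain Admins, Account Operators, Server Operators and so on), since the dump itself carries no group information; the account names and hashes below are constructed.

```python
import re
import sys

# One pwdump3 record: user:rid:lmhash:nthash:::  The 32-character hash fields are
# matched loosely because some builds print a marker (e.g. "NO PASSWORD...") instead
# of hex; anything that does not fit the layout is rejected rather than passed on.
PWDUMP_LINE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[^:]{32}):(?P<nt>[^:]{32}):::$")

# RID 500 is always the built-in Administrator, whatever it has been renamed to.
ALWAYS_EXCLUDED_RIDS = {500}

# Constructed sample dump (placeholder hashes) and constructed privileged list.
SAMPLE_DUMP = """\
Administrator:500:00000000000000000000000000000000:11111111111111111111111111111111:::
Guest:501:00000000000000000000000000000000:22222222222222222222222222222222:::
psimpsen:1104:00000000000000000000000000000000:33333333333333333333333333333333:::
svc_backup:1201:NO PASSWORD*********************:44444444444444444444444444444444:::
jdoe:1305:00000000000000000000000000000000:55555555555555555555555555555555:::
"""
PRIVILEGED = ["Administrator", "SVC_BACKUP"]  # assumed to come from a group export


def parse_pwdump(text):
    """Yield (user, rid, raw_line) per record; fail closed on anything malformed."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.rstrip()
        if not line:
            continue
        m = PWDUMP_LINE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a pwdump record, refusing to pass it through")
        yield m.group("user"), int(m.group("rid")), line


def filter_privileged(text, privileged_users):
    """Return (kept_lines, removed_users); SAM names compare case-insensitively."""
    privileged = {u.lower() for u in privileged_users}
    kept, removed = [], []
    for user, rid, raw in parse_pwdump(text):
        if rid in ALWAYS_EXCLUDED_RIDS or user.lower() in privileged:
            removed.append(user)
        else:
            kept.append(raw)
    return kept, removed


if __name__ == "__main__":
    kept, removed = filter_privileged(SAMPLE_DUMP, PRIVILEGED)
    sys.stdout.write("\n".join(kept) + "\n")
    sys.stderr.write(f"removed {len(removed)} privileged account(s): {removed}\n")
```

Matching on RID 500 as well as on names covers a renamed built-in Administrator, which a name-only list would miss.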
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simpsen, Paul A. (HSC)
Sent: Monday, July 07, 2003 4:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Taking DC Offline

Hey Joe (sorry, I couldn't resist, being the old Hendrix fan that I am :-)). But anyhow... this is the route that I have taken and everything worked like a champ. I wasn't familiar with pwdump but I am now. Once again, thanks for the reply.

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Friday, July 04, 2003 10:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Taking DC Offline

How are they planning on doing those tests? If they just want to test the password complexity/strength, it isn't required to give them a whole DC, only a hash dump of the passwords in the DIT, which can be done via pwdump3. Then they can use lc3/4 to go through the text file hash dump. There is no faster way that I am aware of to test those things.

In the meanwhile, I think I would also remove any admin IDs from that hash dump if the security folks aren't already admins.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simpsen, Paul A. (HSC)
Sent: Thursday, July 03, 2003 5:32 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Taking DC Offline

Our Security Director has requested that we build a temporary DC for his group. They want to take it offline and audit the current password complexity and strength. This DC will never return to the domain, so I will have to manually remove the replication connections in the NTDS settings for each repl partner, plus the DNS records created. I'm just wondering if I'm missing something obvious and that this might not be such a good idea. Possibility of orphaned objects or something of that nature? It won't be online long but.....

********************************************************************
Paul Simpsen
Windows Server Administrator
Enterprise Systems, IT
University of Oklahoma HSC
405.271.2262 ext 50230
Fax: 405.271.2126
********************************************************************