Why not use a tool like Aelita's InTrust (http://www.aelita.com/products/InTrust.htm) to run the scans against the production environment? I would also mention BV-Control, but I am mad at BindView right now and don't want to promote their products (long story). It would be less intrusive into your environment... also lets you get a pretty good tool, all in the name of better security. I would make the argument that standing up DCs and taking them down is not a good practice for production ADs, due to the clean-up and the potential for the data to be compromised outside of the datacenter. An Active Directory domain's security is only as good as the security of the datacenter the DCs are hosted in and the physical DCs themselves. Standing up and taking down DCs in the name of better security only complicates operations. Does this security director know the EA password or the Domain Admin passwords? If he doesn't, he will with this method. Also, do you plan to run only one security scan? To make security operations more useful, scans should be run several times a year, and data collected over time. Things like when an account was last accessed, how many times an account logs in badly or gets locked out, etc. are more useful than just whether the password is complex enough.
 
Also I wouldn't run a password guessing tool against a domain if you have account lockouts enabled.  Could make the helpdesk revolt.
 
In the name of politics I understand your dilemma, I just want to fuel your argument for not doing this all the time due to the impact on operations.
 
Power to the AD admins...
 
Toddler
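A home-grown version of the recurring data collection described above, as an added example in PowerShell (not InTrust or BV-Control, and not code posted in this thread): one dated snapshot per run so the lockout, bad-password and last-logon figures can be compared from scan to scan. The RSAT ActiveDirectory module and the output folder are assumptions.

```powershell
# Added example (not from the thread): take a dated per-account snapshot so
# lockouts, bad-password counts and last logons can be trended across scans.
# Assumes the RSAT ActiveDirectory module and read access to every DC.
param([string] $OutDir = 'C:\ADAudit')   # hypothetical output folder
Import-Module ActiveDirectory
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

$domain = Get-ADDomain
$dcs    = (Get-ADDomainController -Filter *).HostName

# lockoutTime, pwdLastSet and lastLogonTimestamp replicate, so one DC suffices.
$users = Get-ADUser -Filter { Enabled -eq $true } -Server $domain.PDCEmulator `
           -Properties lastLogonTimestamp, lockoutTime, pwdLastSet, PasswordNeverExpires

# badPwdCount does NOT replicate: each DC counts its own failures, so ask every
# DC and keep the highest value seen per account.
$badPwd = @{}
foreach ($dc in $dcs) {
    Get-ADUser -LDAPFilter '(badPwdCount>=1)' -Server $dc -Properties badPwdCount |
        ForEach-Object {
            if ($_.badPwdCount -gt $badPwd[$_.SamAccountName]) { $badPwd[$_.SamAccountName] = $_.badPwdCount }
        }
}

function ConvertFrom-FileTime([long] $t) {
    # AD stores these as 100-ns ticks since 1601-01-01 UTC; 0 means "never"
    if ($t -gt 0) { [DateTime]::FromFileTimeUtc($t) } else { $null }
}

$stamp = Get-Date -Format 'yyyy-MM-dd'
$rows = @(foreach ($u in $users) {
    [pscustomobject]@{
        Snapshot             = $stamp
        SamAccountName       = $u.SamAccountName
        LastLogon            = ConvertFrom-FileTime $u.lastLogonTimestamp   # ~14-day precision
        PasswordLastSet      = ConvertFrom-FileTime $u.pwdLastSet
        PasswordNeverExpires = $u.PasswordNeverExpires
        LastLockout          = ConvertFrom-FileTime $u.lockoutTime
        BadPwdCount          = [int]$badPwd[$u.SamAccountName]
    }
})
$rows | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "accounts-$stamp.csv")

# Headline numbers worth tracking from scan to scan
$stale = @($rows | Where-Object { -not $_.LastLogon -or $_.LastLogon -lt (Get-Date).AddDays(-90) }).Count
$lockd = @($rows | Where-Object { $_.LastLockout -gt (Get-Date).AddDays(-30) }).Count
"{0} accounts; {1} with no logon in 90 days; {2} locked out in the last 30 days" -f $rows.Count, $stale, $lockd
```

Diffing two of the CSVs (for example on BadPwdCount or LastLockout) is what turns a one-off scan into the trend data the message asks for.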
-----Original Message-----
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 08, 2003 8:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Taking DC Offline

nice tool Joe, but you should add a time filter.  In an attack scenario (be it hacker or auditors), you don't necessarily want to unlock all the locked accounts you find - instead you want to unlock the ones that were locked after a specific time (this is the approach I took - using a UI you select the users you wish to unlock).  However, unlocking all is better than unlocking none.
 
/Guido

From: Joe [mailto:[EMAIL PROTECTED]
Sent: Monday, 7 July 2003 21:26
To: [EMAIL PROTECTED]

Check out unlock at www.joeware.net. It's free, it's fast. Will display locked accounts or unlock them. Saves you the scripting time... Plus it runs faster than any script I have seen.
 
:o)
 
As for those folks doing the testing, if it isn't security running those password check tools, it is hacking. Treat the admins accordingly.
 
  joe
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Monday, July 07, 2003 9:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Taking DC Offline

In a way you should be happy they asked you before just running a password guessing tool against the domain...  Of course that won't necessarily be destructive - unless you have configured Account Lockout for X nr. of logons, which I always advise my customers to do.
 
But if your AD domain spans multiple countries/locations or simply a large population of users (which might previously have been separate NT domains) - you're suddenly very vulnerable after all...  I've seen auditors from one location run their magic tools, unannounced to any admin, against the AD domain spanning the United States - voila, just like an attack from a hacker, that domain quickly ceased to work for any user, with logins and e-mail etc. failing all over the place (thankfully admin accounts were hidden in AD and thus not known to the tool used by the auditors).
 
Wasn't hard to find the issue and yell at the folks - but try to quickly revert the status of many hundreds of locked-out users...  So now we're prepared for these situations via a scripting solution - I would suggest everyone prepare something for their own environment as well. Nothing like being caught off guard.
 
/Guido
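The time-filtered unlock Guido asks for and the scripting solution he mentions, as an added example in PowerShell (not Guido's script or Joe's unlock tool): it lists accounts whose lockoutTime falls after a given moment and unlocks only those, and only when -Commit is passed. The RSAT ActiveDirectory module and the log path are assumptions.

```powershell
# Added example (not the script or tool from the thread): revert a lockout
# storm by unlocking only accounts locked after the time the scan/attack began.
# Assumes the RSAT ActiveDirectory module and rights to unlock accounts.
param(
    [Parameter(Mandatory)] [DateTime] $Since,     # e.g. '2003-07-07 09:00'
    [string] $SearchBase,                         # defaults to the domain root
    [string] $Log = '.\unlock-log.csv',           # hypothetical record of what was done
    [switch] $Commit                              # without -Commit: report only
)
Import-Module ActiveDirectory
$domain = Get-ADDomain
if (-not $SearchBase) { $SearchBase = $domain.DistinguishedName }

# Lockouts are processed on the PDC emulator, so query and unlock there rather
# than trusting whatever state a random DC has replicated so far.
$pdc = $domain.PDCEmulator

$locked = Search-ADAccount -LockedOut -UsersOnly -SearchBase $SearchBase -Server $pdc |
          Get-ADUser -Server $pdc -Properties lockoutTime

$recent = foreach ($u in $locked) {
    # lockoutTime is a FILETIME (100-ns ticks since 1601-01-01 UTC); 0 = not locked
    if ($u.lockoutTime -gt 0) {
        $lockedAt = [DateTime]::FromFileTime($u.lockoutTime)
        if ($lockedAt -ge $Since) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                LockedAt       = $lockedAt
                DN             = $u.DistinguishedName
            }
        }
    }
}

$recent = @($recent | Sort-Object LockedAt)
$recent | Format-Table SamAccountName, LockedAt -AutoSize
Write-Host ("{0} of {1} locked accounts were locked after {2}" -f $recent.Count, @($locked).Count, $Since)

if (-not $Commit) {
    Write-Host 'Report only. Re-run with -Commit to unlock the accounts listed above.'
    return
}

foreach ($r in $recent) {
    Unlock-ADAccount -Identity $r.DN -Server $pdc
    # Keep a record: who was unlocked, when they were locked, when it was reverted
    $r | Add-Member -NotePropertyName UnlockedAt -NotePropertyValue (Get-Date) -PassThru |
        Export-Csv -Path $Log -NoTypeInformation -Append
    Write-Host "Unlocked $($r.SamAccountName) (locked at $($r.LockedAt))"
}
```

Run it once without -Commit first; the accounts that were locked before $Since stay locked, which is the point of the filter.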



From: Simpsen, Paul A. (HSC) [mailto:[EMAIL PROTECTED]
Sent: Monday, 7 July 2003 03:25
To: [EMAIL PROTECTED]

The whole purpose of this is all political. It has already been decided to enable password complexity, but to help make the campus more agreeable (we are an edu!) our Security director wants to shoot them some stats: the % of PWs that they could crack, etc... Why this is good for you, you know the deal. I'm still hoping my boss will see the light and just say no!

Thanks for all the responses, there might be some other options.

Paul

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 04, 2003 4:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Taking DC Offline

Paul,

I'm somewhat mystified by the request.  I might be completely missing the point, but unless the scan is going to be destructive, what is the value of giving the Security Director a DC that has been taken off-line?  I do agree with what others have said here to this point (remove connection objects, clean up the objects from the DIT via NTDSUTIL, etc.), but the value of the work that is being done is still questionable.  The DC is no longer in your environment, which from the standpoint of testing the security or the password complexity, makes it no longer a viable environment to do such.

And, if the process is going to be destructive, is this something that they will want to do on a quarterly basis (again with questionable value in the security realm)?  Also, do your Security Analysts already have Administrative context access?  If not, all passwords of this type should be nulled out.  Even if they do - those that are not theirs should be erased as well.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simpsen, Paul A. (HSC)
Sent: Thursday, July 03, 2003 4:32 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Taking DC Offline

Our Security Director has requested that we build a temporary DC for his group. They want to take it offline and audit the current password complexity and strength. This DC will never return to the domain so I will have to manually remove the replication connections in the NTDS settings for each repl partner, plus the DNS records created. I'm just wondering if I'm missing something obvious and that this might not be such a good idea. Possibility of orphaned objects or something to that nature? It won't be online long but.....

********************************************************************
Paul Simpsen
Windows Server Administrator
Enterprise Systems, IT
University of Oklahoma HSC
405.271.2262 ext 50230
Fax: 405.271.2126
********************************************************************

CONFIDENTIALITY NOTICE: This e-mail communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. If you have received this communication in error, please destroy all copies of this communication and any attachments.