Gil, 
RE getting around the built-in security model: the local system thread
really only applies to folks that have admin rights on a DC already - i.e.
Domain Admins or Enterprise Admins. Plus the folks that have physical access
to a DC...   I just don't want too many folks to get scared about the
built-in security model being useless ;-)
However, you could still configure your ACLs wrong in AD, allowing too many
admins to delete/edit too many things (permissions on OUs and GPOs are a
good example => people shouldn't grant full control on OUs to local admins.
I also leave GPO mgmt to a central team, no matter which OU it should be
applied to - this sometimes hurts in terms of speed for an "urgently
required" change by a local admin, but it sure is more stable in the end)

/Guido
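As an added, defender-side illustration of the ACL point above (example code, not part of the thread or of any product): a PowerShell audit that lists OU ACEs granting full control or delete/re-permission rights to principals outside an approved list, and GPOs that can be edited by principals outside the central GPO team. It assumes the ActiveDirectory and GroupPolicy RSAT modules are installed on the machine where it runs; the approved-principal list and the `GPO-Admins` group name are constructed placeholders to adjust for your own forest.

```powershell
# Added example: audit OU ACLs and GPO permissions for over-broad rights.
# Assumes RSAT ActiveDirectory + GroupPolicy modules; run as a user that can read ACLs.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Principals expected to hold powerful rights on OUs (constructed allow list; adjust).
$ApprovedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$env:USERDOMAIN\Domain Admins",
    "$env:USERDOMAIN\Enterprise Admins"
)

# Central team that is allowed to edit GPOs (constructed group name; adjust).
$CentralGpoTeam = @("$env:USERDOMAIN\GPO-Admins")

# Rights that let a holder delete an OU, its contents, or re-permission it.
$DangerousRights = 'GenericAll', 'WriteDacl', 'WriteOwner', 'Delete', 'DeleteChild', 'DeleteTree'

function Get-OverBroadOuAces {
    foreach ($ou in Get-ADOrganizationalUnit -Filter * -Properties DistinguishedName) {
        $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($ApprovedPrincipals -contains $who) { continue }
            # ActiveDirectoryRights stringifies as "GenericAll" or "CreateChild, Delete, ..."
            $granted = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
            $hits = $granted | Where-Object { $DangerousRights -contains $_ }
            if ($hits) {
                [pscustomobject]@{
                    Object    = $ou.DistinguishedName
                    Principal = $who
                    Rights    = ($hits -join ',')
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Get-OverBroadGpoEditors {
    foreach ($gpo in Get-GPO -All) {
        foreach ($perm in Get-GPPermission -Guid $gpo.Id -All) {
            # Only edit-capable levels matter here; GpoRead/GpoApply are expected for everyone.
            if ($perm.Permission -notin 'GpoEdit', 'GpoEditDeleteModifySecurity') { continue }
            $who = "$($perm.Trustee.Domain)\$($perm.Trustee.Name)"
            if ($ApprovedPrincipals -contains $who -or $CentralGpoTeam -contains $who) { continue }
            [pscustomobject]@{
                Object     = $gpo.DisplayName
                Principal  = $who
                Rights     = $perm.Permission.ToString()
                Inherited  = $perm.Inherited
            }
        }
    }
}

# Report: anything listed here is a principal that can delete/re-permission an OU
# or edit a GPO without being on the approved or central-team list.
Get-OverBroadOuAces    | Sort-Object Object, Principal | Format-Table -AutoSize
Get-OverBroadGpoEditors | Sort-Object Object, Principal | Format-Table -AutoSize
```

Inherited ACEs are reported as well as explicit ones, because a full-control grant at a parent OU (or at the domain root) is exactly the case where a local admin ends up with more than intended over child OUs; the `Inherited` column tells you where to look for the originating ACE.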

-----Original Message-----
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
Sent: Donnerstag, 11. Dezember 2003 23:38
To: '[EMAIL PROTECTED]'
Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC

The problem with the built-in security model is that in most environments
it's easy to get around it by using one of the various LocalSystem
escalations on the DC. All of a sudden the ACLs are meaningless, and AD will
happily replicate the corrupted data for you.

It's hard to do a system-wide denial-of-service by flooding the DCs with
queries (I assume this is what you were talking about) because of the number
of clients you would have to bring to bear. It takes a lot of clients to
generate enough traffic to kill a DC, and a lot more to kill all the DCs in
the system. And if the clients are connected to the DCs via slower WAN
links, it's probably impossible.

You can disable anonymous queries (already done by default in W2K3), and you
can configure IP addresses to deny connections from, but I don't know of a
way to limit the number of LDAP queries per second. Sounds like a cool
feature.

-gil

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, December 11, 2003 2:36 PM
To: '[EMAIL PROTECTED]'
Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC


I'm not as worried about malicious, entry-changing attacks due to the built-in
security model. It's cake and pie to do a denial of service attack against
an LDAP system. Add to that a simple DNS query to find all the DCs, and the
whole domain drops like a lead-filled balloon.

Is there a way to limit the number of LDAP queries per second on a DC, at
least from a specific source address?

Roger
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -----Original Message-----
> From: GRILLENMEIER,GUIDO (HP-Germany,ex1)
> [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, December 11, 2003 4:14 PM
> To: [EMAIL PROTECTED]
> Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
> 
> 
> I don't even think you have to restrict the AD-related virus issue to the
> file-system.
> 
> Something that your AV tools won't help you with is a "virus" that simply
> runs malicious LDAP queries - i.e. changing all kinds of attributes on
> objects in AD or even deleting a whole lot of objects at once...  Obviously
> this virus would only be harmful for users with appropriate permissions on
> the AD objects.
> 
> Again, AD will ensure that these malicious changes are replicated to all DCs
> and you could end up with quite a disaster which is certainly not very easy
> to recover from.
> 
> /Guido
> 
> -----Original Message-----
> From: Tony Murray [mailto:[EMAIL PROTECTED]
> Sent: Donnerstag, 11. Dezember 2003 14:55
> To: [EMAIL PROTECTED]
> Subject: Re: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
> 
> > DO scan your DCs and reconsider excluding things like the Sysvol
> 
> I fully agree with you here, John.  I have seen for myself how good FRS is
> at distributing viruses throughout the infrastructure in a short period of
> time!!  Some of the major AV vendors previously had products that caused
> problems when scanning SYSVOL, but the recent offerings have resolved this.
> Bottom line:  there is no good reason not to include SYSVOL (as long as
> you've checked with your AV vendor first).
> 
> Tony
> 
> ---------- Original Message ----------------------------------
> From: [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> Date:  Wed, 10 Dec 2003 23:18:52 +0100
> 
> I totally agree with all the guys out there that urge you to scan your
> DCs!!! I've been thinking about this issue for some time and I've come
> to the conclusion that Active Directory would be THE IDEAL target for a
> virus attack. The robustness of AD replication makes it the ideal
> distribution mechanism for viruses. Hey ... distributing viruses by mail
> is ancient technology ;-). Why not use the intense integration of
> Exchange 2000+ and AD to transport a virus from Exchange to AD?
> 
> No guys... I'm very serious! DO scan your DCs and reconsider excluding
> things like the Sysvol because this is another possible target for the
> sick minds out there that like to screw up enterprise environments! It's
> only a matter of time before the first AD virus is a fact of life we
> have to deal with!
> 
> So go out and check (before you go to bed) whether or not dat-file updates
> are really succeeding ;-).
> 
> Cheers!
> John
>  
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: 10-12-2003 18:07
> Subject: RE: [ActiveDir] Virus software on DC
> 
> Sorry, I have to throw in my two cents. I exclude the sysvol/sysvol
> folder and sub-folders, but run the real-time scanner on everything
> else.  These two folders deal with replication and are too volatile to
> play with.
> 
> S
> 
> *****************************************
> Steve Shaff
> Active Directory / Exchange Administrator
> Corillian Corporation
> (W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Burkes, Jeremy
> [contractor]
> Sent: Wednesday, December 10, 2003 8:52 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Virus software on DC
> 
> Same here, never had any problems either.
> 
> Jeremy
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> Sent: Wednesday, December 10, 2003 11:47 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Virus software on DC
> 
> 
> We run Symantec AV corporate edition and don't exclude any directories.
> We haven't had any problems related to AV software...
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
> Sent: Wednesday, December 10, 2003 11:42 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Virus software on DC
> 
>  >What directories should I not be scanning?
> 
> We use the exclusions in this list-
> 
> 822158 - Virus Scanning Recommendations on a Windows 2000 Domain
> Controller: 
> http://support.microsoft.com/default.aspx?scid=kb;en-us;822158
> 
> 
> ________________________________
> 
>       From: [EMAIL PROTECTED]
>       Sent: Wednesday, December 10, 2003 8:30 AM
>       To: [EMAIL PROTECTED]
>       Subject: RE: [ActiveDir] Virus software on DC
>       
>       
>       We run Trend here.
>       Never have run into any issues and we are using the realtime scan.
>       Just out of curiosity though, I am scanning all except for a few
>       select dirs.  What directories should I not be scanning?
> 
> 
> 
>       John Parker, MCSE 
>       IS Admin. 
>       Senior Technical Specialist 
>       Alpha Display Systems.
> 
>       Alpha Video 
>       7711 Computer Ave. 
>       Edina, MN. 55435
>         
>       952-896-9898 Local 
>       800-388-0008 Watts 
>       952-896-9899 Fax 
>       612-804-8769 Cell 
>       952-841-3327 Direct
> 
>       [EMAIL PROTECTED] 
>       "Be excellent to each other" 
>       ---End of Line---
> 
> 
>       -----Original Message-----
>       From: [EMAIL PROTECTED]
>       Sent: Wednesday, December 10, 2003 10:24 AM
>       To: [EMAIL PROTECTED]
>       Subject: RE: [ActiveDir] Virus software on DC
>       
>       
> 
>       I do, but I exclude the AD files, and I do not have real-time
>       scanning enabled, just periodic scheduled scans. Does not seem to
>       cause any problems.
> 
>        
> 
>       <mc>
> 
>       -----Original Message-----
>       From: [EMAIL PROTECTED]
>       Sent: Wednesday, December 10, 2003 11:17 AM
>       To: [EMAIL PROTECTED]
>       Subject: [ActiveDir] Virus software on DC
> 
>        
> 
>       This may be a dumb question, but do you guys have virus scanning
>       software on your DCs? I have been confused if the virus scanner slows
>       the machine down or not. Thanks
> 
> 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/