OK, it's official, my head now hurts. Where's my aspirin?

Dan

> -------- Original Message --------
> Subject: RE: [ActiveDir] Have fun at DEC
> From: "joe" <[EMAIL PROTECTED]>
> Date: Tue, March 22, 2005 9:22 am
> To: <ActiveDir@mail.activedir.org>
>
> > There is an inverse relationship between the number of admins and
> > the security of your network - the higher the number of admins, the
> > lower the security.
>
> How long have I been saying this? At least as long as you have known me!!!
> Is it that you didn't listen because I never said inverse? My simple
> mechanism of saying this applies to everything with systems, just not
> security - the fewer the admins the better; if you exceed 3 you are asking
> for issues...
>
> For security it is probably more of an inverse square law function than just
> inversely proportional, with number of admins being r and security being
> stretched and diluted across the surface area (A) growing by the square
> rule. Say your security constant for a given system at a given point in time
> is S and your true security is I; then you are looking at an equation of
> something like I=9S/(r^2) (that is normalized to where any system with 3
> admins is at its constant security level S, which actually may be a little
> high, maybe it should be 4 instead of 9).
>
> You can add another piece to that equation if the admins don't all report to
> the same direct supervisor/manager or whatever other title you give to the
> direct person your analysts report to. That number of managers is M and the
> overall chains of command is c, so you get I=9S/((M^c)*(r^2)). As an example
> of the last, say you have a system that has admins from the US and admins
> from Europe. At the very least, it is unlikely they will both report to the
> same direct manager. It is most likely, from what I have seen, they will
> report to 2 managers in different chains of command that eventually tie
> back together, but up several management levels. Those multiple managers and
> multiple chains of command, without regard to the sheer number of admins,
> make your overall situation 1/4 as secure due to disagreements and
> infighting and different goals of different managers and management chains.
> Now add in some software that installs a service that runs as local system
> (i.e. more power than an admin account) and is managed by someone other than
> the "normal" admins and your M and c have increased again; this is
> especially evident with things like MOM or Tivoli or OVVM or anything else
> that monitors and has the ability to arbitrarily run code (scripts, etc.) on
> a given machine.
>
> Assuming a realistically secure value of S, you would start with one admin
> and an I of 9S. Add 2 more on the same team and you are down to S. Add 6
> more on the same team and you are down to S/9. Add a team of 5 more who
> manage monitoring agents running as localsystem who report through a
> different chain of command and you are now at S/((14^2)*(2^2)) or S/784. The
> thing is that management group, even without admin rights directly, who
> manages localsystem agent monitoring across all of the enterprise and all
> systems reduces overall security by at least (5^2 * 2^2) without
> consideration for the other admins already managing[1].
>
>
> Anyway, the more admins you have for a given system, the less overall
> control you have of that system. You can have 1000 admins on a network; they
> just better not all be managing and have control over the same systems. The
> more admins on a system you have, the more people modifying things and coming
> up with "cool" ideas, or the more chance someone will leave a machine
> unlocked or get infected, or the more likely you are to have generic admin
> type IDs and less chance you can figure out who did something if something
> bad happened.
>
> You will recall this was the number one debate I had with management when we
> worked together previously and you know how strongly I argued that point.
> They wanted more people to have rights, I wanted less. It had something to
> do with the quality of the admins, but it had a lot to do with the sheer
> number because once you exceed 3 or so I have found that the responsibility
> people feel tends to drop significantly and your overall danger grows
> considerably. I think it has something to do with the feeling of ownership.
> If you have 20 people who own something versus 3 people who own something,
> the 3 people will have a stronger sense of ownership and caring, IMO.
>
> If you have 3 crappy admins, you are still screwed. You will note the
> equation above says nothing about admin quality, just numbers and management
> chains. There are a lot of people running around who have admin IDs who
> aren't administrators. However, they tend to stick out more when there
> aren't a bunch of other people covering for them and can hopefully be
> removed.
>
>
> > And, Rick, thanks a bunch for your late-night assistance. I owe you one.
>
> And I don't even want to know what this is about...
>
>
> joe
>
>
> [1] That formula is completely made up (and having been written out like
> this automatically copyrighted) by me and represents how I personally view
> the impact of adding more admins and more management chains. While I think
> centralized monitoring is nice and all, I think it is generally configured
> in a way that is extremely destructive to overall environment security. When
> I ran ops for a forest, I would not allow monitoring to be added to the
> Domain Controllers I managed that was run by anyone other than our direct
> group. I fought that battle with multiple groups over the space of 5 years.
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Monday, March 21, 2005 9:36 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Have fun at DEC
>
> I not only had fun at DEC, I learnt so many things. Aside from being around
> the usual suspects (Hi, Dean! Hi, Joe! Hi, Rick!), I got to meet Jorge,
> Hunter, Alain and a host of other people.
>
> Then I came away with 2 of the most eye-opening lessons to date in my
> professional life:
>
> You can't cram a "security" discussion into a 75-minute presentation :)
> There is an inverse relationship between the number of admins and the
> security of your network - the higher the number of admins, the lower the
> security.
>
> Gil and the rest of the DEC crews are some of the most gracious hosts I have
> ever had the pleasure of being associated with - and I am grateful for the
> opportunity.
>
> And, Rick, thanks a bunch for your late-night assistance. I owe you one.
>
> Sincerely,
>
> Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
> Microsoft MVP - Directory Services
> www.readymaids.com - we know IT
> www.akomolafe.com
> Do you now realize that Today is the Tomorrow you were worried about
> Yesterday? -anon
>
> ________________________________
>
> From: [EMAIL PROTECTED] on behalf of joe
> Sent: Mon 3/21/2005 5:42 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Have fun at DEC
>
>
>
> Hey now, Dean and I actually weren't on the admin teams. We were wandering
> consultants. We initially had been under the understanding that it was a
> hacking session and we are under constraints about showing off tricks like
> that, so we excused ourselves from the competition. Gil asked us just to walk
> around and check out what was going on.
>
> Once we realized it was a break-fix with users trying to take advantage of a
> poorly configured system, Dean jumped in a little more but still didn't get
> to do what he wanted.
>
> Had we been on the admin team, the first thing we would have done is make it
> so no one could connect remotely to the DCs and secured them, then opened
> them up. That would have made the whole experiment go about 6 or so minutes
> with reboots, as I saw no fancy hacking going on. You probably heard us up
> there saying, cut the users off at the knees, drop the services so you can
> secure. Secure environment #1, users getting access to resources #2. It was
> funny because as soon as Stuart (Kwan of the Ottawa Kwan Clan) walked up the
> first thing he was saying was screw the users, lock down as well.
>
> Dean spent most of his time pointing out how to fix broken things like DNS
> and replication and such, as well as saying disable all of the users. I spent
> the time getting beers, explaining what tools were on the CD (did poorly at
> that as I didn't recognize many of them), correcting command line commands,
> and saying drop the network!!!
>
> The lab environment was set up pretty poorly, as the VMs that were hosting
> the DCs were configured to auto-rollback changes, so every time the systems
> rebooted, everything the admin team had done was rolled back. Also the
> person who set up the hosts neglected to set a password on the host, so
> people could attack the host directly, which I understand was outside the
> scope of the test.
>
> Dean had the perfect solution right up front... Dump users, groups, OU
> structures to LDIF files, demote the forest, repromote the forest, reimport
> the users/groups/structures. That would have cleared up nearly all of the
> screwups and wouldn't have left any openings for the users errr hackers
> unless they could get on the physical box, which they couldn't do.
>
> It was extremely interesting though to see the various viewpoints. There was
> a rather stark line between many of the people where it was get the services
> running versus lock the environment down. I have no problem telling a user
> to go screw off if there is a security issue. Between fixing security and
> making users run I will almost always go to the side of security, because if
> you don't have security, you can't guarantee the quality of the information
> in your system, which is a poor place to be for an authentication system.
> Plus if it is insecure, you can't even guarantee the services very well. ;oP
>
> I wouldn't say anyone actually won the competition.
>
> That last part about the schema being messed up was Dean having fun. He
> pulled one of his tricks but didn't really let anyone see how he did it. It
> was just to show that yes, there are ways you can really hurt yourself bad
> or be hurt bad. Nothing in that test was anywhere near that level of danger.
>
>
> joe
>
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
> Sent: Monday, March 21, 2005 7:45 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Have fun at DEC
>
> Fun at DEC?
>
> Yeahh it was fun. It was also great to meet Gil, Guido, Dean, Joe, Rick and
> Deji in person.
> No chicken as I hoped for, but a t-shirt (that not even said "I went to DEC
> to get a rubber chicken but all I got was this lousy t-shirt") and we also
> got a bag. Gil was walking around with his bag that had a rope attached to
> it and the rubber chicken was hanging at the end of the rope.
> We all heard the rubber chicken "cry" (hee.. I would cry if I had a rope
> around my neck! ;-)) ) on Monday during the "AD all night" session. By the
> way.. that session was also fun. It all started with 4 environments and each
> environment contained 1 forest and 1 domain with 2 DCs, some wireless network
> stuff, an ADMINS team and a USERS team. In each environment security
> (whatever you could think of!!!) was really screwed! The admins (a complete
> team of people incl. Dean, Joe, Rick and Deji) had about 15 min. to correct
> all security screw-ups they could. After that the users came in and started
> working on the network using laptops with all kinds of hacking tools. We
> were supposed to wait 15 min. but we (I) didn't (hey, a hacker doesn't wait
> until your network is safe and all security vulnerabilities are solved by
> you! So we didn't either). While the admins were searching and solving all
> vulnerabilities I already created two user accounts anonymously and added
> those to the administrators and domain admins groups. After we created the
> accounts we thought we should wait a bit so the admins had the chance to do
> some work. We also hoped they didn't find the accounts.... Crap, that didn't
> work, as we afterwards wanted to delete all kinds of things in AD to screw it
> up as bad as possible. The caveat was that if some admin found us screwing
> around and he could prove we did the damage the user got fired. If a user
> screwed up something and an admin did not prevent it the admin got fired.
> I still don't know who did it, but after a while both DCs started rebooting
> and rebooting. The admins shut down the wireless network appliances so they
> couldn't be attacked. We as users started complaining that we couldn't do
> our work and that the SLA sucked..... ;-)) The DCs were not physically
> secured (hey, that's also important!) and one of the users pulled the power
> plug of the DCs and those went down... The user was caught in the act and
> got fired. The admin that was responsible got demoted.... From admin to
> user! Hahaha. That wasn't also bad because that admin also knew all the
> passwords. As soon as we knew the password of the administrator account we
> tried again to screw it up. After a while everything was closed down to
> maximum security (at least I think it was as we were not able to do
> anything). Better yet, the admins couldn't do much either because the DC was
> so screwed it didn't even know it had a schema (or something like that). ;-))
>
> Again: great session!
>
> Hope to attend again next year
>
> Cheers
> Jorge
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Friday, March 18, 2005 09:15
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Have fun at DEC
>
> At least I heard the chicken this year, I never had heard it. I was pretty
> well toasted at the time and thought a goose was running around the
> conference room.
>
> joe
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
> Sent: Saturday, March 12, 2005 11:20 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Have fun at DEC
>
> I believe I am the proud owner of the last DEC chicken. Gil gave it to me
> at DEC in Ontario.
>
> Sure wish I could have made it to DEC this year.
>
> Dan
>
> > -------- Original Message --------
> > Subject: RE: [ActiveDir] Have fun at DEC
> > From: "joe" <[EMAIL PROTECTED]>
> > Date: Fri, March 11, 2005 5:16 pm
> > To: ActiveDir@mail.activedir.org
> >
> > Unfortunately Gil doesn't do that anymore. He did the last chicken I
> > think 2 years back I think. I know for sure he didn't do one last year.
> >
> > He needs T-Shirts that say...
> >
> > I went to DEC to get a rubber chicken but all I got was this lousy
> > t-shirt.
> >
> >
> > joe
> >
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
> > Sent: Friday, March 11, 2005 6:51 PM
> > To: activedir@mail.activedir.org
> > Subject: [ActiveDir] Have fun at DEC
> >
> > For all you folks who are going to DEC, have a great time and good
> > luck getting the rubber chicken.
> >
> > Phil (re-subscribed with new address)
> >
> > List info : http://www.activedir.org/List.aspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive:
> > http://www.mail-archive.com/activedir%40mail.activedir.org/
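A worked evaluation of joe's admin-count heuristic I = 9S/((M^c)*(r^2)) from his March 22 message, added here as an example; it is not code from the thread or from any of its participants. The formula is taken as written in the message. Everything else is an assumption of this example: the sample inventory of admins and their reporting chains is constructed, and the rule for deriving r (distinct admins), M (distinct direct managers) and c (distinct management lines above the direct manager, i.e. how many separate chains exist before they tie back together) is one reading of how the formula's inputs would be counted. Function names (`formula_inputs`, `security_index`, `per_system_report`, `same_team`) are this example's own.

```python
"""Evaluate joe's heuristic I = 9S / (M^c * r^2) over an admin inventory.

Added example, not code from the thread: the formula is joe's, the sample
inventory below is constructed, and the counting rules for r, M and c are
this example's own assumptions.
"""
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Admin:
    name: str
    system: str              # system this person has admin control over
    chain: tuple[str, ...]   # reporting chain: direct manager first, top last


def formula_inputs(admins):
    """Derive (r, M, c) from a list of Admin records (assumed counting rules).

    r = number of distinct admins on the system
    M = number of distinct direct managers (first element of each chain)
    c = number of distinct chains of command above the direct manager, i.e.
        how many separate management lines the admins sit in before they tie
        back together; one team under one manager gives M = 1, c = 1.
    """
    r = len({a.name for a in admins})
    M = len({a.chain[0] for a in admins})
    c = len({a.chain[1:] for a in admins})
    return r, M, c


def security_index(admins, S=Fraction(1)):
    """I = 9S / (M^c * r^2), normalised so 3 admins on one team gives I = S."""
    r, M, c = formula_inputs(admins)
    if r == 0:
        raise ValueError("no admins: formula undefined")
    return Fraction(9) * S / (M ** c * r ** 2)


def per_system_report(inventory, threshold=3):
    """Score every system separately and flag those beyond joe's 'exceed 3' rule."""
    by_system = {}
    for a in inventory:
        by_system.setdefault(a.system, []).append(a)
    report = {}
    for system, admins in sorted(by_system.items()):
        r, M, c = formula_inputs(admins)
        report[system] = {
            "r": r, "M": M, "c": c,
            "I_over_S": security_index(admins),   # I expressed as a multiple of S
            "over_threshold": r > threshold,
        }
    return report


# Constructed sample inventory (not data from the thread): dc01 has a US team
# of three and an EU team of two under a different management line; fs01 has
# a single admin.
US_CHAIN = ("mgr-us", "dir-ops-us", "cio")
EU_CHAIN = ("mgr-eu", "dir-ops-eu", "cio")
INVENTORY = [
    Admin("alice", "dc01", US_CHAIN),
    Admin("bob", "dc01", US_CHAIN),
    Admin("carol", "dc01", US_CHAIN),
    Admin("dave", "dc01", EU_CHAIN),
    Admin("erin", "dc01", EU_CHAIN),
    Admin("frank", "fs01", US_CHAIN),
]


def same_team(n, system="sys", chain=US_CHAIN):
    """n admins on one system who all report through the same chain."""
    return [Admin(f"admin{i}", system, chain) for i in range(n)]


if __name__ == "__main__":
    for system, row in per_system_report(INVENTORY).items():
        flag = "OVER" if row["over_threshold"] else "ok"
        print(f"{system}: r={row['r']} M={row['M']} c={row['c']} "
              f"I={row['I_over_S']}S [{flag}]")
```

Run as a script it prints one line per system; the practical use is the `over_threshold` flag, which is the check a defender would actually act on (trim membership of the privileged group on that system), while the index itself only ranks systems relative to each other. Results are kept as `Fraction` so the multiples of S stay exact rather than drifting in floating point.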