Correct - we're on the same page.  Simply an example of things that I don't
like that have been used in the past to allow systems to act upon another by
issuing token-based methods.

Rick

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, August 09, 2005 4:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Rick, I agree with your points on CD, but what are you talking about
here with "Act as part of the operating system"?  That doesn't need to
get enabled anywhere to use constrained delegation.

Generally, that only tends to get added to accounts on Windows 2000 that
need to call the LogonUser API, but it is not needed for that on XP or
2003.

The other reason it is sometimes needed is when a process wants to
directly create a security token for a user with impersonation
privileges via Kerberos S4U (protocol transition).  However, this is not
normally the case unless protocol transition is being done
programmatically.  The "automatic" version of protocol transition
doesn't need this.

If you were just using that as an example of a bad setting choice to
have to make, then I get it.  I just wanted to make sure there was no
cross up.

Thanks!

Joe K.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Bob,

Make no mistake - I'm really not a fan of allowing "Act as part of the
operating system" or the Impersonation privilege.

That being said - from the work that I have done with other web developers
needing access to SQL or application servers, constrained delegation is the
best method that I have seen available - IF it is done correctly.  As I
suspect you know (and the reason for your asking) it's all about the level
of comfort with the solution.

However, just the very configuration sets up two things that I like very
much.  One - in the old(er) methods of delegation, Alice authNs to server
Bob, which then impersonates Alice to SQL Server.  Bob is then the
authenticator to the destination, SQL Server - not Alice, which causes a bit
of a problem - Trust.  Can you trust Server Bob, or the administrator, or
who else might have control of server Bob?  Maybe not.  Auditing, too,
becomes a problem.

Model two involves, again, Alice AuthN to Server Bob; Server Bob authNs to
the SQL server as Alice.  Server Bob, in and of itself, has no permissions
to the SQL server and we see that the audit logs show access by Alice - not
Bob.  Big mitigation in relation to authN.  Alice is allowed, not Server
Bob.  Server Bob is still allowed to do some role based authN and authZ.

Now, let's add the constrained delegation.  Pretty much the same thing as
model two - except we are allowed to limit the scope of servers, services,
ports, etc. that the delegated request is able to talk to.

There is no completely safe solution when we involve impersonation.
However, Security is Risk Management.  Without having a complete, holistic
view of the entire solution and environment, I can't really tell you what
your risk will be.  What I can say is that if Plain Text is 100% Risk, and
"Act As Operating System" is 30%, this is 10%.

As to the AD perspective - not much at all that I'm aware of.  As to the
desirability, I'd prefer this method over any of the others that have been
presented of late - short of two-factor.

If you haven't seen this:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx


Rick
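To make Rick's three models, Joe's point about "automatic" protocol transition, and Bob's "how do I manage it as an AD admin" question concrete, here is an added example (not code from anyone on this thread). It models the KDC's decision for a front-end service account asking for a ticket in a user's name, driven by the same two AD attributes the ADUC Delegation tab writes: the TRUSTED_FOR_DELEGATION and TRUSTED_TO_AUTH_FOR_DELEGATION bits of userAccountControl and the msDS-AllowedToDelegateTo SPN list. The bit values and attribute names are the real ones; the service accounts, SPNs and hostnames are constructed, and the local "Act as part of the operating system" privilege is out of scope because it is a per-host right, not something the KDC evaluates.

```python
"""Constructed model of the delegation setups discussed in this thread, plus
the audit check an AD admin can run over service accounts.

Added example, not code from the original messages.  The account records
below are made up; the attribute names and userAccountControl bit values
are the real Active Directory ones."""

# userAccountControl flags that govern Kerberos delegation (real AD values).
NORMAL_ACCOUNT = 0x00000200
TRUSTED_FOR_DELEGATION = 0x00080000          # unconstrained: "delegation to any service"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # "Use any authentication protocol" (protocol transition)

# Constructed service accounts, shaped like the attributes you would pull with ldifde or adfind.
ACCOUNTS = {
    # Model one/two in the thread: a forwarded TGT lets web01 reach any service as Alice.
    "svc-web01": {"userAccountControl": NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION,
                  "msDS-AllowedToDelegateTo": []},
    # Bob's scenario: SQL01's account may only delegate to SQL02's MSSQLSvc SPN, Kerberos only.
    "svc-sql01": {"userAccountControl": NORMAL_ACCOUNT,
                  "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql02.corp.example:1433"]},
    # Joe's "automatic" protocol transition: constrained, but the front end may mint the user's ticket itself.
    "svc-app02": {"userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
                  "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql02.corp.example:1433",
                                               "HTTP/intranet.corp.example"]},
    "svc-plain": {"userAccountControl": NORMAL_ACCOUNT, "msDS-AllowedToDelegateTo": []},
}


def delegation_mode(account):
    """Classify an account the way the ADUC Delegation tab would display it."""
    uac = account.get("userAccountControl", 0)
    targets = account.get("msDS-AllowedToDelegateTo") or []
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"              # "Trust this computer for delegation to any service"
    if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained-any-protocol"   # constrained + "Use any authentication protocol"
    if targets:
        return "constrained-kerberos-only"  # constrained + "Use Kerberos only"
    return "none"


def kdc_grants_ticket_as_user(front_end, target_spn, user_authenticated_with_kerberos):
    """Model of the KDC's decision when the front end asks for a ticket to target_spn
    in the user's name.  True means the front end ends up holding a service ticket
    that carries the user's identity, so the back end audits Alice, not Server Bob."""
    mode = delegation_mode(front_end)
    if mode == "none":
        return False
    if mode == "unconstrained":
        # The front end reuses the user's forwarded TGT; the KDC applies no scope at all,
        # but the user must have come in over Kerberos with a forwardable TGT.
        return user_authenticated_with_kerberos
    allowed = {spn.lower() for spn in front_end["msDS-AllowedToDelegateTo"]}
    in_scope = target_spn.lower() in allowed  # S4U2Proxy: the KDC enforces msDS-AllowedToDelegateTo
    if mode == "constrained-kerberos-only":
        # The evidence ticket must be the one the user presented, so the user must have used Kerberos.
        return in_scope and user_authenticated_with_kerberos
    # constrained-any-protocol: S4U2Self lets the front end obtain the evidence ticket itself,
    # so a user who authenticated by NTLM, forms, etc. can still be impersonated, within scope.
    return in_scope


def audit(accounts):
    """Return (name, mode, targets) for every account that can delegate at all, with
    unconstrained and any-protocol first, since those are the ones worth a policy conversation."""
    rows = [(name, delegation_mode(acct), tuple(acct.get("msDS-AllowedToDelegateTo") or []))
            for name, acct in accounts.items()]
    rank = {"unconstrained": 0, "constrained-any-protocol": 1, "constrained-kerberos-only": 2}
    return sorted((r for r in rows if r[1] != "none"), key=lambda r: (rank[r[1]], r[0]))


if __name__ == "__main__":
    for name, mode, targets in audit(ACCOUNTS):
        print(f"{name:10} {mode:26} {', '.join(targets) or '(any service)'}")
```

Running it lists svc-web01 (unconstrained), then svc-app02 (any protocol), then svc-sql01 (Kerberos only). The svc-sql01 case is the one Bob is being asked to approve: the account can reach MSSQLSvc on sql02 as the calling user and nothing else, and only when that user actually authenticated to SQL01 with Kerberos. Flipping the account to "any authentication protocol" removes that second condition, which is the setting worth a second look before it is granted.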

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, August 09, 2005 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos Delegation

We have a developer who wants us to allow delegation for a couple of SQL
servers and their service accounts so he can do distributed queries
across linked servers. This is new ground for us from an AD perspective
that I have just started researching and I'd like to hear others'
thoughts, policies etc.

We are at 2003 functional level so from what I read, we can allow
constrained delegation which is much better than un-constrained but most
of the comments I come across indicate this isn't something to be taken
lightly, has serious security ramifications, policies should be in place
etc., etc.

I can find a reasonable amount of information from the developers
point-of-view, and I can see how to implement it technically (I think)
but not a whole lot from the AD admin's perspective, especially as it
pertains to the desirability of allowing it and how best to manage it if
it is allowed.

Any info greatly appreciated.

Bob

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
