Title: RE: [ActiveDir] OT:Exchange 2003 SP1 bloat
The unknown absolutely is a security risk. It isn't safe to assume anything else. Basically it isn't a good case to presume innocent until proven guilty, because you could find out the guilty verdict too late. Here you must, if thinking with a solid security hat on, presume guilty until you know enough to grant trust and know where the edge of that trust lies, and make doubly sure that the tech is bordered in the same spot. This isn't just to protect against someone purposely doing something bad to you, but also someone accidentally doing something bad to you.
 
The main security concerns I would have here would be information disclosure and denial of service, accidental or purposeful. Depending on what Douglas meant by the junior admin comment it could be much worse: what rights does this "test" account get, and what is it doing in production? I expect something like this is more acceptable in smaller companies where the overall risk may not be as high, but the larger the company and the more sensitive the data (such as email addresses of all users[1] as well as corporate structure, etc.), the more risky this becomes, especially if there is no formal review of everything end to end to put compensating controls in place and to understand the overall process, especially data flow and system requirements. I would have to say that in several large orgs I have consulted for, the CIO would be stopped dead in his tracks on this until the proper complete security and architecture reviews were done. With today's information disclosure rules this gets more and more touchy.
 
I would be far more likely to agree to granting access to ADAM or some other LDAP directory that can be properly locked down and any abuse of the directory could be easily cordoned off such as abusive queries or updates. Any updates that needed to make it back into the main directory would be handled by controls I, as the DA, owned and controlled.
 
   joe
 
 
 
[1] How much, for instance, are the valid emails of all users as well as their titles and reporting structures and departments and addresses of a company say like Microsoft or Walmart or GM or Boeing or any of the Fortune 100 worth? If a company has 100 or even 1000 people, unless it is a very particular company and that info is particularly sought after, the value of that info is entirely different from the value of the info in the previous cases. Personally I wouldn't mind browsing the organizational structure of a company say like IBM [2] and being able to pinpoint specific people to email if I chose to. With a full AD dump, it is highly likely that not only would you find the official email addresses of all execs but also the secret email addresses of the mailboxes many keep for personal and family emails that they monitor themselves versus having an assistant manage. I can say from direct Fortune 5 experience, the execs treasure those secret email addresses far more than their normal work address. I have been called out of bed more than once for issues with those accounts, and I never got called out of bed for single user issues other than that.
 
[2] Because I am an MS MVP I have fairly extensive access to Microsoft addresses and information, but then, I have been checked out and forced to sign multiple NDAs and accepted into a certain realm of trust. A realm of trust with very specific borders, and in fact a year or two ago, when it was discovered that those borders were not technically enforced as Microsoft initially thought, I was quite rapidly booted back out of them due to security saying no way. Point being, it wasn't just granted; there was a lot of work put into place to understand what needed to be done and what should be available.
 
 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, August 22, 2005 9:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kinda OT: Advice welcomed

All this is good advice, but tends to accept as fact that there is a security risk involved.  You wrote,
 
you know nothing about (and for that reason do not trust)
 
There are really two issues here:
 
- your CIO is playing AD administrator, and for dealing with that there has been lots of good advice
- you don't have all the security facts, so fear the worst consequences
 
I'd suggest first finding out all you can about this application and its site because it sounds like you're going to have to deal with it for a long time.  If you approach this as a control issue--well, the CIO is in charge as others have said.  If you approach it wrong, the CIO may think you have a problem with change because this may be a new application in your environment or something in the business has dictated handling this in a new way.
 
I think the real outcome you want is for the CIO to appreciate that he should keep you informed about changes and that you can help make them happen in a seamless and secure way.  That way you can make his life easier and he won't have to deal with this sort of thing.
 
Good luck!
 
AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
----------------------------------------------
Better Administration through Active Directory

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of joe
Sent: Saturday, August 20, 2005 8:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kinda OT: Advice welcomed

How big is your company? Do you have a security group that doesn't report through the CIO? This is almost certainly unacceptable corporate exposure that your CIO really doesn't have the right to expose the company to on his own, in my opinion. This is the kind of thing that I would certainly really push up the ladder hard and would be willing to be terminated for. However, it completely depends on your feelings on the matter. Is it something you would quit over? If not, then it probably isn't something you would want to be fired for, and making a stink of it other than simply reporting it to your direct manager is probably not what you want to do.
 
In your shoes, I would consider locking down the traffic from that address or range of addresses with IPsec or something else under my complete control, and report it to my management and security to make a call on what the next steps were. If your company is so small that the CIO is directly tasking you, I expect you don't have a separate security group and you may have very, very little recourse other than to talk directly to the CIO and explain the risk he is putting the company in (he told you what to do directly; IMO, that gives you the right to question and explain why you think it isn't right). If he still says full speed ahead, say damn the torpedoes and go with it, OR throw up the white flag and move on to bigger and better things. Again, if you don't have a separate security chain, there is a good chance that you have no leverage to fight, so you could never "win" and the battle is not very appealing.
 
Another way of looking at this is if something bad happens, whose ass is up on the firing line? If it is mine, I certainly would make it very clear how bad I thought this was so my rebuttal at the time of the decision to fire or not is "I told you this was stupid". Then again, I am very much about doing the right thing and have enough job security that I am not overly upset about losing a crappy position.
 
As the others said, that AD and that company isn't yours. But, IMO, it is your job to make sure you speak up when things are not done properly. If not, you are admitting that you were simply hired to push buttons. Our job as admins is to help our management make good decisions and recover from stupid ones, as well as implement all of them, smart or stupid.
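One way to carry out the lockdown joe sketches above (scope the DC's LDAP exposure to the one remote host, create an expiring least-privilege test account instead of a general-purpose one, and log what that account actually does against the directory), as an added PowerShell example that is not from the thread or from any of its authors. It assumes a current Windows Server DC with the ActiveDirectory and NetSecurity modules (the 2005-era equivalent of the firewall scoping was a netsh ipsec filter policy); the remote address, OU, account name and expiry window are placeholders.

```powershell
# Added example, not from the thread. Run as a Domain Admin on the DC that the
# remote site was given access to. Every value below is an assumed placeholder.
#Requires -Modules ActiveDirectory, NetSecurity

$RemoteSiteIp   = '203.0.113.10'                     # assumed: the hosting site's source address
$InternalRanges = @('LocalSubnet', '10.0.0.0/8')     # assumed: ranges that legitimately need LDAP
$TestOu         = 'OU=External Test Accounts,DC=corp,DC=example'   # assumed: a dedicated OU
$TestSam        = 'svc-remote-test'                  # assumed account name
$TestLifetime   = 30                                 # days until the account expires on its own

# 1. Narrow the DC's built-in LDAP rule so only internal ranges plus the single
#    remote host can reach TCP 389, instead of "any remote address". Block rules
#    win over allow rules in Windows Firewall, so if the network team also opened
#    389 from the whole Internet at the edge, this still limits it at the host.
#    Plain 389 carries simple binds in cleartext; if the remote site can do LDAPS,
#    give it 636 only (the "Secure LDAP (TCP-In)" rule) and leave 389 internal.
Get-NetFirewallRule -DisplayName 'Active Directory Domain Controller - LDAP (TCP-In)' |
    Set-NetFirewallRule -RemoteAddress ($InternalRanges + $RemoteSiteIp)
Get-NetFirewallRule -DisplayName 'Active Directory Domain Controller - Secure LDAP (TCP-In)' |
    Set-NetFirewallRule -RemoteAddress ($InternalRanges + $RemoteSiteIp)

# 2. The "test user" the remote site receives: a dedicated account in its own OU,
#    member of nothing beyond Domain Users, unable to change its own password, and
#    expiring automatically so a forgotten test credential does not live forever.
#    Interactive/RDP logon for this OU should additionally be denied by GPO
#    ("Deny log on locally" / "Deny log on through Remote Desktop Services").
$pw = Read-Host -AsSecureString 'Password for the test account'
New-ADUser -Name 'Remote Site LDAP Test' -SamAccountName $TestSam -Path $TestOu `
    -AccountPassword $pw -Enabled $true `
    -AccountExpirationDate (Get-Date).AddDays($TestLifetime) `
    -CannotChangePassword $true `
    -Description "LDAP test bind for remote hosting site; expires in $TestLifetime days"

# Verify it picked up nothing but the default membership before handing it out.
Get-ADPrincipalGroupMembership -Identity $TestSam | Select-Object -ExpandProperty Name

# 3. Make the account's activity visible. Directory Service Access auditing logs
#    reads/writes of audited objects; the NTDS diagnostics values log LDAP binds and
#    flag expensive or inefficient searches (event 1644), which is how you notice
#    the remote site pulling the whole directory or hammering the DC.
auditpol.exe /set /subcategory:"Directory Service Access" /success:enable /failure:enable
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 2
Set-ItemProperty -Path $diag -Name '15 Field Engineering'     -Value 5

# 4. Review: expensive searches since the account was created, and unsigned/simple
#    binds (event 2889 is logged when a client binds without signing or over plain LDAP).
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1644; StartTime = $since } |
    Select-Object TimeCreated, Message | Format-List
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since } |
    Where-Object { $_.Message -match [regex]::Escape($RemoteSiteIp) } |
    Select-Object TimeCreated, Message | Format-List
```

The firewall scoping is the cheapest control because it sits entirely on a box the DC admin owns, which is the point joe makes about keeping the controls under your own authority; the account settings limit the blast radius of a leaked test credential, and the auditing gives you the evidence to take back up the ladder if the "test" turns into a directory dump.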


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Friday, August 19, 2005 11:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kinda OT: Advice welcomed

Here’s a question for everyone:

 

Your CIO decides it is cheaper to host an application remotely at a site that you know nothing about (and for that reason do not trust). He then decides on his own that he will just tell the network guy to open port 389 to one of your production DCs without consulting, or even mentioning it to you or anyone else that may have something to say about the security risks. Then he asks you to create a test user account for a junior admin to test with, and gives the remote site the username and password.

 

What do you do?
