Ah.  I hate to assume things, but I see your point.
 
<cheering>
GO NOAH!!
 
</cheering>
 
Hope that helps :)

 
On 2/10/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
if this:
>>>For political reasons, we could not just yank their admin access.

is what you are referring to, then no, you didn't miss anything. Rather I
glossed over it by subliminally adding "all of a sudden" to the line :)

I took it as a given that IF they are asking that things be tightened down,
then pruning the admins privilege distribution is the starting point. Knowing
that Noah has been on this list for a while and has seen conversations
stipulating that there is no logical way to prevent an admin from doing
whatever, I took it for granted that he is going to win the political battle
and systematically de-admin (?) the current admins.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Fri 2/10/2006 4:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Hiding in the Directory


Did I miss something?  I would also start by removing all admin access (save
one trusted) and adding them back. I realize it was said that this was not an
option, but that's the best option of them all.  Remove the access and add it
back as needed. Be sure to check both domain groups and built-in groups.

If it were me, I'd look for computers that have system access privileges like
Exchange servers.  Those would be easy to convince a person that I need to
have local access to them but they also hold a lot of rights that could be
used to elevate even further.

So basically, extend your search to include "computer" accounts that could
be members of privileged groups. I say that because if you cannot remove the
group members and add them back, then you'll have a situation where you'll
never really know if you got them all.

I think I'd be prone to check the local server accounts as well, just because
I think it's better to get everyone to defend their access vs. assuming they
should be there.  Can seem disruptive if you don't present it in a certain
way, but you get the idea.

Al


On 2/10/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

       Where the server count is manageable, yes. I restrict the admin accounts to only servers.
       Where the server count is huge, I either rely on clue-by-4 or hack around the limitations in the "Logon to" GUI (I think I posted something on how to do this last year; must be in the archive somewhere).

       Another thing I do with service accounts is put them in a group and apply a GPO that removes console login rights from that group.

       Again, security is cumulative. None of what I (and others) have described will, in itself, prevent abuse. But when you add them all together and implement them, you will have the joy of knowing that you did all you could.


       Sincerely,

       Dèjì Akómöláfé, MCSE+M MCSA+M MCT
       Microsoft MVP - Directory Services
       www.readymaids.com - we know IT
       www.akomolafe.com
       Do you now realize that Today is the Tomorrow you were worried about
       Yesterday?  -anon

       ________________________________

       From: [EMAIL PROTECTED] on behalf of Noah Eiger
       Sent: Fri 2/10/2006 12:26 PM
       To: ActiveDir@mail.activedir.org
       Subject: RE: [ActiveDir] Hiding in the Directory



       Deji-

       I have actually implemented the dual-login scenario with these folks. In general, I am trying to keep them off the server and ask them to log on to workstations to do their management tasks. You seem to be saying that you limit the admin account to servers.

       -- nme

       > -----Original Message-----
       > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ]
       > Sent: Friday, February 10, 2006 11:47 AM
       > To: ActiveDir@mail.activedir.org
       > Subject: RE: [ActiveDir] Hiding in the Directory
       >
       > >>>It's very easy to ask an admin "can you log into this ... and see what's going on?"
       > Funny :)
       >
       > This is why I always recommend that admins must have 2 accounts - one plain-vanilla, regular account that will be used for daily tasks and one with admin privileges that they only use for admin tasks. Doesn't completely remove the keylog factor, but it reduces exposure. The admin one is never mail-enabled and never used for logging into any uncontrolled system (e.g. end-user's desktop).
       >
       >
       > Sincerely,
       >
       > Dèjì Akómöláfé, MCSE+M MCSA+M MCT
       > Microsoft MVP - Directory Services
       > www.readymaids.com - we know IT
       > www.akomolafe.com
       > Do you now realize that Today is the Tomorrow you were worried
about
       > Yesterday?  -anon
       >
       > ________________________________
       >
       > From: [EMAIL PROTECTED] on behalf of Burns, Clyde R.
       > Sent: Fri 2/10/2006 11:33 AM
       > To: ActiveDir@mail.activedir.org
       > Subject: RE: [ActiveDir] Hiding in the Directory
       >
       >
       > I would also watch out for scripts tucked away that elevate some other users' privileges using a domain admin's credentials upon login.
       > Places I would check:
       > Startup folder(s)
       > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
       > win.ini - multiple entries on the "shell=" line (on NT4 and older OSes)
       > Possibly a GPO attached to accounts that will remain domain admins?
       >
       > It's very easy to ask an admin "can you log into this ... and see what's going on?" once the permission tightening was over and the consultant was gone. Then business as usual.
       >
       > Clyde Burns
       >
       > ________________________________
       >
       > From: [EMAIL PROTECTED]
       > [mailto:[EMAIL PROTECTED]] On Behalf Of Grillenmeier, Guido
       > Sent: Friday, February 10, 2006 1:43 PM
       > To: ActiveDir@mail.activedir.org
       > Subject: RE: [ActiveDir] Hiding in the Directory
       >
       >
       > Good points - usually the hardest ones to figure out.
       >
       > And if you knew AD well and the forest is set up "appropriately", you might also want to leverage SIDhistory.
       >
       > ________________________________
       >
       > From: [EMAIL PROTECTED]
       > [mailto:[EMAIL PROTECTED]] On Behalf Of Bahta, Nathaniel V
       > Contractor NASIC/SCNA
       > Sent: Friday, 10 February 2006 18:19
       > To: ActiveDir@mail.activedir.org
       > Subject: RE: [ActiveDir] Hiding in the Directory
       >
       >
       >
       > If I were wanting to hide out in the directory, and didn't know much about Active Directory, but had a fair amount of general knowledge about computers, I would check into the Active Directory hotel under a fake name with the Mrs and I.  I would call myself Intrasite Topology Generation Account or something sounding official and then use that as my runas buddy. Or I could just create a group called Federated Forest Knowledge Consistency Checkers and then give the Topology Generation account membership to it, and then give the Federated Forest Knowledge Consistency Checkers all the user rights of whatever kind of admin I would hope to be.  I might even install some services and make them sound official like Directory Services Cyclic Redundancy Checker and make the Topology Generation Account the service account it runs under as well.  Why try to create a backdoor when you can just create another front door?  Kinda like the fake laundry service gag to break out of prison you always see in the movies.
       >
       >
       > Nate
       >
       > ________________________________
       >
       > From: [EMAIL PROTECTED]
       > [mailto:[EMAIL PROTECTED]] On Behalf Of Noah Eiger
       > Sent: Friday, February 10, 2006 11:54 AM
       > To: ActiveDir@mail.activedir.org
       > Subject: [ActiveDir] Hiding in the Directory
       >
       >
       >
       > I have been asked by a company to help them tighten what is currently a very loose security model. Now, several non-IT-but-computer-adept employees have accounts with full Domain Admin privileges. Many of these folks are programmer types and pretty savvy (which leads them to think they know what they are doing - that's another story). They are also aware that we are going to tighten things down. For political reasons, we could not just yank their admin access.
       >
       > So the question is: if you were one of these folks and were inclined to mischief (or simply ensuring your continued access), how might you hide yourself in the Directory? More to the point: where should I look beyond the obvious group memberships?
       >
       > Thanks.
       >
       > -- nme
       >




List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
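A defender-side audit script, added here as an illustration and not written by any poster in the thread: it recursively enumerates the domain and built-in admin groups Al tells Noah to check, flags computer and group objects among their members (his "computer accounts in privileged groups" case), and lists the Run key and Startup folder entries from Clyde's list. It assumes the RSAT ActiveDirectory PowerShell module on a domain-joined host; the group list and the per-user Run key and Startup folder are my additions, not the thread's.

```powershell
# Added example (not from any poster in the thread). Assumes the RSAT ActiveDirectory
# module on a domain-joined host with an account that can read group membership.
Import-Module ActiveDirectory

# Domain and built-in groups that confer admin-equivalent rights.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Server Operators',
    'Backup Operators', 'Print Operators'

function Get-PrivilegedMembers {
    foreach ($group in $PrivilegedGroups) {
        # -Recursive expands nested groups, so a group hidden inside a group still
        # surfaces; computer objects (e.g. an Exchange server) appear as 'computer'.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            $flag = if ($m.objectClass -ne 'user') { 'non-user principal' } else { '' }
            [pscustomobject]@{
                Group       = $group
                Member      = $m.SamAccountName
                ObjectClass = $m.objectClass
                Flag        = $flag
            }
        }
    }
}

function Get-AutorunEntries {
    # The machine-wide Run key from Clyde's list plus its per-user equivalent.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (Test-Path $key) {
            # Drop the PSPath/PSProvider bookkeeping properties; keep real value names.
            (Get-ItemProperty -Path $key).PSObject.Properties |
                Where-Object { $_.Name -notmatch '^PS' } |
                ForEach-Object { [pscustomobject]@{ Location = $key; Name = $_.Name; Command = $_.Value } }
        }
    }
    # All-users and current-user Startup folders.
    $startupDirs = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
                   "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $_.FullName } }
    }
}

Get-PrivilegedMembers | Sort-Object Flag -Descending | Format-Table -AutoSize
Get-AutorunEntries | Format-Table -AutoSize
```

Run the second part on each server being reviewed, since Run keys and Startup folders are per machine; the group report is domain-wide and only needs running once.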
