RE: [ActiveDir] How Secure is a Domain Controller?
The use of 20 char passwords caught my eye. In previous discussions with MS et al, it was suggested that the majority of users would simply repeat a (at most) 7 char password n times, so as to meet the 20+ char pw policy requirement. As a result, I have heard it suggested that in reality (not theory) a pw policy of more than 7 chars is actually counter-productive. [Any pw policy with a multiple of 7 chars being most counter-productive.]

Food for thought,
neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: 05 March 2006 08:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How Secure is a Domain Controller?

I've written down some related thoughts once: http://msmvps.com/blogs/ulfbsimonweidner/archive/2004/10/24/16568.aspx

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Sunday, March 05, 2006 4:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How Secure is a Domain Controller?

How secure is a Domain Controller that is fully patched on a default install of Windows 2003? When promoted, the domain controller has the two default policies, both of which are recommended not to be modified. But there are things that could be done better for added security. For example, NTLMv2: refuse NTLM and LM. Is it common practice to add additional GPOs to the DC OU? Or is the DC protected enough to where all that is needed to worry about are the member machines? If adding additional GPOs to the DC OU, is there anything that should definitely be avoided?

Edwin

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only.
If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
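The failure mode neil describes (a short block repeated until the minimum length is met; 7 is the length of each half the LM hash is computed over) is something a password filter or audit script can test for. The following is an added example, not code from the list thread: it finds the shortest block that reproduces a candidate password, exactly or nearly, and credits the password with that block's length rather than its raw character count. The sample passwords and the policy thresholds are constructed.

```python
"""Detect passwords that meet a long minimum length by repeating a short block.

Added example, not from the list thread. It implements the check a
password filter or audit script could run on a candidate password:
find the shortest block whose repetition (exactly, or nearly) produces
the password, and use that block's length as the effective length
instead of the raw character count. The sample passwords are constructed.
"""
from typing import List


def repeat_block_length(pw: str, tolerance: float = 0.0) -> int:
    """Return the length of the shortest block that, repeated, reproduces `pw`.

    For a block length b, every position i is compared with position i-b.
    If at most `tolerance` of those comparisons differ, b is accepted.
    tolerance=0.0 means exact repetition (a trailing partial copy, as in
    "abcdefgabcdefgabcdef", still counts); tolerance=0.25 also catches
    "Secret1Secret2Secret3", where one character per block was changed.
    Returns len(pw) when no block of at most half the length fits.
    """
    n = len(pw)
    for b in range(1, n // 2 + 1):
        compared = n - b
        mismatches = sum(1 for i in range(b, n) if pw[i] != pw[i - b])
        if mismatches <= tolerance * compared:
            return b
    return n


def effective_length(pw: str) -> int:
    """Length credited to the password once near-repetition is collapsed."""
    return repeat_block_length(pw, tolerance=0.25)


def check_policy(pw: str, min_length: int = 20, min_effective: int = 14) -> List[str]:
    """Return the reasons a password fails; an empty list means it is accepted.
    The thresholds are constructed defaults, not values from any product."""
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    eff = effective_length(pw)
    if eff < len(pw) and eff < min_effective:
        reasons.append(f"built from a {eff}-character block repeated "
                       f"{len(pw) / eff:.1f} times; effective length {eff}")
    return reasons


if __name__ == "__main__":
    # Constructed samples: a 7-character block three times over, a near-repeat
    # with one digit changed per block, and a passphrase with no repetition.
    for sample in ["abcdefgabcdefgabcdefg", "Secret1Secret2Secret3",
                   "correct horse battery staple"]:
        print(f"{sample!r}: effective length {effective_length(sample)}, "
              f"problems: {check_policy(sample) or 'none'}")
```

The tolerant comparison is the part worth keeping: an exact-repetition test is defeated by the obvious "Secret1Secret2Secret3" variant, while comparing each character with the one a block earlier still sees it as one 7-character block.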
RE: [ActiveDir] SYSVOL and Junction Points
The same question was asked at an MS seminar I went to about 3 or 4 years ago, and the MS rep explained that he didn't have a firm technical answer either, and that at some early point during the dev of AD there was an intention to be able to host more than one AD on a DC, and that junction points would have been used somehow for that and just never got removed.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rachui, Scott
Sent: 04 March 2006 16:50
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SYSVOL and Junction Points

I'm going to ask what may be a dumb question, but I can't find anything on it in the literature. I am trying to get a better understanding of how SYSVOL functions, and I think I've got a pretty decent idea. But when it comes to Junction Points, I'm a bit mystified.

I have read the literature, and I understand that junction points are really just pointers to actual directories, rather than directories themselves. I understand that if you look in a junction point, it will appear as a directory but its content will be the content of the real directory it's pointing to. I understand that the 2 junction points in SYSVOL are:

1. %systemroot%\Sysvol\Sysvol\FQDN of domain, pointing to %systemroot%\Sysvol\domain
2. %systemroot%\Sysvol\Staging Areas\FQDN of domain, pointing to %systemroot%\Sysvol\Staging\domain

What I want to know is why Junction Points are used. I understand, for example, that you want to prevent files being copied when they're open by users. This is the purpose for the staging directory, I believe. I understand that the PreInstall folder is so SYSVOL doesn't copy a file in until it's fully replicated. But I just can't get anyone to tell me why Junction Points are needed in SYSVOL, and what their presence helps to achieve.

If you guys have an answer, or can point me to the literature to help figure it out, that would be great. Any information would be much appreciated.

Thanks,
Scott

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

This message has been scanned for viruses by MailControl - (see http://bluepages.wsatkins.co.uk/?4318150)

This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding.
[ActiveDir] DC Lookup....
My environment: W2K FL, mix of W2K and W2K3 DCs, one forest, one domain, 60 DCs, all DCs bar one are relatively well connected (smallest link is 256k). One DC is poorly connected on a very highly utilised 1MB line :-(

Does anyone know if there is a way to specify which DC a site uses when the DC assigned to that site is offline? To be specific, I want to manage a situation where a site is assigned a DC (or a bunch of them) and then those DCs fail. The clients then will look up alternate DCs, but I want different subnets to look up different "secondary" DCs.

So site A has DCServerA, site B has DCServerB, site C has DCServerC, site D has DCServerD and site E has DCServerE. When DCServerA fails, I want those clients to use DCServerE. When one of DCServerB, DCServerC or DCServerD fails, I want them to use one of DCServerB, DCServerC or DCServerD.

Sort of confusing question to ask... anyone have any ideas? I know that DC DNS records can be weighted, but that is across the board and would affect all sites, right?
RE: [ActiveDir] DC Lookup....
Brad-

Have you seen this article? http://support.microsoft.com/kb/306602

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Monday, March 06, 2006 12:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC Lookup
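Brad's closing remark, that SRV weights apply "across the board", is easiest to see by running the lookup a client performs. The following is an added example, not from the list thread or the KB article: a simplified model of the DC Locator's DNS step (site-specific SRV name first, then the domain-wide name, each ordered by the RFC 2782 priority/weight rules) run over constructed zone data for the five-site scenario in Brad's post. The domain name, site names and host names are assumptions, and the model leaves out the real locator's further steps such as automatic site coverage.

```python
"""Model of how a domain member picks a DC from DNS SRV records, to show why
weights on the domain-wide records cannot express per-site "secondary" DCs.

Added example, not from the list thread. It implements the RFC 2782
priority/weight selection and the two query names the DC Locator tries in
order: the site-specific _ldap._tcp.<site>._sites.dc._msdcs.<domain>, then
the domain-wide _ldap._tcp.dc._msdcs.<domain>. The zone content is constructed
for the five-site scenario in Brad's post; the domain name, site names and
host names are assumptions.
"""
import random
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    target: str


DOMAIN = "corp.example"                       # assumed
SITES = ["SiteA", "SiteB", "SiteC", "SiteD", "SiteE"]
DCS = {s: f"dcserver{s[-1].lower()}.{DOMAIN}" for s in SITES}


def build_zone(domain_wide_weights: Optional[Dict[str, int]] = None) -> Dict[str, List[Srv]]:
    """Constructed zone: each site-specific name lists only that site's DC, while
    the domain-wide name lists every DC. A weight set there applies to every
    client that falls back to it, whichever site the client is in."""
    w = domain_wide_weights or {}
    zone = {f"_ldap._tcp.{s}._sites.dc._msdcs.{DOMAIN}": [Srv(0, 100, DCS[s])] for s in SITES}
    zone[f"_ldap._tcp.dc._msdcs.{DOMAIN}"] = [Srv(0, w.get(DCS[s], 100), DCS[s]) for s in SITES]
    return zone


def rfc2782_order(records: List[Srv], rng: random.Random) -> List[Srv]:
    """Order SRV records: lowest priority first, weighted random within a priority."""
    ordered: List[Srv] = []
    for prio in sorted({r.priority for r in records}):
        # RFC 2782: weight-0 records go to the front of the list so they are rarely chosen
        pool = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight != 0)
        while pool:
            pick = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def locate_dc(site: str, zone: Dict[str, List[Srv]], available: Set[str],
              rng: Optional[random.Random] = None) -> Optional[str]:
    """Return the DC a client in `site` settles on, given which DCs answer.
    Simplified: the real locator pings candidates and has further fallbacks."""
    rng = rng or random.Random(0)
    for name in (f"_ldap._tcp.{site}._sites.dc._msdcs.{DOMAIN}",
                 f"_ldap._tcp.dc._msdcs.{DOMAIN}"):
        for rec in rfc2782_order(zone.get(name, []), rng):
            if rec.target in available:        # a DC that does not answer is skipped
                return rec.target
    return None


def fallback_distribution(site: str, zone: Dict[str, List[Srv]], available: Set[str],
                          trials: int = 1000, seed: int = 0) -> Counter:
    """Which DC clients in `site` end up on, over many independent lookups."""
    rng = random.Random(seed)
    return Counter(locate_dc(site, zone, available, rng) for _ in range(trials))


if __name__ == "__main__":
    zone = build_zone()
    alive = set(DCS.values())
    print("SiteA, all DCs up:", locate_dc("SiteA", zone, alive))
    alive.discard(DCS["SiteA"])
    print("SiteA, DCServerA down:", dict(fallback_distribution("SiteA", zone, alive)))
    # Steering SiteA's failover to DCServerE by weight steers every other site as well.
    heavy = build_zone({DCS["SiteE"]: 1000, **{DCS[s]: 1 for s in SITES if s != "SiteE"}})
    print("SiteA, A down, E weighted:", dict(fallback_distribution("SiteA", heavy, alive)))
    alive = set(DCS.values()) - {DCS["SiteB"]}
    print("SiteB, B down, E weighted:", dict(fallback_distribution("SiteB", heavy, alive)))
```

With equal weights, SiteA clients whose DC is down spread evenly over the other four DCs; giving DCServerE a heavy weight sends them to DCServerE, but SiteB clients whose DC is down go there too, because both sites fall back to the same domain-wide record set.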
Fw: [ActiveDir] SYSVOL and Junction Points
They are also known as reparse points, and RIS uses them for the Single Instance Store.

-----Original Message-----
From: [EMAIL PROTECTED]
Date: 06/03/2006 11:15
To: ActiveDir@mail.activedir.org
Subj: RE: [ActiveDir] SYSVOL and Junction Points
RE: [ActiveDir] SYSVOL and Junction Points
Junction Points are one implementation of the NTFS technology known as Reparse Points. http://www.pcguide.com/ref/hdd/file/ntfs/filesReparse-c.html

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 06 March 2006 13:20
To: ActiveDir@mail.activedir.org
Subject: Fw: [ActiveDir] SYSVOL and Junction Points
[ActiveDir] Recommendations for spam issue
If you were a 20 user non-profit organization that was having a serious problem with SPAM, had an Exchange server in-house but an external internet provider that was "filtering" and forwarding your e-mail but not doing a good job, what product or solution would you recommend? The problem is valid e-mails are being blocked and SPAM is getting through. Would something like Trend Client Server Security for SMB work well in this situation?

~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~
RE: [ActiveDir] Recommendations for spam issue
Russ,

I've used two solutions for this issue, both of which I think turned out well:

1. Astaro Security Linux with mail protection subscription - available either as an appliance or a hardened Linux distro you can install on a decent PC
2. Sunbelt Software's IHATESPAM

The 501c(3) I support, with about 15 desktops currently, uses the Astaro appliance solution.

From: [EMAIL PROTECTED] on behalf of Rimmerman, Russ
Sent: Mon 3/6/2006 10:09 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recommendations for spam issue

This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated.
[ActiveDir] Resolving SIDs
I thought I remember seeing something recently about how to build some user information from a SID. Is this possible or am I dreaming? I don't mean resolving the SID against AD, I actually mean taking a lone SID and building some user information based on just the SID.

Thanks,

Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573

ITS ENTERPRISE SERVICES EMAIL NOTICE
The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.
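What a lone SID does and does not tell you follows from its structure, which the thread does not spell out. The following is an added example, not an answer posted to the list: a parser that splits a textual SID into identifier authority, sub-authorities, the issuing domain's SID and the relative identifier (RID), and annotates it with the Microsoft-documented well-known values. The sample SIDs at the bottom are constructed, and the well-known tables are deliberately partial.

```python
"""Read what a Windows SID reveals on its own, without resolving it against AD.

Added example, not from the list thread. The identifier-authority values,
well-known SIDs and well-known relative identifiers (RIDs) below are
Microsoft-documented constants (a subset); the sample SIDs are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

AUTHORITIES = {0: "Null", 1: "World", 2: "Local", 3: "Creator",
               5: "NT Authority", 16: "Mandatory Label"}

# Whole SIDs that are identical on every Windows system (subset).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "LocalSystem",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}

# RIDs that mean the same thing in every domain (subset).
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers",
    518: "Schema Admins", 519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
}


@dataclass
class SidInfo:
    sid: str
    authority: int
    sub_authorities: List[int]
    domain_sid: Optional[str] = None   # the issuing domain's SID, when the structure shows one
    rid: Optional[int] = None          # relative identifier inside that domain
    notes: List[str] = field(default_factory=list)


def parse_sid(text: str) -> SidInfo:
    """Parse a textual SID and annotate it with everything the string itself tells us."""
    sid = text.strip()
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a textual SID: {text!r}")
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    info = SidInfo(sid, authority, subs)
    info.notes.append(f"identifier authority {authority} "
                      f"({AUTHORITIES.get(authority, 'unknown')})")
    if sid in WELL_KNOWN_SIDS:
        info.notes.append(f"well-known SID: {WELL_KNOWN_SIDS[sid]}")

    if authority == 5 and len(subs) == 2 and subs[0] == 32:
        # S-1-5-32-<rid>: the BUILTIN domain of whichever machine evaluates it
        info.domain_sid, info.rid = "S-1-5-32", subs[1]
        info.notes.append("BUILTIN domain; resolves locally on every machine")
    elif authority == 5 and len(subs) in (4, 5) and subs[0] == 21:
        # S-1-5-21-<a>-<b>-<c>[-<rid>]: a domain or stand-alone machine identifier
        info.domain_sid = "S-1-5-21-" + "-".join(str(x) for x in subs[1:4])
        info.notes.append("S-1-5-21 identifiers are issued by domains and by "
                          "stand-alone machines alike; the SID alone does not say which")
        if len(subs) == 5:
            info.rid = subs[4]
        else:
            info.notes.append("this is the domain (or machine) identifier itself, not an account")

    if info.rid is not None:
        if info.rid in WELL_KNOWN_RIDS:
            info.notes.append(f"well-known RID {info.rid}: {WELL_KNOWN_RIDS[info.rid]}")
        elif info.rid < 1000:
            info.notes.append(f"RID {info.rid} is in the reserved range below 1000")
        else:
            info.notes.append(f"RID {info.rid} is in the range allocated to accounts and "
                              "groups created after the domain was set up (>= 1000)")
    return info


def same_domain(sid_a: str, sid_b: str) -> bool:
    """True when two SIDs were issued by the same domain (or machine)."""
    a, b = parse_sid(sid_a), parse_sid(sid_b)
    return a.domain_sid is not None and a.domain_sid == b.domain_sid


if __name__ == "__main__":
    # Constructed sample SIDs; the domain part is made up.
    for s in ["S-1-5-21-1004336348-1177238915-682003330-512",
              "S-1-5-21-1004336348-1177238915-682003330-1105",
              "S-1-5-32-544", "S-1-5-18"]:
        print(s, "->", "; ".join(parse_sid(s).notes))
```

Without a lookup, this is the whole story: a well-known RID names the account or group outright, a RID of 1000 or more only says the object was created after the domain was set up, and the S-1-5-21 part identifies which domain (or machine) issued it, which is what `same_domain` compares. Anything else about the account needs a resolver with access to the domain.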
RE: [ActiveDir] Recommendations for spam issue
Are you on 2003 and dissatisfied with the IMF? I've found for small businesses it is extremely effective when loaded with the right RBLs and IP blocks and configured correctly.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, March 06, 2006 9:10 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recommendations for spam issue
RE: [ActiveDir] How Secure is a Domain Controller?
Based on the subject of this discussion: if you have those regular users, who can't comprehend or remember a password over 7 characters, signing on to your domain controllers, I would say that your domain controllers are VERY not secure. Secondly, if your domain administrators are so lazy as to be using 7 character passwords you are still very insecure.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 06, 2006 2:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How Secure is a Domain Controller?
Re: [ActiveDir] Recommendations for spam issue
Non-profit probably means you don't have a huge IT budget. You may want to give SpamBayes a try. The client plug-in does a decent job of filtering spam... and it's free. http://spambayes.sourceforge.net/index.html

On 3/6/06, Rimmerman, Russ [EMAIL PROTECTED] wrote:
RE: [ActiveDir] How Secure is a Domain Controller?
You misunderstand :) Ulf was suggesting that in order to protect the AD data on a poorly protected DC, strong passwords should be used that are harder to crack. In the event that the disks were compromised, the hacker would not be able to crack a 20 char pw. He does not suggest the use of 20 char passwords to logon to the DC; instead, it is suggested as a way to further protect the AD data in the event that physical protection is weak.

hth,
neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: 06 March 2006 15:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How Secure is a Domain Controller?
RE: [ActiveDir] How Secure is a Domain Controller?
I understand/stood what you were saying, just was hoping to bring out a clearer answer for some of the lurker/newbies on the list (of which there are many). And you provided exactly that clarification which was excellent. Thank you.

I still personally believe in the statement that if I can touch your server, I own your server. There just is no good technical solution to a physical problem, and it's part of our job responsibility to make that clear to management.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 06, 2006 9:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How Secure is a Domain Controller?

You misunderstand :) Ulf was suggesting that in order to protect the AD data on a poorly protected DC, that strong passwords should be used that are harder to crack. In the event that the disks were compromised, the hacker would not be able to crack a 20 char pw. He does not suggest the use of 20 char passwords to logon to the DC but instead, it is suggested as a way to further protect the AD data, in the event that physical protection is weak.

hth,
neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: 06 March 2006 15:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How Secure is a Domain Controller?

Based on the subject of this discussion: if you have those regular users, who can't comprehend or remember a password over 7 characters, signing on to your domain controllers I would say that your domain controllers are VERY not secure. Secondly, if your domain administrators are so lazy as to be using 7 character passwords you are still very insecure.
Re: [ActiveDir] Recommendations for spam issue
Exchange 2003? The Trend CSM 3 version isn't having a good rep these days in my space. Exchange SP2 includes IMF; www.vladville.com, click on Articles, on how to set it up. www.techsoup.org btw...

Rimmerman, Russ wrote:

If you were a 20 user non-profit organization that were having a serious problem with SPAM, had an Exchange server in-house but an external internet provider that was filtering and forwarding your e-mail but not doing a good job, what product or solution would you recommend? The problem is valid e-mails are being blocked and SPAM is getting through. Would something like Trend Client Server Security for SMB work well in this situation?

~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~

-- Letting your vendors set your risk analysis these days? http://www.threatcode.com

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] How Secure is a Domain Controller?
I understand/stood what you were saying, just was hoping to bring out a clearer answer for some of the lurker/newbies on the list (of which there are many). And you provided exactly that clarification which was excellent. Thank you.

[Neil Ruston] You're welcome :)

I still personally believe in the statement that if I can touch your server, I own your server. There just is no good technical solution to a physical problem, and it's part of our job responsibility to make that clear to management.

[Neil Ruston] Sometimes we're forced to make compromises due to management and political pressure. Ulf has written an article which helps to secure the DC if it finds itself physically insecure. Ideally, the DC would not be deployed at all, but the world [of IT] is far from ideal... :)
RE: [ActiveDir] How Secure is a Domain Controller?
To add my 2 cents.

1. Add Anti-virus and Anti-Spyware detection.
2. Configure and backup your event logs. At remote sites, I would recommend collecting the event logs on a faster rotation.
3. Add monitoring. You want to monitor account lockout events and have notification when excessive amounts of authentications are occurring. (Tips you off to possible brute force attacks, and up/down situations.)
4. Use IPSEC Policies to not allow outside traffic to your DCs. (I haven't tried this, but the theory seems pretty solid.)
5. Use GPOs to enforce group memberships for EA and Domain Admins.
6. When possible do not have child domains; allows you to use tighter security policies.
7. Enforce all registry changes using GPOs. Things like DNS record weight, fixed ports for NTDS and FRS replication, etc. should be set this way to avoid mis-configuration.
8. At a minimum have a MFT backup of the AD system state done at a central site each night. If you should lose objects, etc., having this will give you options for restore. Not having it, you're doomed.
9. Make sure your account policies balance the need to thwart an attack but also consider the potential for brute force and denial of service. You don't want to come in on Monday to 40K of accounts locked out, and everyone waiting for you to unlock them.
10. TBD

Todd Myrick
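The monitoring and account-policy points in Todd's list (watch for lockouts, alert on excessive authentication attempts, and remember that a lockout policy can be turned into a denial of service) are easiest to see as detection rules. The block below is an added example, not code from the post or from any product named on the list. It assumes the DC's Security log has been exported as lines of `timestamp,event_id,account,source`; the event IDs are the Windows 2000/2003 ones (529 and 675 for failed logons, 644 for a lockout) with their 2008+ equivalents, and the sample records, thresholds, account names and addresses are constructed for the example.

```python
"""Lockout and failed-logon burst detection over exported Security-log events.

Added example, not code from the list post or any product named on it. It
assumes the DC's Security log has been exported to lines of
"timestamp,event_id,account,source"; the thresholds are the example's own.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows 2000/2003 Security-log IDs, with the 2008+ equivalents so the same
# rules run against newer exports.
FAILED_LOGON_IDS = {529, 675, 4625, 4771}   # bad password / Kerberos pre-auth failed
LOCKOUT_IDS = {644, 4740}                    # user account locked out

# Constructed sample export (not from a real DC).
SAMPLE_LOG = """\
2006-03-06 02:00:01,529,jsmith,10.1.4.22
2006-03-06 02:00:04,529,jsmith,10.1.4.22
2006-03-06 02:00:07,529,jsmith,10.1.4.22
2006-03-06 02:00:10,529,jsmith,10.1.4.22
2006-03-06 02:00:13,529,jsmith,10.1.4.22
2006-03-06 02:00:16,529,jsmith,10.1.4.22
2006-03-06 02:00:30,644,jsmith,10.1.4.22
2006-03-06 02:00:45,644,agarcia,10.1.4.22
2006-03-06 02:00:50,644,bkim,10.1.4.22
2006-03-06 02:01:10,644,cpatel,10.1.4.22
2006-03-06 02:03:00,529,mlee,10.1.7.5
2006-03-06 02:09:00,529,mlee,10.1.7.5
"""


def parse_events(text):
    """Parse the export into (timestamp, event_id, account, source), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, source = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), account, source))
    return sorted(events, key=lambda e: e[0])


def _windowed_counts(stamps, window):
    """For sorted timestamps, yield (ts, number of stamps in the window ending at ts)."""
    recent = deque()
    for ts in stamps:
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        yield ts, len(recent)


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """{source: first timestamp at which >= threshold failures fell inside window}.
    A single source hammering the DC is the brute-force case in the list."""
    per_source = defaultdict(list)
    for ts, eid, _account, source in events:
        if eid in FAILED_LOGON_IDS:
            per_source[source].append(ts)
    alerts = {}
    for source, stamps in per_source.items():
        for ts, n in _windowed_counts(stamps, window):
            if n >= threshold:
                alerts[source] = ts
                break
    return alerts


def lockout_storm(events, window=timedelta(minutes=5)):
    """(peak lockouts inside any window, sorted accounts locked out).
    A high peak is the lockout policy being turned into denial of service:
    the 'come in Monday to thousands of locked accounts' case in the list."""
    lockouts = [(ts, acct) for ts, eid, acct, _s in events if eid in LOCKOUT_IDS]
    peak = max((n for _ts, n in _windowed_counts([ts for ts, _a in lockouts], window)), default=0)
    return peak, sorted({acct for _ts, acct in lockouts})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for source, ts in failed_logon_bursts(evs).items():
        print(f"ALERT failed-logon burst from {source} at {ts}")
    peak, accounts = lockout_storm(evs)
    if peak >= 3:
        print(f"ALERT {peak} lockouts inside one window: {', '.join(accounts)}")
```

Both rules use a sliding window rather than a per-hour count, so a burst that straddles an hour boundary is not missed; the per-source rule fires on the sixth bad password from 10.1.4.22 while the two spaced-out failures from 10.1.7.5 stay quiet, and the storm rule reports four lockouts inside one window, which is the signal to look at the lockout threshold before the next Monday.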
RE: [ActiveDir] AD Lag Sites
I don't really look at problems from the "Trying to Save Money" approach. I try to spend my money and use my time wisely. I base all my value judgments on the following factors.

1. Does it value people?
2. Is it priced acceptably? (I value dominant designs, but also feel that some innovative features are worth more if they offer added value)
3. Is the solution timely?
4. Does the solution offer reproducible results?

AD lag site restores seem a little advanced for general operators to be able to perform. To me restore operations are an operator's job, not an engineer's, so I want a solution that offers value to operators. The standard free AD solution to restore objects has a lot of CLI, it doesn't restore all the attributes, it takes more time to implement, it requires a DC be rebooted, it lacks the ability to restore single attributes, and groups. The lag site approach seems okay initially, but it requires more dedicated hardware that has to be maintained, it complicates the AD design in an unnatural way, it requires knowledge of the AD site architecture to properly implement (you have to force replication to the rest of the forest) and takes longer to implement a restore operation (the user might be out in China, where your lag site might be in the UK).

For me I wanted the ability to quickly restore objects using a turnkey solution that I can delegate to trusted operators to perform. A dedicated person to do this task would cost about 30 to 40K per year. My base thinking is that would work between 10K to 20K up front, and about 3 to 5% overhead each additional year. I gain the ability to restore all objects and attributes, as well as groups and their memberships. I can restore these objects at the site the user resides, I don't have to reboot a DC to do this operation, and I free up the engineer to be an engineer not an operator. So my priorities are different than yours... and so are my responsibilities. I don't have to save the company money.

Notice I didn't say lag sites don't work, but the number of steps involved to do an authoritative restore compared to using a third-party product designed for the job and the possible end results are akin to shooting a bullet and throwing one. Yeah, you probably hit the target both ways. But I think my way is more accurate, has better range, and gets the job done a lot faster and has the potential to be more effective with less skill.

Todd Myrick

From: Frank Abagnale [mailto:[EMAIL PROTECTED]
Sent: Saturday, March 04, 2006 5:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

Todd, you mentioned 'potentially has the ability to create more problems'. Could you outline the problems that are on your mind? I see Lag Sites as a solution to save the business money from purchasing a solution, but I still need to think about business risk if such a solution was to be implemented.

Frank

Myrick, Todd (NIH/CC/DNA) [E] [EMAIL PROTECTED] wrote:

Agreed. Not a big fan of the Lag-Site, I think it potentially has the ability to create more problems. At least MS added some limited functionality in 2003, now if they would just finish the job in Vista this topic might go to rest. (Are you there Stewart?) I do see value in Creative Subnetting, when it comes to establishing multiple sites on a physical network segment to get the KCC to replicate in a more deterministic manner. Fun to do in the classroom too when teaching subnetting.

Todd Myrick

From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED]
Sent: Friday, March 03, 2006 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

7 lag sites? holy sh*t! would it be much cheaper to use a solution that can undelete the deleted objects and restore (push back) the attributes?

jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Friday, March 03, 2006 16:59
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

As Jorge mentioned you do not have to follow your physical subnets for Lag-Sites. Usually you would use that as a guideline, but for lag-sites you can do a sub-subnetting. AD replication does not care about the physical structure or TCP/IP settings (subnet mask, default gateway); it just cares what you have configured in the sites, subnets and what IP the DC is using. So in a 10.1.x.x network you could configure all servers with 10.1.x.x IP addresses with a subnet mask of 255.255.0.0, however you keep all servers in one lag site in the same virtual subnet 10.1.9.x and all production servers in 10.1.1.x - 10.1.8.x. Remember that all have the default gateway and subnet mask for 10.1.x.x. But now you create the virtual subnets in AD, and join 10.1.1.x - 10.1.8.x to the production site, and 10.1.9.x to the lag site. AD replication will do
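Ulf's point is that the site a DC lands in is decided entirely by the subnet objects configured in AD, with the most specific matching subnet winning, and never by the mask the host itself carries. The block below is an added example, not code from the post: it resolves DC addresses to sites by longest-prefix match over a constructed subnet table modelled on the 10.1.x.x layout above, and flags any DC whose address would put it in a site other than the one intended. The site names, DC names and addresses are the example's own assumptions, and one DC is deliberately mis-addressed to show what the check catches.

```python
"""Resolve DC addresses to AD sites from configured subnet objects only.

Added example, not from the list post. Mirrors the AD rule that the most
specific (longest-prefix) subnet object containing an address decides its
site; the host's own subnet mask and gateway play no part.
"""
import ipaddress

# Constructed subnet objects modelled on the 10.1.x.x layout in the thread.
# Every host really carries 10.1.0.0/16 with the same default gateway; the
# /24 "virtual" subnet exists only in AD Sites and Services.
AD_SUBNETS = [
    ("10.1.0.0/16", "Production"),
    ("10.1.9.0/24", "Lag-Site"),
]

# Constructed DCs: name -> (ip, site the admin intends it to be in).
DCS = {
    "DC01":   ("10.1.1.10",  "Production"),
    "DC02":   ("10.1.5.10",  "Production"),
    "LAGDC1": ("10.1.9.10",  "Lag-Site"),
    "LAGDC2": ("10.1.8.250", "Lag-Site"),   # deliberately mis-addressed
}


def site_for_address(ip, subnets=AD_SUBNETS):
    """Site of the longest-prefix subnet object containing ip; None if no
    subnet object covers the address (the 'no site' case in the DC locator)."""
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, None
    for prefix, site in subnets:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


def placement_report(dcs=DCS, subnets=AD_SUBNETS):
    """{dc: (intended_site, resolved_site)} for every DC whose address puts it
    somewhere other than where the admin meant it to be."""
    report = {}
    for name, (ip, intended) in dcs.items():
        resolved = site_for_address(ip, subnets)
        if resolved != intended:
            report[name] = (intended, resolved)
    return report


def site_membership(dcs=DCS, subnets=AD_SUBNETS):
    """Group DC names by the site AD will actually place them in."""
    out = {}
    for name, (ip, _intended) in dcs.items():
        out.setdefault(site_for_address(ip, subnets), []).append(name)
    return {site: sorted(names) for site, names in out.items()}


if __name__ == "__main__":
    for site, names in site_membership().items():
        print(f"{site}: {', '.join(names)}")
    for name, (intended, resolved) in placement_report().items():
        print(f"WARNING {name}: intended {intended}, AD resolves it to {resolved}")
```

The /24 beats the /16 for 10.1.9.x, so LAGDC1 lands in the lag site while everything else stays in Production, including LAGDC2, whose 10.1.8.250 address is outside the virtual subnet even though it sits on the same physical wire; that is exactly the misconfiguration the report is meant to surface before the KCC builds the wrong topology.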
RE: [ActiveDir] AD Lag Sites
He does NOT have to save the company money, he says. That's MY money you are talking about there, bucko! :)

Seriously, Todd, you do have to understand that a vast majority of IT shops don't have budget for their IT folks to be as productive as they desire to be. This is why people tend to be as creative and conservative as possible. They want to stay as native as humanly possible and, as painful as the exercise tends to be, they typically can't do anything about it. When management expects you to squeeze water out of rocks, you hardly have many options.

The Lag Site concept is not a replacement for specialized recovery solutions. But the concept came about as a result of people realizing that, much as they like the Quests and Netpros of this world, the steep price associated with them makes those products out of reach. If you've seen the California Cows commercials, you will begin to understand how much people salivate over professional tools. So, what's a poor admin to do? Especially when his/her CIO has just played golf with a buddy who has just read something from, say, Gartner, preaching the benefits of DR, and the CIO now wants DR implemented like, oh, say, one week ago without any additional funding?

Lag Sites are NOT as expensive as any of the other options. Where budget constraint is a factor, the Lag Site concept is the next best thing for any AD Admin. The fact that it requires some expertise to successfully implement and utilize IS a big plus rather than a drawback. If you are going to administer any sizeable enterprise where DR is essential, you better start knowing something about the inner workings of the things you are claiming to be administering. Come to think of it, the vendors who market these specialized recovery tools are not engaged in voodoo. By learning how things work, you may not need to pay their protection money any longer.

OK, now I've said too much ;)

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Myrick, Todd (NIH/CC/DNA) [E]
Sent: Mon 3/6/2006 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites
RE: [ActiveDir] How Secure is a Domain Controller?
Hi Neil,

I think long passwords are primarily necessary for privileged accounts such as domain admins and especially service accounts. Having long, randomly generated passwords is not an issue for service accounts if you have a procedure in place to change them. If you need to provide the password again, you can generate a new one and change it - no need to even store those passwords. For domain admins teach them how to create long passwords - e.g. starting with passphrases would be a start which can be improved with nonsense characters in between to avoid dictionary attacks. I also believe it's a good idea to teach your users as well, but that's mainly internal marketing.

Long passwords don't buy you the security that those passwords cannot be hacked, however it increases the time the attacker needs to get to the passwords, and buys you time for changing the passwords after a DC has been stolen. Since I'm talking about admin and service accounts it's not enforceable via GPO - at least not without 3rd party software or a special domain design.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile
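The two sides of this exchange, neil's worry that a 20-character minimum gets satisfied by repeating a 7-character block, and Ulf's preference for long randomly generated service-account passwords that are regenerated rather than stored, both reduce to something checkable. The block below is an added example, not Ulf's code and not a Windows password filter: a policy check that measures a password's effective length (its shortest repeated block, case-folded) alongside a CSPRNG-based generator for service accounts. The thresholds, alphabet and sample passwords are the example's own assumptions.

```python
"""Effective-length password check and service-account password generator.

Added example, not Ulf's code or a Windows password filter. The check is
the kind of rule a custom filter on a DC, or a provisioning script, would
apply to reject "short block repeated n times" passwords; the generator is
the generate-set-forget pattern for service accounts described above.
"""
import math
import secrets
import string


def smallest_period(s):
    """Length of the shortest block whose repetition forms s; len(s) if s does
    not repeat. 'abcabcabc' -> 3, 'abcdefg' -> 7."""
    n = len(s)
    for p in range(1, n // 2 + 1):
        if n % p == 0 and s[:p] * (n // p) == s:
            return p
    return n


def effective_length(pw):
    """Characters that actually carry secrecy. Case-folded: the traditional
    reason 7 is the magic number is the LM hash, which upper-cases the
    password and splits it into two 7-character halves, and a repeated block
    makes a rule-based attack on the NT hash just as cheap."""
    return smallest_period(pw.lower())


def check_password(pw, min_length=20, min_effective=15):
    """Policy failures for pw (empty list means accepted). Thresholds are the
    example's own: 20 is the length from the thread, 15 is one more than the
    14 characters an LM hash can represent."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"length {len(pw)} below {min_length}")
    eff = effective_length(pw)
    if eff < len(pw):
        problems.append(f"{eff}-character block repeated {len(pw) // eff} times")
    if eff < min_effective:
        problems.append(f"effective length {eff} below {min_effective}")
    return problems


ALPHABET = string.ascii_letters + string.digits + string.punctuation


def new_service_password(length=32, alphabet=ALPHABET):
    """Draw from the OS CSPRNG. Set it on the account, use it, forget it; when
    the password is needed again, generate a fresh one and reset the account."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def guess_space_bits(pw, alphabet=ALPHABET):
    """log2 of the guesses needed if every effective character were uniform
    over alphabet: exact for new_service_password output, an upper bound for
    anything a human chose."""
    return effective_length(pw) * math.log2(len(alphabet))


if __name__ == "__main__":
    # Constructed sample passwords; the third is freshly generated each run.
    for candidate in ("Secret7!Secret7!Secret7!", "correct#horse9battery!staple",
                      new_service_password()):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}, "
              f"<= 2^{guess_space_bits(candidate):.0f} guesses")
```

The 24-character "Secret7!" x 3 is rejected with an effective length of 8, while a 28-character passphrase with no internal repetition and a 32-character random string both pass; the guess-space figure makes Ulf's "buys you time" concrete, since the repeated block is bounded by roughly 2^52 guesses against about 2^210 for the generated one.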
Re: [ActiveDir] How Secure is a Domain Controller?
Question? On a DC... why do you need anti spyware? If spyware enters via web browsing and email... and IE should never be used/launched on a DC... why do you need it? If the enhanced IE lockdown is still in place that shuts off scripting and what not. Is it on my TS box and all workstations? Yup. On my DC. No. The only site that that box surfs to is Microsoft Update (I mean I don't even go to Joewear on that DC). Why introduce another thing that might introduce new code and new false positives? (See Spybot that flagged Microsoft's remote desktop control for RWW as spyware, see Microsoft's Antispyware that flagged Symantec as a trojan.) And if you do a/v ensure that the needed folders and files are excluded (see prior posts in this forum about the KB articles regarding how to set up a/v on a domain controller and Exchange servers).

Myrick, Todd (NIH/CC/DNA) [E] wrote:

To add my 2 cents. 1. Add Anti-virus and Anti-Spyware detection.
RE: [ActiveDir] Recommendations for spam issue
CommTouch http://www.commtouch.com/Site/Home/home.asp

-----Original Message-----
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Monday, March 06, 2006 7:10 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recommendations for spam issue

If you were a 20 user non-profit organization that was having a serious problem with SPAM, had an Exchange server in-house but an external internet provider that was filtering and forwarding your e-mail but not doing a good job, what product or solution would you recommend? The problem is valid e-mails are being blocked and SPAM is getting through. Would something like Trend Client Server Security for SMB work well in this situation?
[ActiveDir] Can I upgrade/Install IIS6 on windows 2000 advance server.
One of my applications requires IIS6 (or Windows 2003 Server) for its functionality. I am running some Windows 2000 Servers and I need to run this application on these servers. Is there any way to upgrade/install Windows 2000 IIS5 to IIS6? The customer does not want to upgrade to Windows 2003 right now.

Thanks,
Manjeet
RE: [ActiveDir] Can I upgrade/Install IIS6 on windows 2000 advance server.
No.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Manjeet Singh
Sent: Mon 3/6/2006 11:43 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Can I upgrade/Install IIS6 on windows 2000 advance server.

One of my applications requires IIS6 (or Windows 2003 Server) for its functionality. I am running some Windows 2000 Servers and I need to run this application on these servers. Is there any way to upgrade/install Windows 2000 IIS5 to IIS6? The customer does not want to upgrade to Windows 2003 right now.

Thanks,
Manjeet

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] AD - What to monitor?
AD Gurus,

Can you guys expand on the topic of what should be monitored in AD, and why? I am talking in terms of security events only, to protect AD and also protect from attacks of any kind. Obviously, one would monitor failed logons, too many account creations, etc. What else should we monitor?

Regards,
Adeel
RE: [ActiveDir] Resolving SIDs
Justin,

The only thing that I can think of is Sidtoname.exe. I don't think that you are looking for this however. Can you expand a little bit more on building user information based on SID?

-Adeel

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Clay, Justin (ITS)
Sent: Monday, March 06, 2006 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Resolving SIDs

I thought I remembered seeing something recently about how to build some user information from a SID. Is this possible or am I dreaming? I don't mean resolving the SID against AD, I actually mean taking a lone SID and building some user information based on just the SID.

Thanks,
Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573
[ActiveDir] Dynamic Groups
I know you can build a dynamic query based distribution group, but can you do the same for a security group? What is the best way to accomplish making anyone who is in a particular OU a member of a security group on a dynamic basis (scheduled task frequency)? Bryan Lucas Server Administrator Texas Christian University (817) 257-6971
RE: [ActiveDir] Resolving SIDs
Adeel,

I was thinking that I read that without the account database, you could actually gain some information from the SID, using a formula of some type. I don't know if that's actually possible or not. I might have made it up in a dream. Thanks for the info on sidtoname.exe; that might not help here, but I can see it being useful in the future.

Thanks,
Justin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
Sent: Monday, March 06, 2006 2:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Resolving SIDs

Justin,

The only thing that I can think of is Sidtoname.exe. I don't think that you are looking for this however. Can you expand a little bit more on building user information based on SID?

-Adeel

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Monday, March 06, 2006 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Resolving SIDs
RE: [ActiveDir] Dynamic Groups
Bryan-

Just write a script which runs as a scheduled task which enumerates all the users in an OU and checks that they're a member of the group. You'll also need to remove users who don't belong in there anymore. Depending on the scale of your AD deployment (in terms of number of DCs and links between them) it may just be easier for you to clear out the group and repopulate it.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Monday, March 06, 2006 3:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Dynamic Groups

I know you can build a dynamic query-based distribution group, but can you do the same for a security group? What is the best way to accomplish making anyone who is in a particular OU a member of a security group on a dynamic basis (scheduled task frequency)?

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971
RE: [ActiveDir] Recommendations for spam issue
As you can see from the responses, you have a lot of options. It just depends on your budget, time (setup and administration), and expertise which one is the best bet for you.

Alex Alborzfard

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, March 06, 2006 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recommendations for spam issue

If you were a 20 user non-profit organization that was having a serious problem with SPAM, had an Exchange server in-house but an external internet provider that was filtering and forwarding your e-mail but not doing a good job, what product or solution would you recommend? The problem is valid e-mails are being blocked and SPAM is getting through. Would something like Trend Client Server Security for SMB work well in this situation?
RE: [ActiveDir] Dynamic Groups
And keep in mind that it only works when users are logging off and on (at least for domain groups) so that the token is recreated - so running it multiple times a day is probably not practical.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, March 06, 2006 9:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Dynamic Groups

Bryan-

Just write a script which runs as a scheduled task which enumerates all the users in an OU and checks that they're a member of the group. You'll also need to remove users who don't belong in there anymore. Depending on the scale of your AD deployment (in terms of number of DCs and links between them) it may just be easier for you to clear out the group and repopulate it.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Monday, March 06, 2006 3:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Dynamic Groups
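The reconciliation Brian describes (enumerate the OU, add the users who are missing from the group, remove the ones who no longer belong, or simply clear and repopulate), as an added example that is not code from the thread. It runs against a constructed in-memory picture of the directory: a list of user DNs and the group's current member DNs. In a real scheduled task those two lists would come from an LDAP search of the OU and the group's member attribute, and apply_changes would be replaced by directory writes; the DN comparison here is a simplified one, not a full RFC 4514 parser. Ulf's caveat applies to either mode: a user's token only picks up the new membership at the next logon.

```python
"""Keep a security group equal to the users of an OU (plan, then apply).

Added example for the Dynamic Groups thread; not Brian's or Bryan's script.
All DNs below are constructed sample data.
"""

SALES_OU = "OU=Sales,DC=example,DC=com"

# Constructed: what an LDAP search for user objects might return.
ALL_USERS = [
    "CN=Alice,OU=Sales,DC=example,DC=com",
    "cn=bob, ou=Sales, dc=example, dc=com",          # odd case/spacing on purpose
    "CN=Carol,OU=Interns,OU=Sales,DC=example,DC=com",  # in a child OU
    "CN=Dave,OU=Engineering,DC=example,DC=com",
]

# Constructed: the group's current 'member' values (Dave moved out of Sales).
GROUP_MEMBERS = [
    "CN=Bob,OU=Sales,DC=example,DC=com",
    "CN=Dave,OU=Engineering,DC=example,DC=com",
]


def normalize_dn(dn: str) -> str:
    """Comparison key: case- and whitespace-insensitive.
    Sufficient for DNs without escaped commas; not a full RFC 4514 parser."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def in_ou(user_dn: str, ou_dn: str, include_children: bool = True) -> bool:
    """True if user_dn sits under ou_dn (optionally only directly under it)."""
    user, ou = normalize_dn(user_dn), normalize_dn(ou_dn)
    if not user.endswith("," + ou):
        return False
    below = user[: -len(ou) - 1]          # RDNs between the user and the OU
    return include_children or "," not in below


def plan_changes(all_users, group_members, ou_dn, include_children=True):
    """Return (to_add, to_remove) so the group equals the OU's users.
    Idempotent: running it on an already-correct group yields ([], [])."""
    desired = {normalize_dn(u): u for u in all_users
               if in_ou(u, ou_dn, include_children)}
    current = {normalize_dn(m): m for m in group_members}
    to_add = sorted(desired[k] for k in desired.keys() - current.keys())
    to_remove = sorted(current[k] for k in current.keys() - desired.keys())
    return to_add, to_remove


def apply_changes(group_members, to_add, to_remove):
    """In-memory apply; in production these become LDAP modify operations
    (delete/add on the group's member attribute)."""
    drop = {normalize_dn(r) for r in to_remove}
    kept = [m for m in group_members if normalize_dn(m) not in drop]
    return kept + list(to_add)


def write_counts(group_members, to_add, to_remove):
    """Membership link values touched by each strategy, the trade-off Brian
    raises: incremental changes vs. clearing the group and repopulating it."""
    desired_size = len(group_members) - len(to_remove) + len(to_add)
    return {"incremental": len(to_add) + len(to_remove),
            "clear_and_repopulate": len(group_members) + desired_size}


if __name__ == "__main__":
    add, remove = plan_changes(ALL_USERS, GROUP_MEMBERS, SALES_OU)
    print("add:", add)
    print("remove:", remove)
    print("writes:", write_counts(GROUP_MEMBERS, add, remove))
    print("result:", apply_changes(GROUP_MEMBERS, add, remove))
```

Running the task as plan-then-apply also gives you something to log: the two lists are exactly the audit trail of what the scheduled job changed in the group.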
RE: [ActiveDir] Resolving SIDs
The SID is only a number which is issued on each DC to new security principals on a first come, first served basis, so if you create two users on the same DC you probably have two consecutive SIDs. There's nothing encrypted or magic in the SID, so there is no more information you can get just out of the SID without resolving it to the domain.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Monday, March 06, 2006 9:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Resolving SIDs

Adeel,

I was thinking that I read that without the account database, you could actually gain some information from the SID, using a formula of some type. I don't know if that's actually possible or not. I might have made it up in a dream. Thanks for the info on sidtoname.exe; that might not help here, but I can see it being useful in the future.

Thanks,
Justin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
Sent: Monday, March 06, 2006 2:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Resolving SIDs
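What a SID does and does not encode, as an added example that is not part of the thread (the sample SIDs are constructed). It decodes both the string form and the binary form stored in objectSid, and shows Ulf's point in code: the only per-object field in a domain SID is the trailing RID, the domain part is shared by every principal in the domain, and the only facts recoverable without the domain are the fixed, documented well-known RIDs (500 for the built-in Administrator account, 512 for Domain Admins, and so on). That is also why two users created on the same DC tend to have adjacent RIDs and otherwise identical SIDs.

```python
"""Decode a Windows SID and show which fields carry information.

Added example for the Resolving SIDs thread; not code from the list.
Only the public SID layout is implemented: revision, identifier authority,
sub-authorities, and (for domain SIDs) the relative identifier, or RID.
"""
import struct

# Documented well-known RIDs under a domain SID (S-1-5-21-a-b-c-<rid>).
# These fixed values are the only per-object facts a domain SID reveals
# without a lookup against the domain.
WELL_KNOWN_DOMAIN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    516: "Domain Controllers",
    519: "Enterprise Admins",
}

# Constructed sample domain; the three large numbers are arbitrary.
SAMPLE_DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"


def parse_sid_string(sid: str) -> dict:
    """Split 'S-<revision>-<authority>-<sub1>-...' into its fields."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    return {
        "revision": int(parts[1]),
        "authority": int(parts[2], 0),   # decimal, or 0x... for 48-bit values
        "subauthorities": [int(p) for p in parts[3:]],
    }


def sid_to_binary(sid: str) -> bytes:
    """objectSid layout: 1-byte revision, 1-byte sub-authority count,
    6-byte big-endian authority, then little-endian 32-bit sub-authorities."""
    f = parse_sid_string(sid)
    if f["authority"] >= 1 << 48:
        raise ValueError("identifier authority does not fit in 48 bits")
    out = bytes([f["revision"], len(f["subauthorities"])])
    out += f["authority"].to_bytes(6, "big")
    for sub in f["subauthorities"]:
        out += struct.pack("<I", sub)
    return out


def binary_to_sid(data: bytes) -> str:
    """Inverse of sid_to_binary, with a length check against the count byte."""
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError(f"SID length {len(data)} does not match count {count}")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack(f"<{count}I", data[8:]) if count else ()
    auth_str = str(authority) if authority < 1 << 32 else f"0x{authority:012X}"
    return "-".join(["S", str(revision), auth_str, *map(str, subs)])


def describe(sid: str) -> dict:
    """Separate the shared domain identifier from the per-object RID."""
    f = parse_sid_string(sid)
    subs = f["subauthorities"]
    info = {"sid": sid, "domain_sid": None, "rid": None, "well_known": None}
    # Domain account SIDs have authority 5 and exactly five sub-authorities,
    # the first being 21; anything else (e.g. S-1-5-32-544) is not a domain SID.
    if f["authority"] == 5 and len(subs) == 5 and subs[0] == 21:
        info["domain_sid"] = "S-1-5-21-" + "-".join(map(str, subs[1:4]))
        info["rid"] = subs[4]
        info["well_known"] = WELL_KNOWN_DOMAIN_RIDS.get(subs[4])
    return info


def same_domain(sid_a: str, sid_b: str) -> bool:
    """True if both are domain SIDs issued by the same domain."""
    a, b = describe(sid_a)["domain_sid"], describe(sid_b)["domain_sid"]
    return a is not None and a == b


if __name__ == "__main__":
    for rid in (500, 512, 1105, 1106):      # 1105/1106: constructed user RIDs
        sid = f"{SAMPLE_DOMAIN}-{rid}"
        print(describe(sid), sid_to_binary(sid).hex())
```

For the two constructed users with RIDs 1105 and 1106, describe() returns an identical domain_sid and no well-known name, which is all the "formula" there is.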
RE: [ActiveDir] Photos in AD
I'm thinking about security/privacy concerns. There's already a lot of personal information in the directory, much of it viewable by anybody. Add a photo and voilà: instant ability to make a photo ID.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Saturday, March 04, 2006 3:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Photos in AD

The most secure way is simply to remove any write permissions for SELF on user objects. This is best done prior to user creation by changing the default security descriptor of the user-class object in the schema - otherwise you're going to have to script the removal from all users, since the permission is added explicitly to the ACL of every user object. Users can still log on normally and change their PW, since that right is granted by default to the Everyone well-known security principal anyway (changing a PW requires that you know the current PW - this is not to be confused with a permission to reset a PW, which is typically granted to delegated admins, but not to normal users). If you then have a need for users to update specific attributes, you can more easily achieve this by granting the required permissions to the users via inheritance at the OU level.

Another option - as suggested below - is to remove the more risky attributes from the respective default property set (not possible in Win2K). This would directly impact permissions for all users (or any object that leverages the respective property set). As such the change of a property set is risky itself, but if tested and documented well, it can be a helpful means to secure an existing AD. For example, I'd consider removing the thumbnail photo from the Personal Information property set a sensible thing (only required if you haven't removed the write permissions for SELF on user objects via other means as described above).

Back to the original question, if it makes sense to store photos in AD. Leaving the security thought aside and assuming you've ensured that users can't do this themselves, I'd say that this could even be useful for small AD environments. But what is small? Well, I don't consider a multi-domain AD of 100K as small. Adding real photo data into this AD will considerably impact DIT size and memory requirements to allow good query performance of AD, bandwidth requirements for replication, backup and recovery times as well as promotion times for new DCs. While I'm sure AD can handle it (even in memory once you upgrade to 64-bit DCs and add sufficient memory), I can certainly not recommend it. I am not aware of a single AD of this size that leverages the storage of photo data in AD - instead, as mentioned before, I'd add a link to the photos on another store. Of course the link could be replicated to the GC and be available wherever.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V Contractor NASIC/SCNA
Sent: Thursday, 2 March 2006 14:42
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Photos in AD

Are there any Best Practices whitepapers out there on the recommended default property sets for a secure AD? It sounds like this ability could seriously hinder some infrastructures running AD.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mr Oteece
Sent: Wednesday, March 01, 2006 8:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Photos in AD

Storage of photos in AD using jpegPhoto or thumbnailPhoto - yay or nay? I checked the archives on this and didn't see too much there beyond Guido saying don't do it. To quote:

[Grillenmeier, Guido Tue, 14 Dec 2004 12:35:42 -0800
that's likely the photo or the thumbnailPhoto attribute (both octet strings) - best way to kill your AD. There are a couple of tools out there that allow uploading a user's photo to this attribute... The downside: every user has the right to do so on his own account (via the SELF security principal and the permissions granted to it with the PersonalInformation property set). I can only recommend to take these permissions away (possible in 2k3 to remove unwanted attributes from the default property sets). A link would certainly be better - I don't think there's a default attribute for this - you might want to introduce a new attribute to your schema. /Guido]

I actually didn't see the jpegPhoto attribute in the Personal-Information attribute set (http://msdn.microsoft.com/library/default.asp?url=). Regardless, our users do not have the ability to update any of the photo attributes. So beyond DoS issues with users being able to upload large files into AD, what are the potential issues with
Re: [ActiveDir] AD - What to monitor?
You may want to start by looking at some commercial products and see what functions they perform and what they monitor. NetPro's Change Auditor is great, and the MOM AD MP (the entire Technical Guide is available) would be two nice starting points. If I remember correctly, NetPro also has an AD Health product. If you don't want to pay, then you can start scripting based upon what you see common among all of the commercial products available.

Ryan

On 3/6/06, Adeel Ansari [EMAIL PROTECTED] wrote:

AD Gurus,

Can you guys expand on the topic of what should be monitored in AD, and why? I am talking in terms of security events only, to protect AD and also protect from attacks of any kind. Obviously, one would monitor failed logons, too many account creations, etc. What else should we monitor?

Regards,
Adeel
RE: [ActiveDir] How Secure is a Domain Controller?
Okay, for you Susan, I will modify my statement... Add an IPsec filter that only allows HTTP traffic to update.microsoft.com. Also, in the future MS will probably bake the spyware service into the product, so it will be there anyway. I think I helped flesh out the KB article on AV way back.

Todd

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [mailto:[EMAIL PROTECTED]
Sent: Mon 3/6/2006 2:27 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How Secure is a Domain Controller?
Re: [ActiveDir] OT : Query DNS using wildcards?
Hi Al,

Thanks for your answer. It's not zone transfers I'm looking for, but your answer nevertheless pointed me towards another road with a lot of thoughts!

We are used to registering DNS records manually by script. All other records are added manually. When a server is at the end of its life, we clean all its registrations; in case of a cluster, including all records for its cluster resources. As this process is totally manual and there are some with quite a lot of records pointing to cluster resources, we're looking for a way to query the DNS server to retrieve all records related to that server/cluster and then delete them.

Additionally, a lot of servers/clusters are being powered off some weeks already before we format them and unregister everything in our environment. This is mostly the case for migrations, so that the owners are sure they haven't forgotten a little thing ;-) Currently we have to boot the server again to have a script running locally to retrieve IPs and names registered in the DNS. If we should have a workaround, we don't need to do this anymore and we just break the array, run a script that looks everything up and removes the registrations.

I already have a small idea of a way to perform the check, although not ideal: extracting the zones to a .txt file which a script can loop through searching for certain strings. The ideal solution would be to look for server* records and delete them as they are being found. But as already indicated by other people, this is not available... At least not to our knowledge.

Another possible solution is to review the DNS infrastructure, like for example aging. But, and it's not my choice, I have nothing to do with that part... Although I'm trying to find out if there is nobody interested in adapting the DNS infra to make my life easier, that is rather working on the political road ;-) I could understand that it doesn't make a lot of sense, but that's the way of working at this moment. And I have to deal with it and try to handle it the best possible way.

So in short: looking for a way to retrieve all records like *string* in DNS so I can remove them all and keep the DNS tidy...

Best regards,
Bart

On 3/5/06, Al Mulnick [EMAIL PROTECTED] wrote:

It sounds like what you really want is to move those records to another server. I don't recall if this is AD integrated or not, and if so, what the scope of those records is set to. However, setting up a second server and using zone transfer to that server (for backup purposes) is one way to get all of the records in the zones into text files. You could also use WMI scripts/programs to cull that information, or you could realize that if it is AD integrated that data exists elsewhere and that copying it off is not what you want to do. One other method, which is very much a zone transfer, is to use the nslookup ls -d zonename command which puts that information to std i/o. Using dnscmd would be able to gather that information, as would a backup (either AD based (see above if that's what you need) or server file based). If not AD-integrated, you could just copy the zone files :)

Am I missing something you need to do?

Al

On 3/2/06, Bart Van den Wyngaert [EMAIL PROTECTED] wrote:

Well, I kind of need a DNS query. We used to register our DNS records manually and also remove them. But in case the server is at the end of its lifecycle, we shut it down for some weeks (in case of a migration scenario) and then remove all its registrations. We're looking into a way that we don't need to power on the server again, but still are able to remove all DNS registrations (server itself, cluster resources, ...). So it would be like a DNS query... But if there is something in AD that we can use as reference... Something like an LDAP query for AD, but then on DNS, seems like the best description. Also there is a part that is always related to the server, but there are extensions (ex. cluster resources), that's why I started talking about wildcards... I'll have a look into the dsquery tool you mentioned; as I'm not familiar with that tool I'll get back to you.

Many thanks,
Bart

On 3/1/06, Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:

Very true point - as long as you don't need it to be a DNS query you can use dsquery or admod to query for the dnsNode objects in the container hosting the DNS zones (out of my head, since none of my test DCs is currently running: cn=MicrosoftDNS,cn=system,dc=xxx where xxx is either the domain or the application partition). However, keep in mind that those LDAP queries are getting expensive when not querying all of them but specific ones and the wildcard is in front - e.g. querying for *.domain.com is heavy on the server; server01.* would be OK.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile:
RE: [ActiveDir] AD - What to monitor?
Things I like to know about.

Administration Events
- OU creations/deletions/mods
- Critical security group modifications
- GPO creation/deletion/mods and linking
- Domain Administrator logins, and from where
- Password changes on critical accounts

Domain Activities
Got one word for you: Replication! ADs go bad when replication is out of whack... In my experience, when it comes to replication you need to monitor both the event logs and the ports. Also, if a firewall goes anywhere between two replication partners, you then have to start to consider UDP fragmentation, which manifests itself as broken trusts and bad authentication attempts.

As for events, well, the security event logs are a maze of Event IDs that I'd just rather not dig into unless I am required. Both Quest and NetPro (probably NetIQ, MOM and some other tools out there I haven't evaluated as well) have some nice tools that make monitoring the security event logs a lot nicer. I currently use Quest InTrust and InTrust for AD. The nice thing about the AD product is that it creates a nice little event log for administration and logs those activities separately. They put a hook into the LDAP service that intercepts the LDAP calls and logs them. There are some KB articles out there that list several of the events. As one person suggested, reviewing NetPro, Quest, NetIQ's and HP's stuff also helps get an idea. MOM also has some pretty slick admin packs that might be informative, but I see MOM more as a Big Picture up/down monitor; there is still a lot of value in third-party add-ons since most of these products offer add-ons to MOM as part of their features.

Todd

From: Ryan A. Conrad [mailto:[EMAIL PROTECTED]
Sent: Mon 3/6/2006 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD - What to monitor?

You may want to start by looking at some commercial products and see what functions they perform and what they monitor. NetPro's Change Auditor is great, and the MOM AD MP (the entire Technical Guide is available) would be two nice starting points. If I remember correctly, NetPro also has an AD Health product. If you don't want to pay, then you can start scripting based upon what you see common among all of the commercial products available.

Ryan

On 3/6/06, Adeel Ansari [EMAIL PROTECTED] wrote:

AD Gurus,

Can you guys expand on the topic of what should be monitored in AD, and why? I am talking in terms of security events only, to protect AD and also protect from attacks of any kind. Obviously, one would monitor failed logons, too many account creations, etc. What else should we monitor?

Regards,
Adeel
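A minimal, scriptable version of the monitoring discussed in this thread and in Todd's items 3 and 9 earlier on the page (lockouts, excessive authentication failures, critical group changes), as an added example that is not code from any post. The log lines are constructed in a simplified pipe-delimited form (time|event id|target|source|detail), not a real export; the Windows 2003 event IDs used are the documented ones (529 logon failure, 644 account locked out, 632/636/660 member added to a security-enabled global/local/universal group), which on Windows 2008 and later correspond to 4625, 4740 and 4728/4732/4756. The thresholds are assumptions to tune per environment.

```python
"""Sliding-window detections over Windows security events.

Added example for the AD monitoring thread; not the list's or any vendor's code.
Input format is constructed and simplified: time|event_id|target|source|detail.
For logon events 'target' is the account; for group events it is the group.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one account hammered from a workstation until it locks
# out, one stray failure, ten different accounts tried from a single source
# (the pattern that produces mass lockouts), and one privileged-group change.
SAMPLE_LOG = """\
2006-03-06 08:00:01|529|jsmith|WS-0142|bad password
2006-03-06 08:00:02|529|jsmith|WS-0142|bad password
2006-03-06 08:00:03|529|jsmith|WS-0142|bad password
2006-03-06 08:00:04|529|jsmith|WS-0142|bad password
2006-03-06 08:00:05|529|jsmith|WS-0142|bad password
2006-03-06 08:00:06|529|jsmith|WS-0142|bad password
2006-03-06 08:00:07|644|jsmith|WS-0142|account locked out
2006-03-06 08:05:00|529|adoe|WS-0001|bad password
2006-03-06 09:10:00|529|user001|SRV-EXT1|bad password
2006-03-06 09:10:01|529|user002|SRV-EXT1|bad password
2006-03-06 09:10:02|529|user003|SRV-EXT1|bad password
2006-03-06 09:10:03|529|user004|SRV-EXT1|bad password
2006-03-06 09:10:04|529|user005|SRV-EXT1|bad password
2006-03-06 09:10:05|529|user006|SRV-EXT1|bad password
2006-03-06 09:10:06|529|user007|SRV-EXT1|bad password
2006-03-06 09:10:07|529|user008|SRV-EXT1|bad password
2006-03-06 09:10:08|529|user009|SRV-EXT1|bad password
2006-03-06 09:10:09|529|user010|SRV-EXT1|bad password
2006-03-06 10:00:00|632|Domain Admins|DC01|member added: EXAMPLE\\newadmin
"""

LOGON_FAILURE, ACCOUNT_LOCKOUT = 529, 644
GROUP_MEMBER_ADDED = {632, 636, 660}
CRITICAL_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}


def parse_log(text):
    """Parse the constructed format into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, target, source, detail = line.split("|", 4)
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "id": int(eid), "target": target, "source": source,
                       "detail": detail})
    return sorted(events, key=lambda e: e["time"])


def sliding_counts(events, key, window, threshold):
    """Fire once per key when its count in the trailing window reaches threshold.
    Returns [(key, time_of_alert)]."""
    alerts, recent, fired = [], defaultdict(deque), set()
    for e in events:
        k = key(e)
        q = recent[k]
        q.append(e["time"])
        while q and e["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and k not in fired:
            fired.add(k)
            alerts.append((k, e["time"]))
    return alerts


def brute_force_alerts(events, window=timedelta(minutes=5), threshold=5):
    """Repeated failures for one account from one source (Todd's item 3)."""
    failures = [e for e in events if e["id"] == LOGON_FAILURE]
    return sliding_counts(failures, lambda e: (e["source"], e["target"]), window, threshold)


def spray_alerts(events, window=timedelta(minutes=5), min_accounts=10):
    """Many distinct accounts failing from one source: the pattern that turns a
    strict lockout policy into a denial of service (Todd's item 9).
    Returns [(source, time_of_alert, distinct_accounts)]."""
    failures = [e for e in events if e["id"] == LOGON_FAILURE]
    alerts, recent, fired = [], defaultdict(deque), set()
    for e in failures:
        q = recent[e["source"]]
        q.append((e["time"], e["target"]))
        while q and e["time"] - q[0][0] > window:
            q.popleft()
        distinct = {acct for _, acct in q}
        if len(distinct) >= min_accounts and e["source"] not in fired:
            fired.add(e["source"])
            alerts.append((e["source"], e["time"], len(distinct)))
    return alerts


def lockout_alerts(events, window=timedelta(hours=1), threshold=1):
    """Domain-wide lockout rate; threshold=1 notifies on every lockout."""
    lockouts = [e for e in events if e["id"] == ACCOUNT_LOCKOUT]
    return sliding_counts(lockouts, lambda e: "domain", window, threshold)


def critical_group_changes(events):
    """Membership additions to the groups an admin always wants to hear about."""
    return [(e["time"], e["target"], e["detail"]) for e in events
            if e["id"] in GROUP_MEMBER_ADDED and e["target"] in CRITICAL_GROUPS]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("brute force:", brute_force_alerts(evts))
    print("spray:", spray_alerts(evts))
    print("lockouts:", lockout_alerts(evts))
    print("critical groups:", critical_group_changes(evts))
```

Each detector fires once per key so a noisy source produces one notification rather than one per event; the spray detector is the one to watch before loosening or tightening the lockout threshold, since it reports how many accounts a single source is cycling through.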
RE: [ActiveDir] AD Lag Sites
I also said I have to spend my time and money wisely. I am well aware of why people use lag sites. They always like to throw the money issue around... but I wonder what the TCO really is. Maybe these major AD DR players should commission a study; heck, maybe MSFT should, for both AD and Exchange mailboxes.

I think you would do better to encourage new admins to make sure they do a MFT backup of a domain controller's system state each night than to stand up more sites and servers. Then, based on need, select the restore method and evaluate the results. I agree that knowing all the inner workings does help as well, but operations people are usually not engineers, so it is best to give them tools that have some workflow and make the operation smooth and less error prone.

Thanks again,
Todd

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Mon 3/6/2006 2:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

He does NOT have to save the company money, he says. That's MY money you are talking about there, bucko! :)

Seriously, Todd, you do have to understand that the vast majority of IT shops don't have budget for their IT folks to be as productive as they desire to be. This is why people tend to be as creative and conservative as possible. They want to stay as native as humanly possible and, as painful as the exercise tends to be, they typically can't do anything about it. When management expects you to squeeze water out of rocks, you hardly have many options.

The Lag Site concept is not a replacement for specialized recovery solutions. But the concept came about as a result of people realizing that, much as they like the Quests and NetPros of this world, the steep price associated with them puts those products out of reach. If you've seen the California Cows commercials, you will begin to understand how much people salivate over professional tools. So, what's a poor admin to do? Especially when his/her CIO has just played golf with a buddy who has just read something from, say, Gartner, preaching the benefits of DR, and the CIO now wants DR implemented like, oh, say, one week ago without any additional funding?

Lag Sites are NOT as expensive as any of the other options. Where budget constraint is a factor, the Lag Site concept is the next best thing for any AD admin. The fact that it requires some expertise to successfully implement and utilize IS a big plus rather than a drawback. If you are going to administer any sizeable enterprise where DR is essential, you had better start knowing something about the inner workings of the things you are claiming to be administering. Come to think of it, the vendors who market these specialized recovery tools are not engaged in voodoo. By learning how things work, you may not need to pay their protection money any longer.

OK, now I've said too much ;)

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Myrick, Todd (NIH/CC/DNA) [E]
Sent: Mon 3/6/2006 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

I don't really look at problems from the "trying to save money" approach; I try to spend my money and use my time wisely. I base all my value judgments on the following factors:
1. Does it value people?
2. Is it priced acceptably? (I value dominant designs, but also feel that some innovative features are worth more if they offer added value.)
3. Is the solution timely?
4. Does the solution offer reproducible results?

AD lag site restores seem a little advanced for general operators to be able to perform. To me, restore operations are an operator job, not an engineer's, so I want a solution that offers value to operators. The standard free AD solution to restore objects has a lot of CLI, it doesn't restore all the attributes, it takes more time to implement, it requires a DC to be rebooted, and it lacks the ability to restore single attributes and groups. The lag site approach seems okay initially, but it requires more dedicated hardware that has to be maintained, it complicates the AD design in an unnatural way, it requires knowledge of the AD site architecture to properly implement (you have to force replication to the rest of the forest) and it takes longer to implement a restore operation... (The user might be out in China, while your lag site might be in the UK.) For me, I wanted the ability to quickly restore objects using a turnkey solution that I can delegate to trusted operators to perform. A dedicated person to do this task would cost about 30 to 40K per year. My base thinking is that this would work at between 10K to 20K up front, and about 3 to 5% overhead each additional year. I gain the ability to restore all
RE: [ActiveDir] OT : Query DNS using wildcards?
Extracting the zones to a .txt file which a script can loop through searching for certain strings. Ideal solution would be to look for server* records and delete them as they are being found. But as already indicated by other people, this is not available..

Why not? If it's a standard zone, you could just read the zone file using FileSystemObject, do a ReadLine, and if you see the servername in the line, delete the line. Or did I misread you?

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Bart Van den Wyngaert
Sent: Mon 3/6/2006 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT : Query DNS using wildcards?

Hi Al,

Thanks for your answer. It's not zone transfers I'm looking for, but your answer nevertheless pointed me towards another road with a lot of thoughts!

We are used to registering DNS records manually by script. All other records are added manually. When a server is at the end of its life, we clean all its registrations; in the case of a cluster, including all records for its cluster resources. As this process is totally manual and there are some servers with quite a lot of records pointing to cluster resources, we're looking for a way to query the DNS server to retrieve all records related to that server/cluster and then delete them.

Additionally, a lot of servers/clusters are being powered off some weeks already before we format them and unregister everything in our environment. This is mostly the case for migrations, so that the owners are sure they haven't forgotten a little thing ;-) Currently we have to boot the server again to have a script running locally to retrieve the IPs and names registered in the DNS. If we had a workaround, we wouldn't need to do this anymore and we would just break the array, run a script that looks everything up and removes the registrations.

I already have a small idea of a way to perform the check, although not ideal: extracting the zones to a .txt file which a script can loop through searching for certain strings. The ideal solution would be to look for server* records and delete them as they are being found. But as already indicated by other people, this is not available... at least not to our knowledge.

Another possible solution is to review the DNS infrastructure, for example aging. But, and it's not my choice, I have nothing to do with that part... Although I'm trying to find out if there is nobody interested in adapting the DNS infra to make my life easier, that's rather working the political road ;-) I can understand that it doesn't make a lot of sense, but that's the way of working at this moment, and I have to deal with it and try to handle it the best possible way.

So in short: looking for a way to retrieve all records like *string* in DNS so I can remove them all and keep the DNS tidy...

Best regards,
Bart

On 3/5/06, Al Mulnick [EMAIL PROTECTED] wrote:
It sounds like what you really want is to move those records to another server. I don't recall if this is AD-integrated or not, and if so, what the scope of those records is set to. However, setting up a second server and using zone transfer to that server (for backup purposes) is one way to get all of the records in the zones into text files. You could also use WMI scripts/programs to cull that information, or you could realize that if it is AD-integrated that data exists elsewhere and that copying it off is not what you want to do. One other method, which is very much a zone transfer, is to use the nslookup ls -d zonename command, which puts that information to std i/o. Using dnscmd would be able to gather that information, as would a backup (either AD based (see above if that's what you need) or server file based). If not AD-integrated, you could just copy the zone files :)

Am I missing something you need to do?

Al

On 3/2/06, Bart Van den Wyngaert [EMAIL PROTECTED] wrote:
Well, I kind of need a DNS query. We used to register our DNS records manually and also remove them. But in case the server is at the end of its lifecycle, we shut it down for some weeks (in case of a migration scenario) and then remove all its registrations. We're looking into a way that we don't need to power on the server again, but are still able to remove all DNS registrations (server itself, cluster resources, ...). So it would be like a DNS query... But if there is something in AD that we can use as reference... Something like an LDAP query for AD, but then on DNS seems like the best description. Also there is a part that is always related to the server, but there are extensions
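Dèjì's "read the zone file line by line and drop the lines that mention the server" idea, worked out as an added example that is not part of the thread: a Python version for a standard (file-backed) zone that matches whole DNS labels, both the owner name and the host a CNAME/NS/MX/SRV/PTR points at, instead of substrings, so removing server1 does not also take out server10, server1-vip, or a TXT record that merely mentions it. The zone text, names and addresses below are constructed for the example.

```python
"""Find and strip every record in a zone-file text that belongs to one host."""
from dataclasses import dataclass

# Constructed sample zone in the text form a standard primary zone is stored in.
SAMPLE_ZONE = """\
$ORIGIN corp.example.
@            IN SOA   dc1 hostmaster 42 900 600 86400 3600
@            IN NS    dc1
dc1          IN A     10.0.0.1
server1      IN A     10.0.0.10
server10     IN A     10.0.0.11
server1-vip  IN A     10.0.0.12
clusterres1  IN CNAME server1.corp.example.   ; cluster resource hosted on server1
fileshare    IN CNAME server10
             IN TXT   "share on server1"      ; mentions server1 but is not its record
mail         IN MX    10 server1
_ldap._tcp   IN SRV   0 100 389 dc1
"""

HOST_TARGET_TYPES = {"CNAME", "NS", "PTR", "MX", "SRV"}   # rdata ends in a host name


@dataclass
class Record:
    line: str            # the line exactly as it appears in the file
    origin: str          # $ORIGIN in effect for this line
    owner_raw: str       # owner as written (inherited when the line starts with whitespace)
    owner: str           # owner as a lower-case FQDN without the trailing dot
    rtype: str
    rdata: list
    explicit_owner: bool


def fqdn(name, origin):
    """Normalize a zone-file name to a lower-case FQDN without the trailing dot."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name.rstrip(".")
    return f"{name}.{origin}" if origin else name


def parse_zone(text, origin=""):
    """Return ("record", Record) or ("other", line) items in file order."""
    origin = origin.lower().rstrip(".")
    owner_raw, owner = "@", origin
    items = []
    for line in text.splitlines():
        body = line.split(";", 1)[0]                       # drop comments
        tokens = body.split()
        if not tokens:
            items.append(("other", line))
            continue
        if tokens[0].startswith("$"):                      # $ORIGIN / $TTL directives
            if tokens[0].upper() == "$ORIGIN":
                origin = tokens[1].lower().rstrip(".")
            items.append(("other", line))
            continue
        explicit = not body[0].isspace()                   # leading blank = same owner as before
        if explicit:
            owner_raw = tokens.pop(0)
            owner = fqdn(owner_raw, origin)
        if tokens and tokens[0].isdigit():                 # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):   # optional class
            tokens.pop(0)
        if not tokens:
            items.append(("other", line))
            continue
        items.append(("record", Record(line, origin, owner_raw, owner,
                                       tokens[0].upper(), tokens[1:], explicit)))
    return items


def refers_to(rec, host):
    """True if the record is owned by host or its rdata points at host (whole labels only)."""
    target = fqdn(host, rec.origin)
    if rec.owner == target:
        return True
    return (rec.rtype in HOST_TARGET_TYPES and bool(rec.rdata)
            and fqdn(rec.rdata[-1], rec.origin) == target)


def find_host_records(text, host, origin=""):
    """List (owner, type, rdata) for every record that belongs to or points at host."""
    return [(r.owner, r.rtype, " ".join(r.rdata))
            for kind, r in parse_zone(text, origin) if kind == "record" and refers_to(r, host)]


def strip_host_records(text, host, origin=""):
    """Zone text without host's records; a continuation line whose owner line was
    removed gets its owner written out so it does not attach to the wrong name."""
    out, last_owner = [], None
    for kind, item in parse_zone(text, origin):
        if kind != "record":
            out.append(item)
            continue
        if refers_to(item, host):
            continue
        line = item.line
        if not item.explicit_owner and item.owner != last_owner:
            line = item.owner_raw + line
        out.append(line)
        last_owner = item.owner
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for owner, rtype, rdata in find_host_records(SAMPLE_ZONE, "server1"):
        print(f"{owner:28} {rtype:6} {rdata}")
```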
RE: [ActiveDir] AD - What to monitor?
Depends upon what your organization's security/compliance requirements are, but here are some things to think about:
--excessive failed logons, password changes
--account policy changes
--changes to AD configuration objects (e.g. creation/deletion of sites, site links, AD-integrated DNS zones, schema object mods., FSMO role changes)
--changes to key AD group memberships (e.g. Domain Admins, Enterprise Admins.) or service accounts
--changes to key Group Policies
--changes to key attributes (e.g. department, phone number, ManagedBy)

There's probably a longer list, but those are just some that come to mind right away. Depending upon the objects being monitored, and your needs, the native security logs may or may not provide the data you need. In that case, 3rd party tools like those from NetPro, Quest, NetIQ may make sense.

Darren

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
Sent: Monday, March 06, 2006 9:01 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD - What to monitor?
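The administration events Todd and Darren list (critical group membership changes, password resets on critical accounts, domain administrator logons and where they came from, failed-logon bursts and the "too many account creations" Adeel mentions), as an added example not from the thread: a Python rule set over security-log events, using the event IDs a Windows Server 2003 DC logs. The events are constructed in-line in a simplified dict form rather than parsed from a real log; the account, group and workstation names are made up.

```python
"""Rules over Windows Server 2003 DC security-log events for the administration
events worth alerting on. Each event is a dict: id, time (seconds) and, depending
on the event, caller, group/member, target, or account/source."""
from collections import defaultdict

# Windows Server 2003 security-log event IDs (pre-Vista numbering).
GROUP_CHANGE = {632: "added to global group", 633: "removed from global group",
                636: "added to local group", 637: "removed from local group",
                660: "added to universal group", 661: "removed from universal group"}
PASSWORD_RESET = 628        # "User Account password set": an admin reset, unlike 627 (user change)
ACCOUNT_CREATED = 624
LOGON_SUCCESS = {528, 540}  # interactive / network logon
LOGON_FAILURE = {529, 530, 531, 532, 533, 534, 535, 537, 539}

DEFAULT_CRITICAL_GROUPS = {"domain admins", "enterprise admins", "schema admins",
                           "administrators", "account operators"}


def _burst(history, key, now, window, threshold):
    """Slide a per-key window of timestamps; True only when the count first reaches threshold."""
    recent = [t for t in history[key] if now - t <= window] + [now]
    history[key] = recent
    return len(recent) == threshold


def analyze(events, critical_groups=DEFAULT_CRITICAL_GROUPS, critical_accounts=(),
            admin_accounts=(), fail_threshold=5, create_threshold=10, window=300):
    """Return (kind, detail) alerts, in time order, for the events worth a second look."""
    critical_accounts = {a.lower() for a in critical_accounts}
    admin_accounts = {a.lower() for a in admin_accounts}
    failures, creations = defaultdict(list), defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        eid, t = e["id"], e["time"]
        if eid in GROUP_CHANGE and e["group"].lower() in critical_groups:
            alerts.append(("critical-group-change",
                           f'{e["member"]} {GROUP_CHANGE[eid]} {e["group"]} by {e["caller"]}'))
        elif eid == PASSWORD_RESET and e["target"].lower() in critical_accounts:
            alerts.append(("critical-password-reset", f'{e["target"]} reset by {e["caller"]}'))
        elif eid in LOGON_SUCCESS and e["account"].lower() in admin_accounts:
            alerts.append(("admin-logon", f'{e["account"]} from {e["source"]}'))
        elif eid in LOGON_FAILURE:
            if _burst(failures, e["account"].lower(), t, window, fail_threshold):
                alerts.append(("failed-logon-burst",
                               f'{fail_threshold} failures for {e["account"]} within {window}s'))
        elif eid == ACCOUNT_CREATED:
            if _burst(creations, e["caller"].lower(), t, window, create_threshold):
                alerts.append(("account-creation-burst",
                               f'{e["caller"]} created {create_threshold} accounts within {window}s'))
    return alerts


# Constructed sample events (names and addresses are made up for the example).
SAMPLE_EVENTS = [
    {"id": 540, "time": 0, "account": "bob", "source": "WS-014"},
    {"id": 528, "time": 10, "account": "Administrator", "source": "DC1-CONSOLE"},
    {"id": 632, "time": 20, "caller": "jsmith", "member": "CORP\\tempadmin", "group": "Domain Admins"},
    {"id": 632, "time": 25, "caller": "jsmith", "member": "CORP\\newhire", "group": "Sales"},
    {"id": 628, "time": 30, "caller": "jsmith", "target": "Administrator"},
    {"id": 628, "time": 31, "caller": "helpdesk", "target": "bob"},
] + [  # six bad passwords for a service account in 50 seconds, then one much later
    {"id": 529, "time": 100 + 10 * i, "account": "svc-backup", "source": "10.0.0.77"} for i in range(6)
] + [{"id": 529, "time": 1000, "account": "svc-backup", "source": "10.0.0.77"}] + [
    {"id": 624, "time": 200 + i, "caller": "CORP\\svc-prov", "target": f"user{i:02d}"} for i in range(10)
]


def sample_alerts():
    """Run the rules over the constructed events with Administrator on both watchlists."""
    return analyze(SAMPLE_EVENTS, critical_accounts={"Administrator"},
                   admin_accounts={"Administrator"})


if __name__ == "__main__":
    for kind, detail in sample_alerts():
        print(f"{kind:24} {detail}")
```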
[ActiveDir] There must be an easier way...
Hello, colleagues,

A client that we had set up as a site within our domain with its own pair of DCs has decided to break off from us, get their own ISP, and cut the network cable between us. In fact, they did that last weekend. Now, the Directory Service event log on one of our DCs is spewing out 21 warning and error messages every 15 minutes, all related to the fact that there are no available DCs in that site.

Doing a Google search, I found this article http://support.microsoft.com/?kbid=216498 which describes at least 20 steps that must be taken to remove a DC following an unsuccessful DC demotion. Which, I suppose, is what I would have done had I had the opportunity to demote the DCs before this client cut the line. The article also has this warning:

Caution: The administrator must also make sure that replication has occurred since the demotion before manually removing the NTDS Settings object for any server. Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

Being a relative newbie to Active Directory management (but just emerging from a pair of classes), I have to ask if there is an easier way to do this? We have about 800 users and 4 corporations on this wire, and they might get a bit testy if their computers stopped working all of a sudden!

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
RE: [ActiveDir] Photos in AD
How would it do anyone any good to make an ID with my photo on it? Wouldn't it be better for them to make the ID with my info and THEIR photo, if it's identity theft they're after?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 06, 2006 2:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Photos in AD

I'm thinking about security/privacy concerns. There's already a lot of personal information in the directory, much of it viewable by anybody. Add a photo and voilà: instant ability to make a photo ID.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Saturday, March 04, 2006 3:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Photos in AD

The most secure way is simply to remove any write permissions for SELF on user objects. This is best done prior to user creation by changing the default security descriptor of the user-class object in the schema - otherwise you're going to have to script the removal from all users, since the permission is added explicitly to the ACL of every user object. Users can still log on normally and change their PW, since that right is granted by default to the Everyone well-known security principal anyway (changing a PW requires that you know the current PW - this is not to be confused with a permission to "reset" a PW, which is typically granted to delegated admins, but not to normal users). If you then have a need for users to update specific attributes, you can more easily achieve this by granting the required permissions to the users via inheritance at the OU level.

Another option - as suggested below - is to remove the more "risky" attributes from the respective default property set (not possible in Win2). This would directly impact permissions for all users (or any object that leverages the respective property set). As such, the change of a property set is risky itself, but if tested and documented well, it can be a helpful means to secure an existing AD. For example, I'd consider removing the thumbnail photo from the "Personal Information" property set a sensible thing (only required if you haven't removed the write permissions for SELF on user objects via other means, as described above).

Back to the original question of whether it makes sense to store photos in AD. Leaving the security thought aside and assuming you've ensured that users can't do this themselves, I'd say that this could even be useful for small AD environments. But what is small? Well, I don't consider a multi-domain AD of 100K as small. Adding real photo data into this AD will considerably impact DIT size and the memory requirements to allow good query performance of AD, bandwidth requirements for replication, backup and recovery times as well as promotion times for new DCs. While I'm sure AD can handle it (even in memory, once you upgrade to 64-bit DCs and add sufficient memory), I can certainly not recommend it. I am not aware of a single AD of this size that leverages the storage of photo data in AD - instead, as mentioned before, I'd add a link to the photos on another store. Of course the link could be replicated to the GC and be available wherever.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V Contractor NASIC/SCNA
Sent: Thursday, 2 March 2006 14:42
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Photos in AD

Are there any Best Practices whitepapers out there on the recommended default property sets for a secure AD? It sounds like this ability could seriously hinder some infrastructures running AD.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mr Oteece
Sent: Wednesday, March 01, 2006 8:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Photos in AD

Storage of photos in AD using jpegPhoto or thumbnailPhoto - yay or nay? I checked the archives on this and didn't see too much there beyond Guido saying "don't do it". To quote:

[Grillenmeier, Guido, Tue, 14 Dec 2004 12:35:42 -0800: that's likely the photo or the thumbnailPhoto attribute (both octet strings) - best way to kill your AD. There are a couple of tools out there that allow uploading a user's photo to this attribute... The downside: every user has the right to do so on his own account (via the SELF security principal and the permissions granted to it with the PersonalInformation property set). I can only recommend to take these permissions away (possible in 2k3 to remove unwanted attributes from the default property sets). A link would certainly be better - I don't think there's a default attribute for this - you might want to introduce a new attribute to your schema. /Guido]

I
RE: [ActiveDir] There must be an easier way...
That is interesting. Who established the forest? 'Cause if it was them, they have issues. If it was you all, then just do an AD clean-up operation and remove the domain and domain controllers from your directory. Also be prepared to hear from them soon... :)

Todd Myrick

From: Larry Wahlers [mailto:[EMAIL PROTECTED]
Sent: Mon 3/6/2006 7:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] There must be an easier way...
RE: [ActiveDir] There must be an easier way...
Larry-

Just follow the steps and remove the two DCs that were offsite. Wait for replication internally and delete the site/subnet. All done.

I suggest you reset all passwords for sensitive accounts or, even better, expire every password in the domain. Your client can obtain these if they're industrious, and it sounds like you left on a bad note.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Monday, March 06, 2006 7:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] There must be an easier way...
RE: [ActiveDir] There must be an easier way...
Brian,

I never did this, but I guess I should try it. If one domain tree established the forest, another domain tree is added, but then the initial tree is removed, won't that cause problems for the other domain tree, even if they clean up the forest and seize the FSMO roles? The schema and configuration containers will reflect the naming context of the root forest. Also, that is where the enterprise roles will exist. I think the only thing the non-root can do is reinstall the forest, while the forest root can just do the clean-up.

Todd Myrick

From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: Mon 3/6/2006 7:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] There must be an easier way...

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Monday, March 06, 2006 7:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] There must be an easier way...
Re: [ActiveDir] There must be an easier way...
Hello Larry,

Unfortunately there is no way around doing a metadata cleanup against those 2 DCs that have been removed from your domain and are not going to come back. You would want to figure out whether the machines in that particular subnet where the 2 DCs were have connectivity to an existing and functional DC, to be able to log on to the domain. Also, from your description, it seems that at least 1 DC, which is giving the error, is part of that domain from which the 2 DCs were yanked off. If there are more DCs, and they are set to replicate with either of the 2, they will also give replication errors unless a metadata cleanup has been performed.

On 3/6/06, Larry Wahlers [EMAIL PROTECTED] wrote:
[ActiveDir] There must be an easier way...

--
Ambition is a dream with a V8 engine. ~ Elvis Presley
RE: [ActiveDir] There must be an easier way...
I didn't get the drift that he had a multidomain forest. If he does, and he doesn't have a forest root DC, then he's SOL and will have to ADMT to a new domain/forest.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) [E]
Sent: Monday, March 06, 2006 8:37 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] There must be an easier way...

From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: Mon 3/6/2006 7:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] There must be an easier way...

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Monday, March 06, 2006 7:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] There must be an easier way...
RE: [ActiveDir] AD - What to monitor?
So, does Intrust do these things:

- OU creations/deletions/mods
- Critical Security Group Modifications
- GPO Creation/deletion/mods and Linking
- Domain Administrator Logins and from where
- Password changes on critical accounts

Can you get granular and say show me all the changes to these groups, or these OU's, or when this account is used, etc? Do you use Quest Reporter?

Bryan Lucas Server Administrator Texas Christian University (817) 257-6971

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) [E] Sent: Monday, March 06, 2006 5:16 PM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD - What to monitor?

Things I like to know about.

Administration Events
- OU creations/deletions/mods
- Critical Security Group Modifications
- GPO Creation/deletion/mods and Linking
- Domain Administrator Logins and from where
- Password changes on critical accounts

Domain Activities
Got one word for you: Replication! AD's go bad when replication is out of whack... In my experience, when it comes to replication you need to monitor not only the Event Logs but also the ports. Also, if a firewall goes anywhere between two replication partners, you then have to start to consider UDP fragmentation, which manifests itself as broken trusts and bad authentication attempts.

As for events, well, the security event logs are a maze of Event IDs that I would just rather not dig into unless I am required to. Both Quest and NetPro (probably NetIQ, MOM and some other tools out there I haven't evaluated as well) have some nice tools that make monitoring the security event logs a lot nicer. I currently use Quest InTrust and InTrust for AD. The nice thing about the AD product is that it creates a nice little Event Log for administration and logs those activities separately. They put a hook into the LDAP service that intercepts the LDAP calls and logs them. There are some KB articles out there that list several of the events.

As one person suggested, reviewing NetPro's, Quest's, NetIQ's and HP's stuff also helps get an idea. MOM also has some pretty slick admin packs that might be informative, but I see MOM more as a Big Picture Up/Down monitor; there is still a lot of value in third-party add-ons, since most of these products offer add-ons to MOM as part of their features.

Todd

From: Ryan A. Conrad [mailto:[EMAIL PROTECTED] Sent: Mon 3/6/2006 4:01 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] AD - What to monitor?

You may want to start by looking at some commercial products and see what functions they perform and what they monitor. NetPro's Change Auditor is great, and the MOM AD MP (the entire Technical Guide is available) would be two nice starting points. If I remember correctly, NetPro also has an AD Health product. If you don't want to pay, then you can start scripting based upon what you see common among all of the commercial products available.

Ryan

On 3/6/06, Adeel Ansari [EMAIL PROTECTED] wrote: AD Gurus, Can you guys expand on the topic of what should be monitored in AD? And why? I am talking in terms of Security events only, to protect AD and also protect from attacks of any kind. Obviously, one would monitor failed logons, too many account creations etc. What else should we monitor? Regards, Adeel

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
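The "administration events" Todd and Bryan list can be pulled straight from a DC's Security log without a commercial product, which is the scripting route Ryan mentions. The PowerShell below is an added example, not code from the thread or from Quest/NetPro/Microsoft. It assumes Windows Server 2008 or later event IDs (Windows 2003 used a different set), that the Default Domain Controllers Policy audits Security Group Management, User Account Management, Directory Service Changes and Logon, and that OUs and GPO containers carry a Write SACL so that 5136/5137/5141 are actually produced. The DC name, group list and account lists are placeholders.

```powershell
# Added example (not from the thread). Report the administration events the
# thread lists from one DC's Security log. Names below are placeholders.
$DC    = 'DC1'
$Since = (Get-Date).AddHours(-24)
$CriticalGroups   = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$CriticalAccounts = @('Administrator', 'krbtgt', 'svc-backup')   # password resets to watch
$AdminAccounts    = @('Administrator', 'neil.admin')            # logons to watch

$GroupChange = 4728, 4729, 4732, 4733, 4756, 4757  # member added/removed: global, local, universal
$PwdReset    = 4724                                # password reset by another account
$DsChange    = 5136, 5137, 5141                    # directory object modified / created / deleted
$Logon       = 4624                                # successful logon

$filter = @{ LogName = 'Security'; Id = $GroupChange + $PwdReset + $DsChange + $Logon; StartTime = $Since }
$events = Get-WinEvent -ComputerName $DC -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # EventData is easiest to read from the XML: one <Data Name="..."> per field
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    switch ($e.Id) {
        { $GroupChange -contains $_ } {
            # TargetUserName is the group, MemberName the DN of the member
            if ($CriticalGroups -contains $d.TargetUserName) {
                '{0} GROUP  {1} changed "{2}": {3} (event {4})' -f `
                    $e.TimeCreated, $d.SubjectUserName, $d.TargetUserName, $d.MemberName, $e.Id
            }
        }
        { $_ -eq $PwdReset } {
            if ($CriticalAccounts -contains $d.TargetUserName) {
                '{0} PASSWD {1} reset password of {2}' -f `
                    $e.TimeCreated, $d.SubjectUserName, $d.TargetUserName
            }
        }
        { $DsChange -contains $_ } {
            # OU create/delete/modify, GPO create/delete/modify (groupPolicyContainer)
            # and GPO linking, which is a write to gPLink on an OU or the domain head
            if (@('organizationalUnit', 'groupPolicyContainer', 'domainDNS') -contains $d.ObjectClass) {
                '{0} DS     {1} event {2} on {3} [{4}] attr={5}' -f `
                    $e.TimeCreated, $d.SubjectUserName, $e.Id, $d.ObjectDN, $d.ObjectClass, $d.AttributeLDAPDisplayName
            }
        }
        { $_ -eq $Logon } {
            # "from where": IpAddress is '-' for local and service logons, so skip those
            if ($AdminAccounts -contains $d.TargetUserName -and
                -not (@('-', '::1', '127.0.0.1') -contains $d.IpAddress)) {
                '{0} LOGON  {1} logon type {2} from {3} ({4})' -f `
                    $e.TimeCreated, $d.TargetUserName, $d.LogonType, $d.IpAddress, $d.WorkstationName
            }
        }
    }
}
```

Each DC only logs what happens on it, so run this against every DC (or forward the logs) rather than one. The 4624 entries on a DC are the network logons it served; an admin's interactive logon to a workstation is recorded on that workstation, and the DC's view of "from where" for Kerberos is the client address in the 4768 TGT request, which is easy to add to the filter the same way.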
[ActiveDir] Unable to discover computers in AD after upgrading to .NET Framework 2.0
http://www.microsoft.com/downloads/details.aspx?familyid=f53f1ef3-a7a0-4c45-aefc-7c1ec5dccaa6&displaylang=en Unable to discover computers in AD after upgrading to .NET Framework 2.0 -- Letting your vendors set your risk analysis these days? http://www.threatcode.com List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Unable to discover computers in AD after upgrading to .NET Framework 2.0 (should have been MOM can't find computers in AD after 2.0)
Sorry, should have described that a bit better... MOM can't find computers in AD after 2.0. Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote: http://www.microsoft.com/downloads/details.aspx?familyid=f53f1ef3-a7a0-4c45-aefc-7c1ec5dccaa6&displaylang=en Unable to discover computers in AD after upgrading to .NET Framework 2.0 -- Letting your vendors set your risk analysis these days? http://www.threatcode.com List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Domain rename and third party tool
Our company just changed its name, including its domain, and would also like to change our Active Directory domain. Currently we are using our AD just for Exchange. We will join our workstations, which currently are using Novell Netware, to AD soon.

Our AD domain:
- Current forest functional level is Windows 2000
- Current domain functional level is Windows 2000 Native.
- All the Active Directory servers are running Windows 2003 + SP1 with the latest updates.
- No clients (workstations or laptops) have been joined to the domain.
- AD is still pristine without any custom modifications.

Our Exchange servers:
- One front-end, two back-end servers, all running on Windows 2003
- Front end is Exchange 2003 Standard + SP1, back ends are Exchange 2003 Enterprise + SP1

Because the Exchange Organization Name cannot be changed at all, and while an AD domain can be renamed it may leave some debris behind, I would like to start with a new AD forest and a new Exchange 2003 organization.

The problems now are:
- Migration must be done very quickly (all should be done over the weekend)
- Users with their passwords should be migrated from the old domain to the new domain
- Our BlackBerry 4.0 and its users must be able to use the service before and after the migration.
- Users' computers have not joined the domain. Some scripting may need to be done for them to have the new Outlook profile.

My questions now: are there any 3rd-party tools recommended for this, and what is your preference? Also, do you have any tips regarding Active Directory migration?

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Domain rename and third party tool
Honestly? All the products I know of require some investment in time, planning, tests and effort to get used to them. They are not really deploy-and-go type solutions. I mention that because you appear to be in a dire emergency, and it is usually emergencies like this that tend to complicate migrations when all is said and done. So, if you are so constrained, I highly recommend that you drop everything now, grab something from Quest (they lead the market in popularity and ease of use) or download ADMT 3.0 (free from MS), lock yourself and your team in a lab and get married to the product for the next several days. If you have neither the time for the learning curve nor the bodies to execute a migration/rename project at such short notice, you might also want to consider seeking professional services from companies who do such for a living.

Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCT Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Irwan Hadi Sent: Mon 3/6/2006 8:23 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Domain rename and third party tool

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/