Re: [ActiveDir] How Secure is a Domain Controller?

2006-03-07 Thread Al Lilianstrom

Myrick, Todd (NIH/CC/DNA) [E] wrote:

Okay for you Susan, I will modify my statement... Add IPsec filter that only 
allows http traffic to update.microsoft.com.  Also, in the future MS will 
probably bake in the spyware service into the product, so it will be there 
anyway.  I think I helped flesh out the KB article on AV way back.
 


Do folks really use Windows/Microsoft Update for patching DCs?

I realize I'm a bit paranoid but you're still running a web browser on a DC.

al




From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [mailto:[EMAIL PROTECTED]
Sent: Mon 3/6/2006 2:27 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How Secure is a Domain Controller?



Question?

On a DC ...why do you need anti spyware?

If spyware enters via web browsing and email...and IE should never be
used/launched on a DC... why do you need it? If the enhanced IE lockdown
is still in place that shuts off scripting and what not.

Is it on my TS box and all workstations? Yup. On my DC. No. the only
site that that box surfs to is Microsoft Update (I mean I don't even go
to Joewear on that DC)

Why introduce another thing that might introduce new code and new
false positives?

(see Spybot that flagged Microsoft's remote desktop control for RWW as
spyware, see Microsoft's Antispyware that flagged Symantec as a trojan)

And if you do a/v ensure that the needed folders and files are excluded
(see prior posts in this forum about the KB articles regarding how to
set up a/v on a domain controller and Exchange servers)

Myrick, Todd (NIH/CC/DNA) [E] wrote:


To add my 2 cents.

   1. Add Anti-virus and Anti-Spyware detection.
   2. Configure and back up your event logs. At remote sites, I would
      recommend collecting the event logs on a faster rotation.
   3. Add monitoring. You want to monitor account lockout events and
      have notification when excessive amounts of authentications are
      occurring. (Tips you off to possible brute force attacks, and
      up/down situations.)
   4. Use IPSEC policies to not allow outside traffic to your DCs. (I
      haven't tried this, but the theory seems pretty solid.)
   5. Use GPOs to enforce group memberships for EA and Domain Admins.
   6. When possible do not have child domains; this allows you to use
      tighter security policies.
   7. Enforce all registry changes using GPOs. Things like DNS record
      weight, fixed ports for NTDS and FRS replication, etc. should be
      set this way to avoid mis-configuration.
   8. At a minimum have an MFT backup of the AD system state done at a
      central site each night. If you should lose objects, etc., having
      this will give you options for restore. Not having it, you're doomed.
   9. Make sure your account policies balance the need to thwart an
      attack but also consider the potential for brute force and
      denial of service. You don't want to come in on Monday to 40K
      accounts locked out, and everyone waiting for you to unlock them.
  10. TBD

Todd Myrick



*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
*Sent:* Monday, March 06, 2006 11:23 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] How Secure is a Domain Controller?


I understand/stood what you were saying, just was hoping to bring out
a clearer answer for some of the lurker/newbies on the list (of which
there are many). And you provided exactly that clarification which was
excellent. Thank you.
**[Neil Ruston] You're welcome :)**

I still personally believe in the statement that if I can touch your
server, I own your server. There just is no good technical solution to
a physical problem, and it's part of our job responsibility to make
that clear to management.
**[Neil Ruston] Sometimes we're forced to make compromises due to
management and political pressure. Ulf has written an article which
helps to secure the DC if it finds itself physically insecure.
Ideally, the DC would not be deployed at all, but the world [of IT] is
far from ideal... :)**



*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of
[EMAIL PROTECTED]
*Sent:* Monday, March 06, 2006 9:52 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] How Secure is a Domain Controller?

You misunderstand :)

Ulf was suggesting that, in order to protect the AD data on a poorly
protected DC, strong passwords should be used that are harder to
crack.

In the event that the disks were compromised, the hacker would not be
able to crack a 20 char pw. He does not suggest the use of 20 char
passwords to logon to the DC but instead, it is suggested as a way to
further protect the AD data, in the event that physical protection is
weak.

hth,

neil




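Todd's item 3 above (watch lockouts, alert on bursts of failed authentication) is easy to state and rarely wired up. The script below is an added example, not code from anyone in this thread. It pulls the relevant Security events from one DC over a short window, counts them per source, and emits a record for every source over a threshold so a scheduled job can page on it. It assumes a Windows Server 2008 or later DC, where the Security log carries 4740 (account locked out), 4771 (Kerberos pre-auth failure) and 4776 (NTLM validation); the 2003-era DCs discussed here log 644, 675 and 680 instead. The window and thresholds are illustrative assumptions.

```powershell
# Added example, not from the thread: summarise lockouts and bad-password
# bursts seen by one DC (Todd's item 3). Assumes a 2008+ DC; on Windows 2003
# the equivalent event IDs are 644 / 675 / 680. Thresholds are assumptions.
Import-Module ActiveDirectory

function Get-EventDataField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    # Read a named EventData field from the event XML. Positional
    # $Event.Properties[] indexes differ between event IDs, so use names.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-DcAuthPressure {
    param(
        [string]$DomainController = $env:COMPUTERNAME,
        [int]$LookBackMinutes = 15,
        [int]$LockoutThreshold = 5,     # lockouts caused by one caller computer
        [int]$FailureThreshold = 200    # bad-password attempts from one source
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4740, 4771, 4776
        StartTime = (Get-Date).AddMinutes(-$LookBackMinutes)
    }
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter `
                           -ErrorAction SilentlyContinue

    $lockouts = @{}   # caller computer name -> number of 4740 events
    $failures = @{}   # source IP or workstation -> number of bad-password events
    foreach ($e in $events) {
        switch ($e.Id) {
            4740 {
                # In 4740 the caller computer name is carried in TargetDomainName.
                $caller = Get-EventDataField $e 'TargetDomainName'
                $lockouts[$caller] = 1 + $lockouts[$caller]
            }
            4771 {
                # Status 0x18 = KDC_ERR_PREAUTH_FAILED, i.e. wrong password.
                if ((Get-EventDataField $e 'Status') -eq '0x18') {
                    $src = Get-EventDataField $e 'IpAddress'   # e.g. ::ffff:10.1.2.3
                    $failures[$src] = 1 + $failures[$src]
                }
            }
            4776 {
                # Status 0xC000006A = STATUS_WRONG_PASSWORD for NTLM.
                if ((Get-EventDataField $e 'Status') -eq '0xc000006a') {
                    $src = Get-EventDataField $e 'Workstation'
                    $failures[$src] = 1 + $failures[$src]
                }
            }
        }
    }

    # One record per offending source; an empty result means "quiet".
    foreach ($k in $lockouts.Keys) {
        if ($lockouts[$k] -ge $LockoutThreshold) {
            [pscustomobject]@{ DC = $DomainController; Kind = 'Lockouts'
                               Source = $k; Count = $lockouts[$k] }
        }
    }
    foreach ($k in $failures.Keys) {
        if ($failures[$k] -ge $FailureThreshold) {
            [pscustomobject]@{ DC = $DomainController; Kind = 'BadPasswords'
                               Source = $k; Count = $failures[$k] }
        }
    }
}

# Run against every DC in the domain; swap Write-Warning for Send-MailMessage
# or whatever hook your monitoring agent offers.
$findings = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-DcAuthPressure -DomainController $dc
}
$findings | ForEach-Object {
    Write-Warning "$($_.DC): $($_.Count) $($_.Kind) from $($_.Source)"
}
```

Two things worth knowing before trusting the numbers: lockouts are recorded on the PDC emulator as well as on the DC that processed the bad password, so run it against all DCs and expect duplicates for the same user; and 4771/4776 only appear if audit policy for account logon events is on, which is the default on DCs but is worth confirming. Counting per source rather than per user is what separates a password-spray or a mis-configured service from a single forgetful user, which speaks to Todd's item 9 as well.
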
Re: [ActiveDir] How Secure is a Domain Controller?

2006-03-07 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Personally Shavlik here... but the SBS boxes will be using WSUS in the 
R2 era.


RE: [ActiveDir] There must be an easier way...

2006-03-07 Thread Larry Wahlers
Thanks, everybody, for your helpful replies. Just to clarify:

We have an empty root domain.
We have several child domains, one of which is our main domain with most
of the objects. That main domain has 5 sites. One of those sites has one
DC in it. That physical site also has an administrator who talked me
into promoting one of his servers to a DC in the root domain, since only
I know the root domain administrator password.

The plan was that we would let things replicate, then ghost the two
DCs, bring the two DCs over to my location, cut the wire between us,
demote the two DCs and remove them from the domain, take them back over
to the site that's leaving, re-ghost the machines back so they're DCs
again in their copy of our domains, change the root domain
administrator password to something those guys know, and let them have
at it in their own copy of our domain. Then, their users continue to
log on to their copy of our domain in their own forest, while the IT
group gets stuff migrated over to what will be their real new forest.

Unfortunately, the very evening that I promoted their DC, this guy cut
the line. So, now I have to run ntdsutil to clean up.

But, fortunately, I just happened to be signed up for an intermediate AD
class in which we did that very thing today. So, I think I'm OK, along
with the great suggestions here.

As I see it, the steps are:

1. Run NTDSUTIL and remove the two DCs.
2. Wait until tomorrow - overnight should be plenty of time for
replication. (We only have about 800 users total)
3. Go into Sites and Services and delete the computers from the site,
and then the site itself.
4. Probably have to delete the connections to either of the deleted
computers from the many other DCs.

Thanks again, all. If there's something I've missed, I'm all ears!

-- 
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] There must be an easier way...

2006-03-07 Thread deji
You will then need to look in DNS and delete every reference to any of the
DCs in any zone or sub-zone.
You will then go into ADUC, Domain Controller OU, and manually delete the DCs
from there.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon
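
Between Larry's four steps and deji's two additions the full cleanup list is: metadata cleanup in ntdsutil, the server and connection objects in Sites and Services, the site itself, the DNS records, and the computer accounts in the Domain Controllers OU. What usually goes wrong is not the cleanup but the leftovers, so the script below is an added example (not code from Larry, deji or anyone else on the list) that reports every remaining reference to the removed DCs in each of those places once ntdsutil has run and replication has settled. It only reports; delete by hand after checking each hit. It assumes the ActiveDirectory and DnsServer RSAT modules, and the DC names, domain names, DNS server and zone names at the bottom are placeholders, not Larry's.

```powershell
# Added example, not from the thread: find stale references to DCs that were
# removed with "ntdsutil metadata cleanup". Report-only. Assumes the
# ActiveDirectory and DnsServer modules; names at the bottom are placeholders.
Import-Module ActiveDirectory
Import-Module DnsServer

function New-Finding([string]$Dc, [string]$Where, [string]$Detail) {
    [pscustomobject]@{ RemovedDC = $Dc; Where = $Where; Detail = $Detail }
}

function Find-StaleDcReferences {
    param(
        [string[]]$RemovedDCs,   # short host names of the DCs that were removed
        [string[]]$Domains,      # DNS names of every domain they belonged to
        [string]$DnsServer,      # a DNS server that hosts the zones below
        [string[]]$Zones         # forward zones to scan, including _msdcs.<forest root>
    )
    $configNC = (Get-ADRootDSE).configurationNamingContext

    foreach ($dc in $RemovedDCs) {
        $escaped = [regex]::Escape($dc)

        # 1. Server object under CN=Sites. ntdsutil removes the NTDS Settings
        #    child; the server object itself is what Larry's step 3 deletes.
        Get-ADObject -SearchBase $configNC -LDAPFilter "(&(objectClass=server)(cn=$dc))" |
            ForEach-Object { New-Finding $dc 'Sites: server object' $_.DistinguishedName }

        # 2. Replication connection objects on surviving DCs that still name the
        #    removed DC as their source (Larry's step 4).
        Get-ADObject -SearchBase $configNC -LDAPFilter '(objectClass=nTDSConnection)' `
                     -Properties fromServer |
            Where-Object { $_.fromServer -like "*CN=$dc,CN=Servers,*" } |
            ForEach-Object { New-Finding $dc 'Sites: connection object' $_.DistinguishedName }

        # 3. Computer account in the Domain Controllers OU (deji's ADUC step).
        #    Query each domain through one of its own DCs to avoid referrals;
        #    Larry's pair lived in two domains, root and child.
        foreach ($domain in $Domains) {
            $domainDN = (Get-ADDomain -Identity $domain).DistinguishedName
            Get-ADObject -Server $domain -SearchBase "OU=Domain Controllers,$domainDN" `
                         -LDAPFilter "(&(objectClass=computer)(cn=$dc))" |
                ForEach-Object { New-Finding $dc 'ADUC: Domain Controllers OU' $_.DistinguishedName }
        }

        # 4. DNS (deji's first step): records owned by the host, plus any SRV,
        #    CNAME or NS record whose data points at its FQDN. The _msdcs CNAME
        #    is named by the DSA GUID, not the host, so the data must be scanned.
        foreach ($zone in $Zones) {
            Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone |
                Where-Object {
                    $data = $_.RecordData.PSObject.Properties.Value -join ' '
                    $_.HostName -eq $dc -or $data -match "(^|[\s.])$escaped\."
                } |
                ForEach-Object {
                    $data = $_.RecordData.PSObject.Properties.Value -join ' '
                    New-Finding $dc "DNS: $zone" ("{0} {1} {2}" -f $_.HostName, $_.RecordType, $data)
                }
        }
    }
}

# Placeholder names for this forest (assumptions, not Larry's real ones).
Find-StaleDcReferences -RemovedDCs 'SITE-DC01', 'SITE-ROOTDC01' `
    -Domains 'example.com', 'main.example.com' `
    -DnsServer 'hq-dc01.main.example.com' `
    -Zones 'example.com', 'main.example.com', '_msdcs.example.com' |
    Format-Table -AutoSize
```

Run it once after the overnight replication Larry is waiting for, and again after each manual deletion. An empty result for section 1 is what tells you the site in Larry's step 3 is actually empty and safe to remove; a hit in section 2 on a DC you did not expect is the connection object that the KCC will otherwise keep trying, and failing, to replicate from. Static DNS records do not age out, so the section 4 hits stay until someone deletes them.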


[ActiveDir] WMIDiag is a New Utility for Diagnosing and Helping in Repairing Problems with the WMI Service

2006-03-07 Thread Alain Lissoir




For those of you interested ...

WMIDiag is a new utility for diagnosing and helping in repairing problems
with the WMI service. It works from Windows 2000 up to 2003 (including XP
and all SPs).

WMIDiag usage:
http://www.microsoft.com/technet/scriptcenter/topics/help/wmidiag.mspx

WMIDiag download:
http://www.microsoft.com/downloads/details.aspx?FamilyID=d7ba3cd6-18d1-4d05-b11e-4c64192ae97d&DisplayLang=en

WMIDiag webcast tomorrow:
Title: Troubleshooting Windows Management Instrumentation (WMI)
Date/Time: 3/8/2006 9:30 AM Pacific
Duration: 60 minutes
Presenter: Alain Lissoir
Attendee Registration URL: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032290320&Culture=en-US

Regards,
/Alain


Alain LISSOIR
[EMAIL PROTECTED]
Home Page: http://www.LissWare.Net
Where am I? http://map.LissWare.Net