Re: [ActiveDir] Risks of exposure of machine account passwords

2007-01-08 Thread Michael B Allen
On Tue, 9 Jan 2007 14:13:33 +1100
"Ken Schaefer" <[EMAIL PROTECTED]> wrote:

> I'm not sure what NTLM SSO Pass-Through is, but NTLM is not natively
> delegatable, so you can't (in the normal course of events) use this to create
> an account anywhere except on the local machine. There may be easier ways to
> create accounts on local machines.

Perhaps "proxy" would be a better term. When the web client requests the
challenge you request it from the target server (e.g. the DC) and send
it back to the client. When the client sends the password hashes you
send them to the target server. So the web client doesn't authenticate
with the web server it authenticates directly with the target server by
proxying the NTLMSSP tokens.

This is effectively a man-in-the-middle attack. Digital signatures are
used to thwart an MITM so if you require SMB signing you can prevent such
an attack (although if you can authenticate LDAP with NTLM you might be
able to get around that).

Actually now that I think about it I think W2K3 requires SMB signing so
maybe this permutation wouldn't work. But workstations do not require
SMB signing. One could authenticate back to the client and place and
create an account or simply place an executable in their Startup.

But again, if you're already trusted on the network it's game over.

Mike

> 
> On Mon, 8 Jan 2007 15:33:01 -0500
> "joe" <[EMAIL PROTECTED]> wrote:
> 
> 
> But I can add an improved permutation to your dirty trick. Send out an
> email with a link to your site but use NTLM SSO pass-through to create a
> bogus account with a predefined password. If someone with domain admin
> privs so much as stumbles across your site they will create the said
> account and not even know they did it. No credentials necessary and no
> SSO account necessary. Just a website with an FQDN.
> 
> There is one simple security setting that will thwart this attack
> though. For bonus points, does anyone know what it is? :->
> 
> Mike


-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx


RE: [ActiveDir] ADfind to find locked accounts

2007-01-08 Thread joe
The userAccountControl is not used for indicating a locked status when using
LDAP, this applies both to LDAP and the LDAP ADSI interface. If you want the
status of an account using that mechanism, with K3 you can use
msDS-User-Account-Control-Computed however note the constructed... You
cannot query that attribute, only retrieve it as an attribute in another
query. The only way to query, and how unlock does it, is via the lockoutTime
attribute. As the others mentioned, you can do lockoutTime that has a value
greater than 0, however it needs to be in the filter as lockoutTime>=1 since
lockoutTime>0 is an invalid filter. Note that that will return both accounts
that are locked as well as accounts that are already unlocked due to the
lockout period expiring but no one has logged into them yet. I.E. If you are
looking for accounts locked out right this second, you will get false
positives. 
 
The proper way to get currently locked out accounts, the method used by
unlock, is to get the domain policy for lockout duration and calculate the
proper value for lockoutTime which will be the current time minus lockout
duration, anything locked after that time stamp is currently locked. That is
the value you use to query AD for.
 
If I absolutely had to do it with adfind with a single command line I would
use CSV mode with grep or findstr like so
 
adfind -default -f "&(samaccounttype=805306368)(lockouttime>=1)"
msDS-User-Account-Control-Computed -samdc -csv |grep "LOCKED"
 
That would be a list of currently locked accounts. It would be relatively
efficient unless you have a lot of accounts that have passed the lockout
duration but no one ever logged into them afterward.
 
 
  joe
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, December 19, 2006 5:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADfind to find locked accounts



I'm using a bitwise filter to search for locked accounts using ADFind.

 

I have one particular account, a service account, that is locked out and
also has Password No Expire set.

 

In ADFind it comes up as such.

 

C:\tools>adfind -default -bit -f samaccountname=servaccount -alldc
useraccountcontrol

 

AdFind V01.33.00cpp Joe Richards ([EMAIL PROTECTED]) October 2006

 

Transformed Filter: samaccountname=servaccount

Using server: dc.appsig.com:389

Directory: Windows 2000

Base DN: DC=appsig,DC=com

 

dn:CN=servaccount,OU=APSG SvcAccounts,DC=appsig,DC=com

>userAccountControl: 66048 [NORMAL_USER(512);NO_EXPIRE(65536)]

 

Why does the userAccountControl read as 512+65536 only?  Shouldn't it be 512
(Normal User) + 16 (Locked Out) + 65536 (No Expire) = 66064?

 

In fact, I cannot even find this account when searching for locked accounts
via ADFind.  The only reason I realized it was locked out was because I also
used Joe's Unlock utility to search for all locked accounts and it returned
this account as part of the search.  

 

C:\tools>unlock . * -view

 

Unlock V02.01.00cpp Joe Richards ([EMAIL PROTECTED]) August 2004

 

Processed at dc.appsig.com

Default Naming Context: DC=appsig,DC=com

 

1: servaccount12/15/2006-10:52:45 LOCKED   VIEW_ONLY

 

 

I'm probably just missing something here, but was hoping for some
clarification.

 

Thanks,

~Ben


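A worked version of the lockout check joe describes above and of the userAccountControl value in Ben's output, as an added example that is not code from the posts, from AdFind or from Unlock: it converts the domain's lockoutDuration into a lockoutTime threshold (now minus the duration, as a FILETIME), builds the equivalent LDAP filter, and decodes the flag bits to show why 66048 carries no LOCKOUT bit. The 30-minute policy value, the "now" timestamp and the second, stale lockout are constructed for the demonstration.

```python
from datetime import datetime, timedelta, timezone

# lockoutTime is a Windows FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# lockoutDuration value meaning "locked until an administrator unlocks it".
FOREVER = -(2 ** 63)

# userAccountControl bits (Windows SDK names). The LOCKOUT bit is never set in the
# value LDAP returns, which is why Ben saw 512 + 65536 and not 512 + 16 + 65536.
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWD": 0x10000,
}


def decode_uac(value):
    """Names of the flags set in a userAccountControl integer, e.g. 66048."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def datetime_to_filetime(dt):
    """Convert an aware datetime to a Windows FILETIME integer."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_lockout_duration(raw):
    """The domain's lockoutDuration is stored as a negative 100ns interval
    (-18000000000 is 30 minutes). Returns None when lockouts never expire."""
    if raw == FOREVER:
        return None
    return timedelta(microseconds=-raw // 10)


def lockout_threshold(now, lockout_duration):
    """Smallest lockoutTime that is still inside the lockout window. With a
    never-expiring policy any non-zero lockoutTime counts, so the threshold is 1."""
    if lockout_duration is None:
        return 1
    return datetime_to_filetime(now - lockout_duration)


def currently_locked_filter(now, lockout_duration):
    """LDAP filter for user objects (sAMAccountType 805306368) whose lockoutTime
    is at or after now minus the lockout duration, i.e. still locked right now."""
    threshold = lockout_threshold(now, lockout_duration)
    return "(&(sAMAccountType=805306368)(lockoutTime>=%d))" % threshold


def is_currently_locked(lockout_time, now, lockout_duration):
    """Same rule applied client-side to a lockoutTime read from AD.
    A lockoutTime of 0 means the account was explicitly unlocked."""
    return lockout_time != 0 and lockout_time >= lockout_threshold(now, lockout_duration)


# Constructed sample: a 30-minute policy, "now" a few minutes after the lockout
# time in Ben's unlock output (12/15/2006 10:52:45, treated as UTC here), plus
# an older lockout whose window has already expired.
SAMPLE_POLICY_RAW = -18_000_000_000
SAMPLE_NOW = datetime(2006, 12, 15, 11, 0, 0, tzinfo=timezone.utc)
RECENT_LOCKOUT = datetime_to_filetime(datetime(2006, 12, 15, 10, 52, 45, tzinfo=timezone.utc))
STALE_LOCKOUT = datetime_to_filetime(datetime(2006, 12, 15, 9, 0, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    duration = parse_lockout_duration(SAMPLE_POLICY_RAW)
    print("66048 decodes to", decode_uac(66048))
    print("filter:", currently_locked_filter(SAMPLE_NOW, duration))
    for label, lt in (("recent", RECENT_LOCKOUT), ("stale", STALE_LOCKOUT)):
        print(label, "currently locked:", is_currently_locked(lt, SAMPLE_NOW, duration))
```

The stale account is exactly the false positive joe warns about: a plain lockoutTime>=1 filter returns it, the threshold filter does not.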

RE: [ActiveDir] DNS Comments

2007-01-08 Thread Wells, James Arthur
If there are enough deltas that aren’t being made by Dynamic DNS, then I would 
suggest just looking into an IPAM solution like Infoblox or Bluecat.  Either 
one can provide a management interface and BIND server that can then be merged 
with your existing zone through a number of API options…

 

 

--James

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, January 08, 2007 8:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Comments

 

Integrated. They tell me they make a couple updates a day to the zone.

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, January 08, 2007 7:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS Comments

 

Weird name but they get good press.  I haven't tried them myself, but I've 
heard of them.  

 

Most of the others out there tend to want to take over the DNS vs. provide 
tools.  Personally, I'm a fan of setting it up well (design for success and all 
that) and using cli to manage so I haven't really researched after-market 
tools.  

 

One thing that comes to mind: is this going to be integrated or traditional 
zone with primary and secondary configurations? 

 

How much maintenance is expected?   

 

On 1/8/07, Brian Desmond <[EMAIL PROTECTED]> wrote: 

What a weird name – thanks for the link

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, January 08, 2007 7:33 PM 


To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Comments

 

I like these guys: http://www.miceandmen.com/

 

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, January 08, 2007 4:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Comments 

 

Well there hasn't been some sort of ruling on whether the existing BIND folks 
will get new tools or the AD team (which is very gui dependent) will take it 
over. 

 

Are there any commercial tools you'd recommend I look at as far as management 
goes?

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, January 07, 2007 1:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS Comments 

 

Backup a second - how do you plan to manage the zones? 

 

I ask because this might be a good time to re-evaluate the metadata concept of 
the zones. 

 

In BIND you see that information because of the way you manage the zone.  In AD 
there is a different way to manage the zone information that doesn't include 
that information.  

 

If you decide to manage the zones the same way, then handle the comments the 
same way.  If you decide to go GUI (often a shock for a real BIND techie and 
often doesn't last long) then consider using a CMDB-type of mechanism to record 
the metadata. You may also consider some alternate tools to manage
the DNS systems instead of the built in tools.  Performance is pretty rough 
with the included anyway so it's not like you won't consider it later :) 

 

This is a change in the way they do things.  It deserves a change in the way 
they are used to doing things. 

 

Al

 

On 1/5/07, Brian Desmond <[EMAIL PROTECTED]> wrote: 

Does anyone on this DL have experience with this problem?

 

I am working on potentially migrating numerous UNIX BIND zones to AD Integrated 
DNS. The BIND zones have various comments in them which go with the record. I 
believe the dnsNode class in AD supports a notes field or similar but the GUI 
doesn't. How do people manage metadata about their DNS zones? 

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

 

 



RE: [ActiveDir] Risks of exposure of machine account passwords

2007-01-08 Thread Ken Schaefer
I'm not sure what NTLM SSO Pass-Through is, but NTLM is not natively
delegatable, so you can't (in the normal course of events) use this to create
an account anywhere except on the local machine. There may be easier ways to
create accounts on local machines.
 
Cheers
Ken



From: [EMAIL PROTECTED] on behalf of Michael B Allen
Sent: Tue 9/01/2007 9:34 AM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Risks of exposure of machine account passwords



On Mon, 8 Jan 2007 15:33:01 -0500
"joe" <[EMAIL PROTECTED]> wrote:


But I can add an improved permutation to your dirty trick. Send out an
email with a link to your site but use NTLM SSO pass-through to create a
bogus account with a predefined password. If someone with domain admin
privs so much as stumbles across your site they will create the said
account and not even know they did it. No credentials necessary and no
SSO account necessary. Just a website with an FQDN.

There is one simple security setting that will thwart this attack
though. For bonus points, does anyone know what it is? :->

Mike



RE: [ActiveDir] Risks of exposure of machine account passwords

2007-01-08 Thread joe
> You can't treat everyone inside your network like criminals or you'll
> never get anything done. 

I don't completely agree with this. When you are an admin, especially a DA,
you need to be extremely paranoid about things and trust very little that
you need to be etxremely paranoid about things and trust very little that
you don't directly control when using your ID. When I see folks who aren't
running separate accounts for admin work and normal work I know they aren't
paranoid enough. Then if someone had two accounts the next question is are
the passwords synced which is pretty normal to see but almost as bad as
using your DA ID to log into your PC and doing work in which you aren't
specifically making changes. The next thing to do to cut down on risk is do
interactive auth as well as application auth to servers and DCs as little as
possible with enhanced IDs. Just too many possible ways to get screwed
whether on purpose or by accident to treat anything but proven trusted
systems and people as anything but a danger. Yes it slows you down, but
folks need to be very careful with their most powerful IDs. If people follow
these guidelines it is considerably more difficult to compromise them
through social engineering types of attacks such as outlined.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: Michael B Allen [mailto:[EMAIL PROTECTED] 
Sent: Monday, January 08, 2007 5:35 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Risks of exposure of machine account passwords

On Mon, 8 Jan 2007 15:33:01 -0500
"joe" <[EMAIL PROTECTED]> wrote:

> A dirty trick I have used in the
> past to disprove how secure an environment was was to set up a web site on a
> workstation, enable basic auth only, write a little perl cgi script to write
> the creds sent to the website to a log file and throw up a website
> unavailable screen and then tell admins that I have a web site that doesn't
> seem to authenticate users properly could they try to logon to see if it is
> just my test IDs or a permission problem. I would say at least 50%-60% of
> the time the admins will go to the page and type in their creds. Alternately
> try to get an admin to log into a workstation I control. In far too many
> cases I think you will find admins are users too... :) 

If you already own a machine with an FQDN and you can send email to people
as someone internal then it would be pretty hard to keep you out since
you're already somewhat trusted. You can't treat everyone inside
your network like criminals or you'll never get anything done. And if
you do have a criminal inside you should take it up with HR not IT.

But I can add an improved permutation to your dirty trick. Send out an
email with a link to your site but use NTLM SSO pass-through to create a
bogus account with a predefined password. If someone with domain admin
privs so much as stumbles across your site they will create the said
account and not even know they did it. No credentials necessary and no
SSO account necessary. Just a website with an FQDN.

There is one simple security setting that will thwart this attack
though. For bonus points, does anyone know what it is? :->

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/



RE: [ActiveDir] Risks of exposure of machine account passwords

2007-01-08 Thread joe
You used LC3/pwdump to extract from a DC or from the machine itself? If you
have the ability to run a service as localsystem on a DC, obviously there is
no need to crack a machine account password...
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ziots, Edward
Sent: Monday, January 08, 2007 4:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Risks of exposure of machine account passwords


Actually machine passwords can be extracted from LC3 and higher, done it
myself, and it seems that Windows' choice of secure password with the DCs
isn't that hard to crack. You can also use Ophcrack with rainbow tables, and
cachedump or pwdump3e to get the computer account hash and crack that bugger
simply. 
 
I agree, it's gotta usually be an inside job to get it, and the computer
account could prove less fruitful than a juicier user account with higher
level access, but it's an interesting way to hack I suppose. 
 
TY
Z
 

Edward E. Ziots 
Network Engineer 
Lifespan Organization 
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security + 
email:[EMAIL PROTECTED] 
cell:401-639-3505 

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 08, 2007 3:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Risks of exposure of machine account passwords


If an attacker gets access to a machine account password they can connect to
AD as that computer which is usually just normal user access rights. In
fact, if you set up an auth as the computer and tap an ADAM instance and
look at the RootDSE it will show you the groups you are a member of that are
right for that context. For example:
 
>tokenGroups: TEST\TESTCMP$
>tokenGroups: TEST\Domain Computers
>tokenGroups: Everyone
>tokenGroups: BUILTIN\Users
>tokenGroups: NT AUTHORITY\NETWORK
>tokenGroups: NT AUTHORITY\Authenticated Users
>tokenGroups: NT AUTHORITY\This Organization
 
I don't think overall that computer accounts are any more risky than normal
userids. On the flip side, I think it is silly to leave enabled machine
accounts lying around for computers that you are relatively sure will never
reconnect. That is why I wrote oldcmp and make it available to everyone. 
 
The key part is as Al mentioned, how did they get that password? I don't
recall seeing anything that will extract that from a machine and even so, I
expect it is much easier and useful to target user passwords than computer
passwords - primarily admin type user's. A dirty trick I have used in the
past to disprove how secure an environment was was to set up a web site on a
workstation, enable basic auth only, write a little perl cgi script to write
the creds sent to the website to a log file and throw up a website
unavailable screen and then tell admins that I have a web site that doesn't
seem to authenticate users properly could they try to logon to see if it is
just my test IDs or a permission problem. I would say at least 50%-60% of
the time the admins will go to the page and type in their creds. Alternately
try to get an admin to log into a workstation I control. In far too many
cases I think you will find admins are users too... :) 
 
  joe
 
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mr Oteece
Sent: Monday, January 08, 2007 1:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Risks of exposure of machine account passwords


What are the risks associated with the exposure of machine account passwords
in Active Directory? Passwords are changed for machine accounts regularly,
but they don't really expire and can get rather old. If an attacker has
access to this password, what sort of access would he have to other systems
on the network via Kerberos? i.e., would he be able to forge service tickets
as other users and elevate his access elsewhere? The laxness of policy
surrounding these accounts suggests that this is not a huge risk. Should we
be more concerned with these old passwords? 
 
Otis 


RE: [ActiveDir] Decode the msExchMailboxSecurityDescriptor attribute.

2007-01-08 Thread joe
Yes it is a binary octet string, it is a normal security descriptor and can
be manipulated like you would manipulate security descriptors in compiled
apps normally. If you are scripting, then use adfind to dump the attribute
with the -sddl+ or -sddl++ switches and if you want the SIDs and SDDL
encoded secprins decoded use -resolvesids.
 
  joe
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Monday, January 08, 2007 5:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Decode the msExchMailboxSecurityDescriptor attribute.


Hello,
 
I'd like to dump the msExchMailboxSecurityDescriptor attribute of a user
object into readable format. It seems that the value is in binary blob
format.
 
Is there a way to do this ?
 
Thanks,
 
Yann
 



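An added example, not AdFind's -sddl code, of what decoding the "binary octet string" joe refers to involves: it parses a self-relative Windows security descriptor (header, owner and group SIDs, DACL and its ACEs) and renders the result as SDDL, the same text form AdFind prints. The descriptor it decodes is constructed inline with made-up domain SIDs and access masks; SIDs that -resolvesids would turn into names are left numeric here except for a few well-known SDDL aliases.

```python
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACE_TYPE_CHARS = {0: "A", 1: "D"}  # ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE
# SDDL aliases for a few well-known SIDs; anything else is emitted as S-1-...
WELL_KNOWN = {"S-1-1-0": "WD", "S-1-5-11": "AU", "S-1-5-18": "SY", "S-1-5-32-544": "BA"}


def parse_sid(buf, offset):
    """Decode a binary SID at offset; returns (text form, byte length)."""
    revision, count = buf[offset], buf[offset + 1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, offset + 8)
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs), 8 + 4 * count


def parse_acl(buf, offset):
    """Decode an ACL into (ace_type, ace_flags, access_mask, sid) tuples.
    ACE types whose body is not just mask + SID (object ACEs, callback ACEs)
    are skipped using their AceSize instead of being mis-parsed."""
    _rev, _sbz1, _acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", buf, offset)
    aces, pos = [], offset + 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        if ace_type in ACE_TYPE_CHARS:
            mask = struct.unpack_from("<I", buf, pos + 4)[0]
            aces.append((ace_type, ace_flags, mask, parse_sid(buf, pos + 8)[0]))
        pos += ace_size
    return aces


def parse_security_descriptor(buf):
    """Read the 20-byte header and follow the owner, group and DACL offsets."""
    revision, _sbz1, control, off_owner, off_group, _off_sacl, off_dacl = \
        struct.unpack_from("<BBHIIII", buf, 0)
    if revision != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative security descriptor")
    return {
        "owner": parse_sid(buf, off_owner)[0] if off_owner else None,
        "group": parse_sid(buf, off_group)[0] if off_group else None,
        "dacl": parse_acl(buf, off_dacl) if control & SE_DACL_PRESENT and off_dacl else None,
    }


def to_sddl(sd):
    """Render as SDDL: O:owner G:group D:(type;flags;rights;;;sid)... with
    rights written as a hex mask, which SDDL accepts."""
    def alias(sid):
        return WELL_KNOWN.get(sid, sid)
    out = ""
    if sd["owner"]:
        out += "O:" + alias(sd["owner"])
    if sd["group"]:
        out += "G:" + alias(sd["group"])
    if sd["dacl"] is not None:
        out += "D:" + "".join("(%s;;0x%x;;;%s)" % (ACE_TYPE_CHARS[t], mask, alias(sid))
                              for t, _flags, mask, sid in sd["dacl"])
    return out


def build_sid(text):
    """Inverse of parse_sid, used only to construct the sample below."""
    parts = [int(p) for p in text.split("-")[1:]]
    subs = parts[2:]
    return (bytes([parts[0], len(subs)]) + parts[1].to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def build_sample_descriptor():
    """Constructed sample (made-up domain SIDs): owned by BUILTIN\\Administrators,
    DACL grants Administrators full control and denies one user everything."""
    owner = build_sid("S-1-5-32-544")
    group = build_sid("S-1-5-21-1234-5678-9012-513")
    aces = b""
    for ace_type, mask, sid in ((0, 0x1F01FF, "S-1-5-32-544"),
                                (1, 0x10000000, "S-1-5-21-1234-5678-9012-1106")):
        body = struct.pack("<I", mask) + build_sid(sid)
        aces += struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), 2, 0) + aces  # ACL_REVISION = 2
    off_owner, off_group = 20, 20 + len(owner)
    off_dacl = off_group + len(group)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         off_owner, off_group, 0, off_dacl)
    return header + owner + group + acl


if __name__ == "__main__":
    print(to_sddl(parse_security_descriptor(build_sample_descriptor())))
```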

RE: [ActiveDir] DNS Comments

2007-01-08 Thread Brian Desmond
Integrated. They tell me they make a couple updates a day to the zone.

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 


Re: [ActiveDir] DNS Comments

2007-01-08 Thread Al Mulnick

Weird name but they get good press.  I haven't tried them myself, but I've
heard of them.

Most of the others out there tend to want to take over the DNS vs. provide
tools.  Personally, I'm a fan of setting it up well (design for success and
all that) and using cli to manage so I haven't really
researched after-market tools.

One thing that comes to mind: is this going to be integrated or traditional
zone with primary and secondary configurations?

How much maintenance is expected?



RE: [ActiveDir] DNS Comments

2007-01-08 Thread Brian Desmond
What a weird name – thanks for the link

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 


RE: [ActiveDir] DNS Comments

2007-01-08 Thread Darren Mar-Elia
I like these guys: http://www.miceandmen.com/

 

 

 


RE: [ActiveDir] DNS Comments

2007-01-08 Thread Brian Desmond
Well there hasn’t been some sort of ruling on whether the existing BIND folks 
will get new tools or the AD team (which is very gui dependent) will take it 
over.

 

Are there any commercial tools you’d recommend I look at as far as management 
goes?

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, January 07, 2007 1:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS Comments

 

Backup a second - how do you plan to manage the zones? 

 

I ask because this might be a good time to re-evaluate the metadata concept of 
the zones. 

 

In BIND you see that information because of the way you manage the zone.  In AD 
there is a different way to manage the zone information that doesn't include 
that information.  

 

If you decide to manage the zones the same way, then handle the comments the 
same way.  If you decide to go GUI (often a shock for a real BIND techie and 
often doesn't last long) then consider using a CMDB-type of mechanism to record 
the metadata. You may also consider some alternate tools to manage the DNS 
systems instead of the built in tools.  Performance is pretty rough with the 
included anyway so it's not like you won't consider it later :) 

 

This is a change in the way they do things.  It deserves a change in the way 
they are used to doing things. 

 

Al

 

On 1/5/07, Brian Desmond <[EMAIL PROTECTED]> wrote: 

Does anyone on this DL have experience with this problem?

 

I am working on potentially migrating numerous UNIX BIND zones to AD Integrated 
DNS. The BIND zones have various comments in them which go with the record. I 
believe the dnsNode class in AD supports a notes field or similar but the GUI 
doesn't. How do people manage metadata about their DNS zones? 

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

 



Re: [ActiveDir] Risks of exposure of machine account passwords

2007-01-08 Thread Al Mulnick

Just one?

I prefer the on|off bit to be flipped.  What was your method? :)

On 1/8/07, Michael B Allen <[EMAIL PROTECTED]> wrote:


On Mon, 8 Jan 2007 15:33:01 -0500
"joe" <[EMAIL PROTECTED]> wrote:

> A dirty trick I have used in the
> past to disprove how secure an environment was was to set up a web site on a
> workstation, enable basic auth only, write a little perl cgi script to write
> the creds sent to the website to a log file and throw up a website
> unavailable screen and then tell admins that I have a web site that doesn't
> seem to authenticate users properly could they try to logon to see if it is
> just my test IDs or a permission problem. I would say at least 50%-60% of
> the time the admins will go to the page and type in their creds. Alternately
> try to get an admin to log into a workstation I control. In far too many
> cases I think you will find admins are users too... :)

If you already own a machine with an FQDN and you can send email to people
as someone internal then it would be pretty hard to keep you out since
you're already somewhat trusted. You can't treat everyone inside
your network like criminals or you'll never get anything done. And if
you do have a criminal inside you should take it up with HR not IT.

But I can add an improved permutation to your dirty trick. Send out an
email with a link to your site but use NTLM SSO pass-through to create a
bogus account with a predefined password. If someone with domain admin
privs so much as stumbles across your site they will create the said
account and not even know they did it. No credentials necessary and no
SSO account necessary. Just a website with an FQDN.

There is one simple security setting that will thwart this attack
though. For bonus points, does anyone know what it is? :->

Mike

--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx



RE: [ActiveDir] Decode the msExchMailboxSecurityDescriptor attribute.

2007-01-08 Thread WATSON, BEN
Hi Yann,

 

I was reading this over the weekend, and perhaps this might provide enough 
relevant info for you to find what you are looking for.

 

http://blog.joeware.net/2007/01/06/756/

 

~Ben

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Monday, January 08, 2007 2:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Decode the msExchMailboxSecurityDescriptor attribute.

 

Hello,

 

I'd like to dump the msExchMailboxSecurityDescriptor attribute of a user object 
into readable format. It seems that the value is in binary blob format.

 

Is there a way to do this ?

 

Thanks,

 

Yann

 




[ActiveDir] Decode the msExchMailboxSecurityDescriptor attribute.

2007-01-08 Thread Yann
Hello,
   
I'd like to dump the msExchMailboxSecurityDescriptor attribute of a user 
object into readable format. It seems that the value is in binary blob format.

Is there a way to do this ?

Thanks,

Yann


Re: [ActiveDir] Risks of exposure of machine account passwords

2007-01-08 Thread Michael B Allen
On Mon, 8 Jan 2007 15:33:01 -0500
"joe" <[EMAIL PROTECTED]> wrote:

> A dirty trick I have used in the
> past to disprove how secure an environment was was to set up a web site on a
> workstation, enable basic auth only, write a little perl cgi script to write
> the creds sent to the website to a log file and throw up a website
> unavailable screen and then tell admins that I have a web site that doesn't
> seem to authenticate users properly could they try to logon to see if it is
> just my test IDs or a permission problem. I would say at least 50%-60% of
> the time the admins will go to the page and type in their creds. Alternately
> try to get an admin to log into a workstation I control. In far too many
> cases I think you will find admins are users too... :) 

If you already own a machine with an FQDN and you can send email to people
as someone internal then it would be pretty hard to keep you out since
you're already somewhat trusted. You can't treat everyone inside
your network like criminals or you'll never get anything done. And if
you do have a criminal inside you should take it up with HR not IT.

But I can add an improved permutation to your dirty trick. Send out an
email with a link to your site but use NTLM SSO pass-through to create a
bogus account with a predefined password. If someone with domain admin
privs so much as stumbles across your site they will create the said
account and not even know they did it. No credentials necessary and no
SSO account necessary. Just a website with an FQDN.

There is one simple security setting that will thwart this attack
though. For bonus points, does anyone know what it is? :->

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/


Re: [ActiveDir] Risks of exposure of machine account passwords

2007-01-08 Thread Michael B Allen
On Mon, 8 Jan 2007 10:39:17 -0800
"Mr Oteece" <[EMAIL PROTECTED]> wrote:

> What are the risks associated with the exposure of machine account passwords
> in Active Directory? Passwords are changed for machine accounts regularly,
> but they don't really expire and can get rather old. If an attacker has
> access to this password, what sort of access would he have to other systems
> on the network via Kerberos? i.e., would he be able to forge service tickets
> as other users and elevate his access elsewhere? The laxness of policy
> surrounding these accounts suggests that this is not a huge risk. Should we
> be more concerned with these old passwords?

Those passwords are long, random and changed automatically over a
schannel NETLOGON pipe. I don't know how they're stored by the client but
I think it's highly unlikely anyone would be able to actually extract
one or snoop it.

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/


Re: [ActiveDir] Risks of exposure of machine account passwords

2007-01-08 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Assuming you have LC3 still around... now you have to use other tools.

However, the cracking ease is dependent upon the lanman hash settings.  
If you have 98/NT, other alternative OSs and have to have lanman 
enabled, it's trivial if you are on the lan to crack the passwords 
using (and I forget the group that took LC3 and now have made it 
opensource) LC3's equivalent.


Ziots, Edward wrote:
Actually Machine password can be extracted from LC3 and higher, done 
it myself, and it seems that Windows Choice of Secure password with 
the DC's isn't that hard to crack. You can also use Ophcrack with 
rainbow tables, and cachedump or pwdump3e to get the computer account 
hash and crack that bugger simply.
 
I agree, it's gotta usually be an inside job to get it, and the computer 
account could prove less fruitful than a juicier user account with 
higher level access, but it's an interesting way to hack I suppose.
 
TY

Z
 


Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:[EMAIL PROTECTED]
cell:401-639-3505

 



*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *joe

*Sent:* Monday, January 08, 2007 3:33 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Risks of exposure of machine account passwords

If an attacker gets access to a machine account password they can 
connect to AD as that computer which is usually just normal user 
access rights. In fact, if you set up an auth as the computer and tap 
an ADAM instance and look at the RootDSE it will show you the groups 
you are a member of that are right for that context. For example:
 
>tokenGroups: TEST\TESTCMP$
>tokenGroups: TEST\Domain Computers
>tokenGroups: Everyone
>tokenGroups: BUILTIN\Users
>tokenGroups: NT AUTHORITY\NETWORK
>tokenGroups: NT AUTHORITY\Authenticated Users
>tokenGroups: NT AUTHORITY\This Organization
 
I don't think overall that computer accounts are any more risky than 
normal userids. On the flip side, I think it is silly to leave enabled 
machine accounts lying around for computers that you are relatively 
sure will never reconnect. That is why I wrote oldcmp and make it 
available to everyone.
 
The key part is as Al mentioned, how did they get that password? I 
don't recall seeing anything that will extract that from a machine and 
even so, I expect it is much easier and useful to target user 
passwords than computer passwords - primarily admin type users. A 
dirty trick I have used in the past to disprove how secure an 
environment was was to set up a web site on a workstation, enable 
basic auth only, write a little perl cgi script to write the creds 
sent to the website to a log file and throw up a website unavailable 
screen and then tell admins that I have a web site that doesn't seem 
to authenticate users properly could they try to logon to see if it is 
just my test IDs or a permission problem. I would say at least 50%-60% 
of the time the admins will go to the page and type in their creds. 
Alternately try to get an admin to log into a workstation I control. 
In far too many cases I think you will find admins are users too... :)
 
  joe
 
 
--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 
 
 



*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Mr Oteece

*Sent:* Monday, January 08, 2007 1:39 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] Risks of exposure of machine account passwords

What are the risks associated with the exposure of machine account 
passwords in Active Directory? Passwords are changed for machine 
accounts regularly, but they don't really expire and can get rather 
old. If an attacker has access to this password, what sort of access 
would he have to other systems on the network via Kerberos? i.e., 
would he be able to forge service tickets as other users and elevate 
his access elsewhere? The laxness of policy surrounding these accounts 
suggests that this is not a huge risk. Should we be more concerned 
with these old passwords?
 
Otis 


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



Re: [ActiveDir] Risks of exposure of machine account passwords

2007-01-08 Thread Al Mulnick

I'm not sure I could forge new tickets as an authenticated user, to be
honest.  I never really tried though I suspect that's more difficult than I
need to attempt because if I have that information, I already know enough
and have enough to mount a plausible attack.

In short, I never took it to the next step because that's more work than
needed.

As joe points out, you have authenticated user rights.  That's no different
than any other type of security account.

So your implied question, "Can I elevate my credentials if I have access to
your network as an authenticated user" is the one I think is relevant here.
I don't differentiate between a computer sec prin and a user sec prin.  They
are the same as far as I'm concerned and for the intents and purposes of
this conversation.

The short answer = I have a lot better chance of elevating my privs if I
have access to your network than if I don't, whether as a user or not. Just
because the user is an inanimate object doesn't make them any less/more of a
risk than a computer ;)

Al


On 1/8/07, Mr Oteece <[EMAIL PROTECTED]> wrote:


The question is whether having the machine account password and access to
that system gives you any ability to impersonate users or elevate your
access to other systems. Presumably, if you could get into the protected
store, you could compromise any locally cached tickets for other users to
specific services on remote systems. This is perhaps non-trivial on Windows
systems, but becomes a lot easier when you are root on a *nix system that is
using Kerberos against AD. Sticking just to Windows, could you conceivably
forge new tickets to remote  resources as an arbitrary user?  That would
be the rationale for attacking the computer account rather than a user
account. More bang for the buck.


On 1/8/07, Al Mulnick <[EMAIL PROTECTED]> wrote:
>
> I haven't tried it, but I would have assumed (I know, I know) that if
> somebody *could* gain the computer account password:
> 1) you have much bigger issues
> 2) they would have access to a machine.  See #1
> 3) they would have access to anything that authenticated users have
> access to. See #1
> 4) they know enough about your systems to mount a pretty good attack.
> See #1
>
> IIRC, machine accounts can get old for various but legitimate reasons.
> Consider a laptop that hasn't been back on your trusted network for over 30
> days.  It would have an old password, but it may be legitimate and may come
> back to your network in the next 60 and would be able to synchronize its
> password changes then.
>
> You really have to protect the source of the machine account password
> which is random and is not readily available.
>
> Do you have a way to get the machine account passwords? If so, why?  And
> if you have them, why don't you just go after the user passwords?
>
> On 1/8/07, Mr Oteece < [EMAIL PROTECTED]> wrote:
> >
> > What are the risks associated with the exposure of machine account
> > passwords in Active Directory? Passwords are changed for machine accounts
> > regularly, but they don't really expire and can get rather old. If an
> > attacker has access to this password, what sort of access would he have to
> > other systems on the network via Kerberos? i.e., would he be able to
> > forge service tickets as other users and elevate his access elsewhere? The
> > laxness of policy surrounding these accounts suggests that this is not a
> > huge risk. Should we be more concerned with these old passwords?
> >
> > Otis
> >
>
>



RE: [ActiveDir] Risks of exposure of machine account passwords

2007-01-08 Thread Ziots, Edward
Actually Machine password can be extracted from LC3 and higher, done it
myself, and it seems that Windows Choice of Secure password with the
DC's isn't that hard to crack. You can also use Ophcrack with rainbow
tables, and cachedump or pwdump3e to get the computer account hash and
crack that bugger simply. 
 
I agree, it's gotta usually be an inside job to get it, and the computer
account could prove less fruitful than a juicier user account with
higher level access, but it's an interesting way to hack I suppose. 
 
TY
Z
 

Edward E. Ziots 
Network Engineer 
Lifespan Organization 
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security + 
email:[EMAIL PROTECTED] 
cell:401-639-3505 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 08, 2007 3:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Risks of exposure of machine account passwords


If an attacker gets access to a machine account password they can
connect to AD as that computer which is usually just normal user access
rights. In fact, if you set up an auth as the computer and tap an ADAM
instance and look at the RootDSE it will show you the groups you are a
member of that are right for that context. For example:
 
>tokenGroups: TEST\TESTCMP$
>tokenGroups: TEST\Domain Computers
>tokenGroups: Everyone
>tokenGroups: BUILTIN\Users
>tokenGroups: NT AUTHORITY\NETWORK
>tokenGroups: NT AUTHORITY\Authenticated Users
>tokenGroups: NT AUTHORITY\This Organization
 
I don't think overall that computer accounts are any more risky than
normal userids. On the flip side, I think it is silly to leave enabled
machine accounts lying around for computers that you are relatively sure
will never reconnect. That is why I wrote oldcmp and make it available
to everyone. 
 
The key part is as Al mentioned, how did they get that password? I don't
recall seeing anything that will extract that from a machine and even
so, I expect it is much easier and useful to target user passwords than
computer passwords - primarily admin type users. A dirty trick I have
used in the past to disprove how secure an environment was was to set up
a web site on a workstation, enable basic auth only, write a little perl
cgi script to write the creds sent to the website to a log file and
throw up a website unavailable screen and then tell admins that I have a
web site that doesn't seem to authenticate users properly could they try
to logon to see if it is just my test IDs or a permission problem. I
would say at least 50%-60% of the time the admins will go to the page
and type in their creds. Alternately try to get an admin to log into a
workstation I control. In far too many cases I think you will find
admins are users too... :) 
 
  joe
 
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mr Oteece
Sent: Monday, January 08, 2007 1:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Risks of exposure of machine account passwords


What are the risks associated with the exposure of machine account
passwords in Active Directory? Passwords are changed for machine
accounts regularly, but they don't really expire and can get rather old.
If an attacker has access to this password, what sort of access would he
have to other systems on the network via Kerberos? i.e., would he be
able to forge service tickets as other users and elevate his access
elsewhere? The laxness of policy surrounding these accounts suggests
that this is not a huge risk. Should we be more concerned with these old
passwords? 
 
Otis 


RE: [ActiveDir] Risks of exposure of machine account passwords

2007-01-08 Thread joe
If an attacker gets access to a machine account password they can connect to
AD as that computer which is usually just normal user access rights. In
fact, if you set up an auth as the computer and tap an ADAM instance and
look at the RootDSE it will show you the groups you are a member of that are
right for that context. For example:
 
>tokenGroups: TEST\TESTCMP$
>tokenGroups: TEST\Domain Computers
>tokenGroups: Everyone
>tokenGroups: BUILTIN\Users
>tokenGroups: NT AUTHORITY\NETWORK
>tokenGroups: NT AUTHORITY\Authenticated Users
>tokenGroups: NT AUTHORITY\This Organization
 
I don't think overall that computer accounts are any more risky than normal
userids. On the flip side, I think it is silly to leave enabled machine
accounts lying around for computers that you are relatively sure will never
reconnect. That is why I wrote oldcmp and make it available to everyone. 
 
The key part is as Al mentioned, how did they get that password? I don't
recall seeing anything that will extract that from a machine and even so, I
expect it is much easier and useful to target user passwords than computer
passwords - primarily admin type users. A dirty trick I have used in the
past to disprove how secure an environment was was to set up a web site on a
workstation, enable basic auth only, write a little perl cgi script to write
the creds sent to the website to a log file and throw up a website
unavailable screen and then tell admins that I have a web site that doesn't
seem to authenticate users properly could they try to logon to see if it is
just my test IDs or a permission problem. I would say at least 50%-60% of
the time the admins will go to the page and type in their creds. Alternately
try to get an admin to log into a workstation I control. In far too many
cases I think you will find admins are users too... :) 
 
  joe
 
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mr Oteece
Sent: Monday, January 08, 2007 1:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Risks of exposure of machine account passwords


What are the risks associated with the exposure of machine account passwords
in Active Directory? Passwords are changed for machine accounts regularly,
but they don't really expire and can get rather old. If an attacker has
access to this password, what sort of access would he have to other systems
on the network via Kerberos? i.e., would he be able to forge service tickets
as other users and elevate his access elsewhere? The laxness of policy
surrounding these accounts suggests that this is not a huge risk. Should we
be more concerned with these old passwords? 
 
Otis 


Re: [ActiveDir] Moving ADC

2007-01-08 Thread AdamT

On 08/01/07, dinesh shinde <[EMAIL PROTECTED]> wrote:



Hello Can someone help me on the below issue?



I don't mean to come across as being awkward, but I found it difficult
to understand what it is you're trying to do.  Could you perhaps
rephrase it a little?

Regards,

--
AdamT
"A casual stroll through the lunatic asylum shows that faith does not
prove anything." - Nietzsche


Re: [ActiveDir] Roaming Profiles not updating

2007-01-08 Thread AdamT

On 08/01/07, Ernesto Nieto <[EMAIL PROTECTED]> wrote:


The users keep telling me that when they delete icons from their desktop,
the settings stay, but maybe a week or two later, all those desktop icons
that they deleted return.  What I can't pinpoint is the why the profile
doesn't update.  I think the old profile returns when the tablet is used.
The tablet PC is wireless too, which they take home.


Do they always use the same tablet PCs?  Or do they swap around a lot?

Is it possible that the wireless driver doesn't initialise until
after the user has logged on, and so by the time the device has an IP
address, a cached profile has already been loaded?

--
AdamT
"A casual stroll through the lunatic asylum shows that faith does not
prove anything." - Nietzsche


Re: [ActiveDir] Risks of exposure of machine account passwords

2007-01-08 Thread Mr Oteece

The question is whether having the machine account password and access to
that system gives you any ability to impersonate users or elevate your
access to other systems. Presumably, if you could get into the protected
store, you could compromise any locally cached tickets for other users to
specific services on remote systems. This is perhaps non-trivial on Windows
systems, but becomes a lot easier when you are root on a *nix system that is
using Kerberos against AD. Sticking just to Windows, could you conceivably
forge new tickets to remote  resources as an arbitrary user?  That would be
the rationale for attacking the computer account rather than a user account.
More bang for the buck.


On 1/8/07, Al Mulnick <[EMAIL PROTECTED]> wrote:


I haven't tried it, but I would have assumed (I know, I know) that if
somebody *could* gain the computer account password:
1) you have much bigger issues
2) they would have access to a machine.  See #1
3) they would have access to anything that authenticated users have access
to. See #1
4) they know enough about your systems to mount a pretty good attack. See
#1

IIRC, machine accounts can get old for various but legitimate reasons.
Consider a laptop that hasn't been back on your trusted network for over 30
days.  It would have an old password, but it may be legitimate and may come
back to your network in the next 60 and would be able to synchronize its
password changes then.

You really have to protect the source of the machine account password
which is random and is not readily available.

Do you have a way to get the machine account passwords? If so, why?  And
if you have them, why don't you just go after the user passwords?

On 1/8/07, Mr Oteece <[EMAIL PROTECTED]> wrote:
>
> What are the risks associated with the exposure of machine account
> passwords in Active Directory? Passwords are changed for machine accounts
> regularly, but they don't really expire and can get rather old. If an
> attacker has access to this password, what sort of access would he have to
> other systems on the network via Kerberos? i.e., would he be able to
> forge service tickets as other users and elevate his access elsewhere? The
> laxness of policy surrounding these accounts suggests that this is not a
> huge risk. Should we be more concerned with these old passwords?
>
> Otis
>




Re: [ActiveDir] Risks of exposure of machine account passwords

2007-01-08 Thread Al Mulnick

I haven't tried it, but I would have assumed (I know, I know) that if
somebody *could* gain the computer account password:
1) you have much bigger issues
2) they would have access to a machine.  See #1
3) they would have access to anything that authenticated users have access
to. See #1
4) they know enough about your systems to mount a pretty good attack. See #1

IIRC, machine accounts can get old for various but legitimate reasons.
Consider a laptop that hasn't been back on your trusted network for over 30
days.  It would have an old password, but it may be legitimate and may come
back to your network in the next 60 and would be able to synchronize its
password changes then.

You really have to protect the source of the machine account password which
is random and is not readily available.

Do you have a way to get the machine account passwords? If so, why?  And if
you have them, why don't you just go after the user passwords?

On 1/8/07, Mr Oteece <[EMAIL PROTECTED]> wrote:


What are the risks associated with the exposure of machine account
passwords in Active Directory? Passwords are changed for machine accounts
regularly, but they don't really expire and can get rather old. If an
attacker has access to this password, what sort of access would he have to
other systems on the network via Kerberos? i.e., would he be able to forge
service tickets as other users and elevate his access elsewhere? The laxness
of policy surrounding these accounts suggests that this is not a huge risk.
Should we be more concerned with these old passwords?

Otis


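The stale-account clean-up joe and Al describe (oldcmp, laptops that stay away for weeks), as an added example that is not oldcmp or any code posted in the thread: it reads pwdLastSet as a raw Windows FILETIME integer and lists enabled computer accounts whose password is older than a chosen age. The LDAP-export shape, the sample entries and the fixed "now" are constructed assumptions.

```python
"""Flag enabled computer accounts whose machine password has gone stale.

Added example, not oldcmp or any code from the list. It assumes an LDAP
export in which pwdLastSet is the raw Windows FILETIME integer and
userAccountControl is an integer; the sample entries are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# userAccountControl bits (real flag values).
ACCOUNTDISABLE = 0x0002
WORKSTATION_TRUST_ACCOUNT = 0x1000

# Fixed "now" so the constructed sample below is reproducible.
NOW = datetime(2007, 1, 8, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Convert a FILETIME integer to an aware datetime; 0 means never set."""
    if ft <= 0:
        return None
    # Integer division drops the sub-microsecond part of the tick count.
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    micros = (dt - FILETIME_EPOCH) // timedelta(microseconds=1)
    return micros * 10


def stale_computers(entries: List[Dict], max_age_days: int,
                    now: datetime = NOW) -> List[str]:
    """Return sAMAccountNames of enabled computers whose password is older
    than max_age_days or was never set. Accounts that are already disabled
    are skipped because there is nothing left to do for them."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for entry in entries:
        if entry["userAccountControl"] & ACCOUNTDISABLE:
            continue
        last_set = filetime_to_datetime(entry["pwdLastSet"])
        if last_set is None or last_set < cutoff:
            stale.append(entry["sAMAccountName"])
    return stale


# Constructed sample export: a laptop that has been away 100 days, a
# workstation that rotated its password 10 days ago, a box that is already
# disabled, and an account whose password was never set.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "OLDLAPTOP$",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=100))},
    {"sAMAccountName": "WKS01$",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=10))},
    {"sAMAccountName": "DEADBOX$",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | ACCOUNTDISABLE,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400))},
    {"sAMAccountName": "NEVERSET$",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "pwdLastSet": 0},
]

if __name__ == "__main__":
    # 90 days is three rotations at the default 30-day machine password
    # interval; review and disable the hits rather than deleting outright,
    # since a laptop that has been off the network may still come back.
    for name in stale_computers(SAMPLE_ENTRIES, 90):
        print("stale:", name)
```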

[ActiveDir] Risks of exposure of machine account passwords

2007-01-08 Thread Mr Oteece

What are the risks associated with the exposure of machine account passwords
in Active Directory? Passwords are changed for machine accounts regularly,
but they don't really expire and can get rather old. If an attacker has
access to this password, what sort of access would he have to other systems
on the network via Kerberos? i.e., would he be able to forge service tickets
as other users and elevate his access elsewhere? The laxness of policy
surrounding these accounts suggests that this is not a huge risk. Should we
be more concerned with these old passwords?

Otis


RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)

2007-01-08 Thread Javier Jarava
Hi, Neil!!

That's another thing I'll have to look into :) I am aware that it's possible
to do DHCP-proxy to pass along the DHCP requests to the proper servers.
That's something that will have to be done, as the client's network is split
in different VLAN segments, and in multiple locations/sites, and they'd like
to have a reduced number of DHCP servers.

But, useful and necessary as it is, this won't prevent a rogue/malicious
DHCP server on the same LAN segment from playing havoc with the systems.

Thanks for the heads-up though.

Javier Jarava

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, 08 January 2007 14:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP
servers? (or how do you find it?)

In addition to the below, routers can be configured to only forward
BOOTP packets to/from 'authorised' DHCP servers.

neil


___ 
Neil Ruston 
Global Technology Infrastructure 
Nomura International plc 
Telephone: +44 (0) 20 7521 3481 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: 08 January 2007 13:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP
servers? (or how do you find it?)

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
> Sent: 08 January 2007 12:20
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP 
> servers? (or how do you find it?)
> 
> Hi all!
> 
> Just wondering, is there a way to "prevent" a rogue DCHP server from 
> playing havoc with a network?
> 
> I have been digging into "dhcp security" but I haven't really found 
> anything that makes it possible to auth. a DHCP server, so that the 
> clients don't fall for a rogue one.
> 
> From what I've seen, the approach MS follows is that IF your DHCP 
> server is Windows-based, you have to "auth" it on the Domain. That prevents the 
> AD/infrastructure admins from shooting themselves on the foot by 
> having too many/improperly configured servers.. But that won't stop a 
> rogue VM from being a nuisance...
> 
> I've found this problem in one of our customers sites. They use static
> IP addressing, but we were setting up a few of their computers with a 
> different sw load and configuration, and they wanted to use DHCP to 
> make config changes more dynamic. When running on an isolated network
> segment, all was fine, but once we moved "into" their network (to do a
> pilot test) we found a DHCP server serving a range outside their own, 
> and really messing things up.

You could try using DHCP classid. If you set it on your clients when you
build them they will ignore anything with the "wrong" classid. I think
you can also control via group policy.


> What's more, nmap'ing the server, it had a VMWARE-owned MAC and no 
> open ports whatsoever (tcp/udp), at least that I could find. Strange 
> ;)
>

Probably an XP system with the firewall on. A real pain to manage
 
> We managed to overcome the issue because the software load included 
> an IP filtering component, so we decided to block
> UDP/67 and UDP/68 traffic from all IP addresses and only allow it for 
> 255.255.255.255 and the IP address of the servers we were going to 
> use... But using a whitelist is a bit of a PITA, so I was wondering if
> there was some other "cleaner" way to do it..
> 
> Thanks a lot in advance
> 
>   Javier J
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
> 
> 


**
This email, and any files transmitted with it, is confidential and
intended solely for the use of the individual or entity to whom they are
addressed. As a public body, the Council may be required to disclose
this email,  or any response to it,  under the Freedom of Information
Act 2000, unless the information in it is covered by one of the
exemptions in the Act. 

If you receive this email in error please notify Stockport e-Services
via [EMAIL PROTECTED] and then permanently remove it from
your system. 

Thank you.

http://www.stockport.gov.uk
**




PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method 

RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)

2007-01-08 Thread Javier Jarava
Hi!

Thanks for the tips on using classid. Unfortunately, I'm not that sure if
that'd work...

From what I've been able to read / see about DHCP ClassID, it's not really
meant as a way to filter/select a DHCP server or to avoid getting a response
from a "wrong" server, but more as a way for a server to filter/refine the
results that the server sends back to the client. In this case, it's not
really a case of "get the proper options" but rather of "not talk to the
wrong server".. Of course, I might be wrong (and in this case, I'd really
love to be proven wrong ;) But from what I've seen at:
http://technet2.microsoft.com/WindowsServer/en/library/13cbcfbd-2d9d-40fd-8b54-5c8090924eb21033.mspx?mfr=true
the classes are to be able to provide
specialized/extra info to clients.

I've done a bit of testing: I've set up one VM (XP SP2) with a (user)
classid on its lan, and a W2003 DHCP VM Server with different options
depending on the ClassID. The behaviour is as expected: the system gets
different options (DNS servers, etc) depending on the classid.

After that, I've turned off the DHCP server and started the VMware DHCP
Service (where no classid or other options have been set). I've done a
release/refresh on the network card, and I get an IP address from the
"wrong" DHCP server (the desired behaviour is, if no "good" DHCP servers are
listening, then the client should get no IP address). Maybe the client will
be able to reject the offer from the wrong DHCP server when it (also) gets
an offer from the proper DHCP server that is "branded" with the ClassID, but
although somewhat useful that's not what I'm after...

Maybe someone more familiar with DHCP than myself might correct me if my
understanding of classid is wrong?

Thanks a lot in advance.

Javier Jarava


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Monday, 08 January 2007 14:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP
servers? (or how do you find it?)

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
> Sent: 08 January 2007 12:20
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Likely OT: :) Managing/preventing 
> "rogue" DHCP servers? (or how do you find it?)
> 
> Hi all!
> 
> Just wondering, is there a way to "prevent" a rogue DHCP 
> server from playing havoc with a network?
> 
> I have been digging into "dhcp security" but I haven't really 
> found anything that makes it possible to auth. a DHCP server, 
> so that the clients don't fall for a rogue one.
> 
> From what I've seen, the approach MS follows is that IF your DHCP server is
> Windows-based, you have to "auth" it on the Domain. That 
> prevents the AD/infrastructure admins from shooting 
> themselves in the foot by having too many/improperly 
> configured servers.. But that won't stop a rogue VM from 
> being a nuisance...
> 
> I've found this problem in one of our customers' sites. They 
> use static IP addressing, but we were setting up a few of 
> their computers with a different sw load and configuration, 
> and they wanted to use DHCP to make config changes more 
> dynamic. When running on an isolated network segment, all 
> was fine, but once we moved "into" their network (to do a 
> pilot test) we found a DHCP server serving a range outside 
> their own, and really messing things up.

You could try using DHCP classid. If you set it on your clients when you
build them they will ignore anything with the "wrong" classid. I think
you can also control via group policy.


> What's more, nmap'ing the server, it had a VMWARE-owned MAC 
> and no open ports whatsoever (tcp/udp), at least that I could 
> find. Strange ;)
>

Probably an XP system with the firewall on. A real pain to manage
 
> We managed to overcome the issue because the software load 
> included an IP filtering component, so we decided to block 
> UDP/67 and UDP/68 traffic from all IP addresses and only 
> allow it for 255.255.255.255 and the IP address of the 
> servers we were going to use... But using a whitelist is a 
> bit of a PITA, so I was wondering if there was some other 
> "cleaner" way to do it..
> 
> Thanks a lot in advance
> 
>   Javier J
> 
> 
> 



RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)

2007-01-08 Thread Javier Jarava
Thanks a lot for the info. Will look into that carefully ;)

Javier J 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of James (njan)
Eaton-Lee
Sent: Monday, 08 January 2007 16:55
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP
servers? (or how do you find it?)

Javier Jarava wrote:
> Hi all!
> 
> Just wondering, is there a way to "prevent" a rogue DHCP server from playing
> havoc with a network?
> 
> I have been digging into "dhcp security" but I haven't really found anything
> that makes it possible to auth. a DHCP server, so that the clients don't
> fall for a rogue one.

I wrote a paper on this (and put the slides for a presentation I did on 
it online). At the time (and still, apart from what I've stuck online), 
there doesn't seem to be any definitive guide to why DHCP is insecure 
and what one might do to improve it. It's not totally exhaustive, but I 
think it's reasonable:

http://www.jeremiad.org/download.shtml

Hope that helps! Feedback welcome, if anyone reads it ;)

  - James.

-- 
   James (njan) Eaton-Lee | UIN: 10807960 | http://www.jeremiad.org

   "The universe is run by the complex interweaving of three
   elements: Energy, matter, and enlightened self-interest." - G'Kar

  https://www.bsrf.org.uk | ca: https://www.cacert.org/index.php?id=3
-- 



RE: [ActiveDir] Roaming Profiles not updating

2007-01-08 Thread Dave Wade
Check the event log to see why the profile does not unload. On our
machines something keeps the registry open. Installing this fix seems to
cure it for us...

http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en

Dave.

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Ernesto Nieto
> Sent: 08 January 2007 15:13
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Roaming Profiles not updating
> 
> I'm having some problems with roaming profiles.
> I have several users that use 3 different computers.
> 1 is a tablet PC, and two are workstations, and sometimes the 
> OS on the workstation can be XP or win2k.
> 
> The users keep telling me that when they delete icons from 
> their desktop, the settings stay, but maybe a week or two 
> later, all those desktop icons that they deleted return.  
> What I can't pinpoint is the why the profile doesn't update.  
> I think the old profile returns when the tablet is used.
> The tablet PC is wireless too, which they take home.
> 
> Any ideas?
> 
> Ernesto
> 
> 
> 
> 





RE: [ActiveDir] Roaming Profiles not updating

2007-01-08 Thread Ziots, Edward
UPH is your friend, it rocks, especially in a TSE environment, but can
work for roaming profiles also. 

Z 


Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:[EMAIL PROTECTED]
cell:401-639-3505

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, January 08, 2007 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Roaming Profiles not updating

Ernesto-
Profiles are notorious for not completely unloading at logoff (i.e.
resource handles "leak" and remain open). As a result, the profile is
unable to copy up to the central server and therefore the server version
doesn't get updated. If that is the problem here, then you can get a
hold of the User Profile Hive Cleanup service on the MS download site,
and install it on the Tablet PC if you think that is the issue. Also,
keep in mind that user profiles don't get written up to the roaming
profile until a user logs off.
So if a user stays logged onto a machine where they deleted those icons,
and then went to another machine without logging off of the first, and
made some changes, then logged off--that second machine would write up
the profile with the icons intact. Then, going back to the first machine
would of course result in the icons not being there. 

Darren



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ernesto Nieto
Sent: Monday, January 08, 2007 7:13 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Roaming Profiles not updating

I'm having some problems with roaming profiles.
I have several users that use 3 different computers.
1 is a tablet PC, and two are workstations, and sometimes the OS on the
workstation can be XP or win2k.

The users keep telling me that when they delete icons from their
desktop, the settings stay, but maybe a week or two later, all those
desktop icons that they deleted return.  What I can't pinpoint is the
why the profile doesn't update.  I think the old profile returns when
the tablet is used.
The tablet PC is wireless too, which they take home.

Any ideas?

Ernesto




Re: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)

2007-01-08 Thread James (njan) Eaton-Lee

Javier Jarava wrote:

Hi all!

Just wondering, is there a way to "prevent" a rogue DHCP server from playing
havoc with a network?

I have been digging into "dhcp security" but I haven't really found anything
that makes it possible to auth. a DHCP server, so that the clients don't
fall for a rogue one.


I wrote a paper on this (and put the slides for a presentation I did on 
it online). At the time (and still, apart from what I've stuck online), 
there doesn't seem to be any definitive guide to why DHCP is insecure 
and what one might do to improve it. It's not totally exhaustive, but I 
think it's reasonable:


http://www.jeremiad.org/download.shtml

Hope that helps! Feedback welcome, if anyone reads it ;)

 - James.

--
  James (njan) Eaton-Lee | UIN: 10807960 | http://www.jeremiad.org

  "The universe is run by the complex interweaving of three
  elements: Energy, matter, and enlightened self-interest." - G'Kar

 https://www.bsrf.org.uk | ca: https://www.cacert.org/index.php?id=3
--




RE: [ActiveDir] Roaming Profiles not updating

2007-01-08 Thread Darren Mar-Elia
Ernesto-
Profiles are notorious for not completely unloading at logoff (i.e. resource
handles "leak" and remain open). As a result, the profile is unable to copy
up to the central server and therefore the server version doesn't get
updated. If that is the problem here, then you can get a hold of the User
Profile Hive Cleanup service on the MS download site, and install it on the
Tablet PC if you think that is the issue. Also, keep in mind that user
profiles don't get written up to the roaming profile until a user logs off.
So if a user stays logged onto a machine where they deleted those icons, and
then went to another machine without logging off of the first, and made some
changes, then logged off--that second machine would write up the profile
with the icons intact. Then, going back to the first machine would of course
result in the icons not being there. 

Darren



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ernesto Nieto
Sent: Monday, January 08, 2007 7:13 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Roaming Profiles not updating

I'm having some problems with roaming profiles.
I have several users that use 3 different computers.
1 is a tablet PC, and two are workstations, and sometimes the OS on the
workstation can be XP or win2k.

The users keep telling me that when they delete icons from their desktop,
the settings stay, but maybe a week or two later, all those desktop icons
that they deleted return.  What I can't pinpoint is the why the profile
doesn't update.  I think the old profile returns when the tablet is used.
The tablet PC is wireless too, which they take home.

Any ideas?

Ernesto




[ActiveDir] Roaming Profiles not updating

2007-01-08 Thread Ernesto Nieto
I'm having some problems with roaming profiles.
I have several users that use 3 different computers.
1 is a tablet PC, and two are workstations, and sometimes the OS on the
workstation can be XP or win2k.

The users keep telling me that when they delete icons from their desktop,
the settings stay, but maybe a week or two later, all those desktop icons
that they deleted return.  What I can't pinpoint is the why the profile
doesn't update.  I think the old profile returns when the tablet is used.
The tablet PC is wireless too, which they take home.

Any ideas?

Ernesto




RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)

2007-01-08 Thread Javier Jarava
Hi!

Thanks for the answer. The issue is/was, the client has a pretty big network
and they don't have layer 1 access control in place. They DO have their
network segmented using VLANs, at least on their HQ, where the testing was
taking place.

So we "knew" the rogue server was "close" to where we were testing: in the
same VLAN. But that VLAN includes everybody from their IT dept (and they're
a BIG client, with over 50,000 users in several hundreds, if not thousands,
of locations, so they have a big IT dept).

Another issue (not sure if it's relevant) is that the MAC address of the
rogue server suggested that the server was in fact a VMware VM... So if the
host computer has a "valid" network port on the switch, I guess that any of
the VMs that use the same physical network card would be allowed to connect
to the network.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DCRI) [E]
Sent: Monday, 08 January 2007 13:46
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP
servers? (or how do you find it?)

Best I have seen is to control physical access to your network at layer
1.

Things to include, don't activate ports until the device is provisioned.
You might try a network monitor configured to listen for unauthorized
offers from servers.  The solution you posted below is pretty slick as
well.

It all depends on how secure your client wants their network to be ...
and how usable.

Todd  

-Original Message-
From: Javier Jarava [mailto:[EMAIL PROTECTED] 
Sent: Monday, January 08, 2007 7:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP
servers? (or how do you find it?)

Hi all!

Just wondering, is there a way to "prevent" a rogue DHCP server from
playing havoc with a network?

I have been digging into "dhcp security" but I haven't really found
anything that makes it possible to auth. a DHCP server, so that the clients
don't fall for a rogue one.

From what I've seen, the approach MS follows is that IF your DHCP
server is Windows-based, you have to "auth" it on the Domain. That prevents
the AD/infrastructure admins from shooting themselves in the foot by having
too many/improperly configured servers.. But that won't stop a rogue VM from
being a nuisance...

I've found this problem in one of our customers' sites. They use static
IP addressing, but we were setting up a few of their computers with a
different sw load and configuration, and they wanted to use DHCP to make
config changes more dynamic. When running on an isolated network segment,
all was fine, but once we moved "into" their network (to do a pilot test)
we found a DHCP server serving a range outside their own, and really messing
things up.
What's more, nmap'ing the server, it had a VMWARE-owned MAC and no open
ports whatsoever (tcp/udp), at least that I could find. Strange ;)

We managed to overcome the issue because the software load included an
IP filtering component, so we decided to block UDP/67 and UDP/68 traffic
from all IP addresses and only allow it for 255.255.255.255 and the IP
address of the servers we were going to use... But using a whitelist is a
bit of a PITA, so I was wondering if there was some other "cleaner" way to
do it..

Thanks a lot in advance

Javier J

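The "network monitor configured to listen for unauthorized offers" that Todd suggests, combined with the lesson from Javier's classid test that a client takes whatever offer arrives first, as an added example in Python (not code from the thread): it parses DHCP server replies and flags any whose server identifier (option 54) is not on an allowlist of the site's real servers. The packets, the allowlist and every address in it are constructed for the example; feeding it real UDP/67-68 captures is left to the caller.

```python
"""Flag DHCP OFFER/ACK/NAK messages from servers that are not on an allowlist.

Added example, not code from the mailing-list thread. Minimal RFC 2131/2132
parser; the sample packets below are constructed, not captured.
"""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"       # RFC 2132 magic cookie after the 236-byte header
BOOTREPLY = 2
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SERVER_MSGS = {2, 5, 6}                # message types only a server should send


def parse_dhcp(payload):
    """Parse the UDP payload of a DHCP message into (fields, options)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    addrs = [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in (12, 16, 20, 24)]
    fields = {
        "op": op, "xid": xid,
        "ciaddr": addrs[0], "yiaddr": addrs[1], "siaddr": addrs[2], "giaddr": addrs[3],
        "chaddr": ":".join(f"{b:02x}" for b in payload[28:28 + hlen]),
    }
    options, i = {}, 240
    while i < len(payload):            # TLV options: code, length, value
        code = payload[i]
        if code == 255:                # END
            break
        if code == 0:                  # PAD
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return fields, options


def check_server_message(payload, allowed_servers):
    """Return an alert dict when a server-sent message names a server that is
    not on the allowlist, else None. Client messages are ignored: the user or
    vendor class a client sends does not stop it from accepting a rogue offer,
    so the server identity is the thing worth watching."""
    fields, opts = parse_dhcp(payload)
    mtype = opts.get(53, b"\x00")[0]
    if fields["op"] != BOOTREPLY or mtype not in SERVER_MSGS:
        return None
    sid = opts.get(54)                 # server identifier: mandatory in OFFER/ACK/NAK
    server = str(ipaddress.IPv4Address(sid)) if sid and len(sid) == 4 else None
    if server in allowed_servers:
        return None
    return {
        "type": MSG_TYPES.get(mtype, str(mtype)),
        "server": server or "<missing option 54>",
        "offered": fields["yiaddr"],
        "client_mac": fields["chaddr"],
        "xid": fields["xid"],
    }


def audit(payloads, allowed_servers):
    """Run the check over a batch of UDP/67-68 payloads; returns the alerts."""
    alerts = []
    for p in payloads:
        try:
            alert = check_server_message(p, allowed_servers)
        except ValueError:
            continue                   # non-DHCP noise on the port
        if alert:
            alerts.append(alert)
    return alerts


def _packed(ip_str):
    return ipaddress.IPv4Address(ip_str).packed


def build_reply(msg_type, xid, yiaddr, server_id, client_mac=b"\x00\x11\x22\x33\x44\x55"):
    """Construct a minimal BOOTREPLY for offline testing (not a real capture)."""
    hdr = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, xid, 0, 0)
    hdr += bytes(4) + _packed(yiaddr) + _packed(server_id) + bytes(4)   # ciaddr..giaddr
    hdr += client_mac + bytes(10) + bytes(64) + bytes(128)              # chaddr, sname, file
    opts = bytes([53, 1, msg_type, 54, 4]) + _packed(server_id)
    opts += bytes([51, 4]) + struct.pack("!I", 86400) + b"\xff"         # lease time, END
    return hdr + DHCP_MAGIC + opts


# Constructed sample traffic: one offer from the site's real server and one
# from a rogue on the same VLAN handing out a range outside the site's own.
ALLOWED = {"10.0.0.1"}
SAMPLE = [
    build_reply(2, 0x1234, "10.0.0.50", "10.0.0.1"),
    build_reply(2, 0x1234, "192.168.77.20", "192.168.77.1"),
]

if __name__ == "__main__":
    for alert in audit(SAMPLE, ALLOWED):
        print("ROGUE DHCP", alert)
```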


Re: [ActiveDir] WSUS 3.0 beta 2

2007-01-08 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
There is a WSUS beta newsgroup specifically for such questions. .. and 
BTW it's just about to shut down as they are nearing RC and I'm 
assuming that as this is a beta you've installed this in a test network 
only?


Haritwal, Dhiraj wrote:


Hi,

Does anyone know about WSUS 3.0 beta 2... Actually I had installed it 
& am facing some problem. So can anybody help me?


Dhiraj Haritwal



This email is confidential and intended only for the use of the 
individual or entity named above and may contain information that is 
privileged. If you are not the intended recipient, you are notified 
that any dissemination, distribution or copying of this email is 
strictly prohibited. If you have received this email in error, please 
notify us immediately by return email or telephone and destroy the 
original message. - This mail is sent via Sony Asia Pacific Mail Gateway.





RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.

2007-01-08 Thread joe
Oh great, like the water needed to be any muddier... 

Thanks Lee, I hadn't seen this yet. I will have to look into it. Something
that makes Exchange even more "special". Have I complained recently on how
much I dislike the Exchange permissioning model. ;o)  


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee Flight
Sent: Monday, January 08, 2007 8:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.


One example that I would highlight that can muddy the water in 
attempting to track resolvable SIDs is that the SID might be from an 
Authority that does not resolve by a native Windows mechanism/API, e.g. an 
SD that contains a SID from the SECURITY_RESOURCE_MANAGER_AUTHORITY
(S-1-9-etc). I had not seen an example of this until a few months ago
when I noticed such a SID appearing in DSACLS output in an Exchange 2007
deployment[1].

Lee Flight

[1]
See Table 3 in 
http://technet.microsoft.com/en-us/library/315d9c42-1ab4-4ef4-9292-12cdcb9c98cf.aspx



On Sun, 7 Jan 2007, joe wrote:

> Because as mentioned in my post, this is a very difficult and complex task
> given the current security infrastructure. There is nothing maintaining
> backlinks into where specific SIDs are used for ACLing. Even so, as Wook and
> Deji and I all mentioned, there are times where something could have a SID
> in an ACL and be perfectly valid but some sort of burb or in progress issue
> causes the SID to be temporarily unavailable. This kind of thing happens
> pretty regularly and people don't tend to catch it because MSFT,
> intelligently, didn't go through and scrub the ACLs when this occurred. If
> they did, people would be posting all of the time how some group or user or
> other security principal lost access to something or in the case of DENY
> ACEs all of a sudden had access to something. It is a very fine line between
> being helpful and being destructive.
>
> In order to implement this so it was effective and efficient I would
> visualize something that would have to track ALL uses of SIDs (not just file
> system or AD) with a backlink table and would somehow get notifications when
> a security principal was truly deleted and it was intended to be so and
> wouldn't be coming back (i.e. someone didn't pull a whoops). The first is
> extremely involved but likely possible from a technical standpoint though it
> would cause bloat somewhere where that info is stored. The second is near
> impossible, IMO, because it involves people not screwing up and I don't
> expect to see that day happen.
>
> A couple of other items to think about, you have more than ACEs that have
> the SIDs in a security descriptor, you also have the owner and the group.
> You don't just want to zap the old value out, you want something there, what
> do you put there? Administrators? LocalSystem? What? Now what if you want to
> go clean all those up and reassign them to someone else? You are in the same
> place you were when you had the old missing user/group object.
>
> I have posted this before (slightly different because then it included DNs),
> but here is a portion of the list of objects that can have SIDs
> embedded:
>
> 1. Windows Security Descriptors - this includes any kernel securable objects
> that can accept a security descriptor as well as many other objects that
> have "customized" ACL-like definitions like the customSD for event logs. A
> partial list of the "official" securable objects off the top of my head:
>
> O Active Directory Objects
> O SAM Objects (users and groups on member machines)
> O File System Objects (files/directories)
> O Threads/Processes
> O Synchronization objects (mutexes, events, semaphores, timers)
> O Job Objects
> O Network shares
> O Printers
> O Services
> O As of 2003 SP1 the Service Control Manager itself
> O Registry keys
> O Windows Desktops and Windows Stations
> O Access tokens
> O File Mapping objects
> O Pipes (named or anonymous)
>
> Basically anything that allows you to pass in a SECURITY_ATTRIBUTES
> structure when creating the object plus more
>
> 2. Microsoft supplied Windows based applications. This includes things like
> ADAM, SQL Server, Exchange, SharePoint, etc etc etc ad nauseam.
>
> 3. Third party applications that run on Windows and were written "properly"
> to take advantage of Windows security. This list could be long and wide,
> there are hundreds of thousands of Windows applications out there.
>
> 4. Third party applications that run on Windows and were written incorrectly
> to take advantage of Windows security. These apps don't use Windows security
> descriptors, they use custom security structures that are based on Windows
> Security Descriptors or are completely different but rely on SIDs. An
> example here would be how the event log security stuff was implemented in K3
> which uses a basic
RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.

2007-01-08 Thread Lee Flight


One example that I would highlight that can muddy the water in 
attempting to track resolvable SIDs is that the SID might be from an 
Authority that does not resolve by a native Windows mechanism/API, e.g. an 
SD that contains a SID from the SECURITY_RESOURCE_MANAGER_AUTHORITY
(S-1-9-etc). I had not seen an example of this until a few months ago
when I noticed such a SID appearing in DSACLS output in an Exchange 2007
deployment[1].

Lee Flight

[1]
See Table 3 in 
http://technet.microsoft.com/en-us/library/315d9c42-1ab4-4ef4-9292-12cdcb9c98cf.aspx




On Sun, 7 Jan 2007, joe wrote:


Because as mentioned in my post, this is a very difficult and complex task
given the current security infrastructure. There is nothing maintaining
backlinks into where specific SIDs are used for ACLing. Even so, as Wook and
Deji and I all mentioned, there are times where something could have a SID
in an ACL and be perfectly valid but some sort of burb or in progress issue
causes the SID to be temporarily unavailable. This kind of thing happens
pretty regularly and people don't tend to catch it because MSFT,
intelligently, didn't go through and scrub the ACLs when this occurred. If
they did, people would be posting all of the time how some group or user or
other security principal lost access to something or in the case of DENY
ACEs all of a sudden had access to something. It is a very fine line between
being helpful and being destructive.

In order to implement this so it was effective and efficient I would
visualize something that would have to track ALL uses of SIDs (not just file
system or AD) with a backlink table and would somehow get notifications when
a security principal was truly deleted and it was intended to be so and
wouldn't be coming back (i.e. someone didn't pull a whoops). The first is
extremely involved but likely possible from a technical standpoint though it
would cause bloat somewhere where that info is stored. The second is near
impossible, IMO, because it involves people not screwing up and I don't
expect to see that day happen.

A couple of other items to think about, you have more than ACEs that have
the SIDs in a security descriptor, you also have the owner and the group.
You don't just want to zap the old value out, you want something there, what
do you put there? Administrators? LocalSystem? What? Now what if you want to
go clean all those up and reassign them to someone else? You are in the same
place you were when you had the old missing user/group object.

I have posted this before (slightly different because then it included DNs),
but here is a portion of the list of objects that can have SIDs
embedded:

1. Windows Security Descriptors - this includes any kernel securable objects
that can accept a security descriptor as well as many other objects that
have "customized" ACL-like definitions like the customSD for event logs. A
partial list of the "official" securable objects off the top of my head:

O Active Directory Objects
O SAM Objects (users and groups on member machines)
O File System Objects (files/directories)
O Threads/Processes
O Synchronization objects (mutexes, events, semaphores, timers)
O Job Objects
O Network shares
O Printers
O Services
O As of 2003 SP1 the Service Control Manager itself
O Registry keys
O Windows Desktops and Windows Stations
O Access tokens
O File Mapping objects
O Pipes (named or anonymous)

Basically anything that allows you to pass in a SECURITY_ATTRIBUTES
structure when creating the object plus more

2. Microsoft supplied Windows based applications. This includes things like
ADAM, SQL Server, Exchange, SharePoint, etc etc etc ad nauseam.

3. Third party applications that run on Windows and were written "properly"
to take advantage of Windows security. This list could be long and wide,
there are hundreds of thousands of Windows applications out there.

4. Third party applications that run on Windows and were written incorrectly
to take advantage of Windows security. These apps don't use Windows security
descriptors, they use custom security structures that are based on Windows
Security Descriptors or are completely different but rely on SIDs. An
example here would be how the event log security stuff was implemented in K3
which uses a basic Windows Security Descriptor SDDL format type that isn't
quite "standard".

5. Ditto #4 but running on non-Windows platforms.

6. Applications that use the groups for something other than security but
still use the SID for identification purposes to avoid rename issues. For
instance an IM app that uses groups for contact lists or an email app using
groups for mail distribution.

Numbers 3-6 are exceptionally hard to trace because in all but limited
cases, it is pretty much guaranteed no well-known, well-used interface is
available to enumerate this info. You are completely dependent on how well
you understand your environment and how well you know the underpinnings of
what is running in that environment.

7. Any attr
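
The customSD strings in point 4 are plain SDDL, and before retiring a group it helps to know which slots of a descriptor (owner, group, each ACE) embed its SID. The following is an added example, not code from this thread or from Microsoft: a small SDDL parser that resolves the two-letter aliases and reports where a given SID appears. The alias table is a subset of the documented one, and the sample descriptor (including its S-1-5-21-... domain SID) is constructed.

```python
import re

# Two-letter SDDL aliases for well-known SIDs (subset of the documented table;
# domain-relative aliases such as DA need the domain SID and are left out).
SDDL_ALIASES = {
    "BA": "S-1-5-32-544", "BU": "S-1-5-32-545", "BG": "S-1-5-32-546",
    "SO": "S-1-5-32-549", "SY": "S-1-5-18", "LS": "S-1-5-19", "NS": "S-1-5-20",
    "AN": "S-1-5-7", "AU": "S-1-5-11", "IU": "S-1-5-4", "SU": "S-1-5-6", "WD": "S-1-1-0",
}
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")
ACE_RE = re.compile(r"\(([^()]*)\)")


def resolve_sid(token):
    """Turn an SDDL account token (alias or literal SID) into a literal SID."""
    token = token.strip()
    if token in SDDL_ALIASES:
        return SDDL_ALIASES[token]
    if SID_RE.fullmatch(token):
        return token
    raise ValueError(f"unrecognised SDDL account token: {token!r}")


def parse_sddl(sddl):
    """Split the O:/G:/D:/S: sections; each ACE becomes a dict with a resolved SID.
    Conditional (callback) ACEs, which carry a seventh field, are rejected."""
    sd = {"owner": None, "group": None, "dacl": [], "sacl": []}
    # A colon only ever introduces a section, so splitting on "<letter>:" is safe.
    tokens = re.split(r"([OGDS]):", sddl.strip())
    for key, body in zip(tokens[1::2], tokens[2::2]):
        if key in ("O", "G"):
            sd["owner" if key == "O" else "group"] = resolve_sid(body)
            continue
        aces = []
        for ace in ACE_RE.findall(body):   # ACL flags before the first "(" are skipped
            fields = ace.split(";")
            if len(fields) != 6:
                raise ValueError(f"unsupported ACE: ({ace})")
            ace_type, flags, rights, _obj, _inherit_obj, account = fields
            aces.append({"type": ace_type, "flags": flags, "rights": rights,
                         "sid": resolve_sid(account)})
        sd["dacl" if key == "D" else "sacl"] = aces
    return sd


def references_to(sddl, sid):
    """List every slot of the descriptor (owner, group, ACE) that embeds `sid`."""
    sd = parse_sddl(sddl)
    target = resolve_sid(sid)
    hits = [slot for slot in ("owner", "group") if sd[slot] == target]
    for acl in ("dacl", "sacl"):
        for i, ace in enumerate(sd[acl]):
            if ace["sid"] == target:
                hits.append(f"{acl}[{i}]:{ace['type']}:{ace['rights']}")
    return hits


# Constructed sample in the shape of an event log customSD; the S-1-5-21-... value
# is a placeholder domain group SID, not one from any real domain.
SAMPLE_CUSTOMSD = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
                   "(A;;0x7;;;BA)(A;;0x1;;;S-1-5-21-1111111111-2222222222-3333333333-1121)")
```

Running the same check over every customSD, share or service descriptor you can export is the closest thing to the enumeration interface the post says does not exist.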

RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)

2007-01-08 Thread neil.ruston
In addition to the below, routers can be configured to only forward
BOOTP packets to/from 'authorised' DHCP servers.

neil


___ 
Neil Ruston 
Global Technology Infrastructure 
Nomura International plc 
Telephone: +44 (0) 20 7521 3481 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: 08 January 2007 13:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP
servers? (or how do you find it?)

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
> Sent: 08 January 2007 12:20
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP 
> servers? (or how do you find it?)
> 
> Hi all!
> 
> Just wondering, is there a way to "prevent" a rogue DHCP server from 
> playing havoc with a network?
> 
> I have been digging into "dhcp security" but I haven't really found 
> anything that makes it possible to auth. a DHCP server, so that the 
> clients don't fall for a rogue one.
> 
> From what I've seen, the approach MS follows is that IF your DHCP 
> server is Windows-based, you have to "auth" it on the Domain. That 
> prevents the AD/infrastructure admins from shooting themselves in the 
> foot by having too many/improperly configured servers.. But that won't 
> stop a rogue VM from being a nuisance...
> 
> I've found this problem in one of our customers' sites. They use static 
> IP addressing, but we were setting up a few of their computers with a 
> different sw load and configuration, and they wanted to use DHCP to 
> make config changes more dynamic. When running on an isolated network 
> segment, all was fine, but once we moved "into" their network (to do a 
> pilot test) we found a DHCP server serving a range outside their own, 
> and really messing things up.

You could try using DHCP classid. If you set it on your clients when you
build them they will ignore anything with the "wrong" classid. I think
you can also control via group policy.


> What's more, nmap'ing the server, it had a VMWARE-owned MAC and no 
> open ports whatsoever (tcp/udp), at least that I could find. Strange 
> ;)
>

Probably an XP system with the firewall on. A real pain to manage
 
> We managed to overcome the issue because the software load included 
> an IP filtering component, so we decided to block UDP/67 and UDP/68 
> traffic from all IP addresses and only allow it for 255.255.255.255 
> and the IP address of the servers we were going to use... But using a 
> whitelist is a bit of a PITA, so I was wondering if there was some 
> other "cleaner" way to do it..
> 
> Thanks a lot in advance
> 
>   Javier J
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
> 
> 






RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)

2007-01-08 Thread Dave Wade
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
> Sent: 08 January 2007 12:20
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Likely OT: :) Managing/preventing 
> "rogue" DHCP servers? (or how do you find it?)
> 
> Hi all!
> 
> Just wondering, is there a way to "prevent" a rogue DHCP 
> server from playing havoc with a network?
> 
> I have been digging into "dhcp security" but I haven't really 
> found anything that makes it possible to auth. a DHCP server, 
> so that the clients don't fall for a rogue one.
> 
> From what I've seen, the approach MS follows is that IF your DHCP 
> server is Windows-based, you have to "auth" it on the Domain. That 
> prevents the AD/infrastructure admins from shooting 
> themselves in the foot by having too many/improperly 
> configured servers.. But that won't stop a rogue VM from 
> being a nuisance...
> 
> I've found this problem in one of our customers' sites. They 
> use static IP addressing, but we were setting up a few of 
> their computers with a different sw load and configuration, 
> and they wanted to use DHCP to make config changes more 
> dynamic. When running on an isolated network segment, all 
> was fine, but once we moved "into" their network (to do a 
> pilot test) we found a DHCP server serving a range outside 
> their own, and really messing things up.

You could try using DHCP classid. If you set it on your clients when you
build them they will ignore anything with the "wrong" classid. I think
you can also control via group policy.


> What's more, nmap'ing the server, it had a VMWARE-owned MAC 
> and no open ports whatsoever (tcp/udp), at least that I could 
> find. Strange ;)
>

Probably an XP system with the firewall on. A real pain to manage
 
> We managed to overcome the issue because the software load 
> included an IP filtering component, so we decided to block 
> UDP/67 and UDP/68 traffic from all IP addresses and only 
> allow it for 255.255.255.255 and the IP address of the 
> servers we were going to use... But using a whitelist is a 
> bit of a PITA, so I was wondering if there was some other 
> "cleaner" way to do it..
> 
> Thanks a lot in advance
> 
>   Javier J
> 




RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)

2007-01-08 Thread Myrick, Todd (NIH/CC/DCRI) [E]
Best I have seen is to control physical access to your network at layer
1.

Things to include, don't activate ports until the device is provisioned.
You might try a network monitor configured to listen for unauthorized
offers from servers.  The solution you posted below is pretty slick as
well.

It all depends on how secure your client wants their network to be ...
and how usable.

Todd  

-Original Message-
From: Javier Jarava [mailto:[EMAIL PROTECTED] 
Sent: Monday, January 08, 2007 7:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP
servers? (or how do you find it?)

Hi all!

Just wondering, is there a way to "prevent" a rogue DHCP server from
playing havoc with a network?

I have been digging into "dhcp security" but I haven't really found
anything that makes it possible to auth. a DHCP server, so that the clients
don't fall for a rogue one.

From what I've seen, the approach MS follows is that IF your DHCP server is
Windows-based, you have to "auth" it on the Domain. That prevents the
AD/infrastructure admins from shooting themselves in the foot by having
too many/improperly configured servers.. But that won't stop a rogue VM from
being a nuisance...

I've found this problem in one of our customers' sites. They use static IP
addressing, but we were setting up a few of their computers with a
different sw load and configuration, and they wanted to use DHCP to make
config changes more dynamic. When running on an isolated network segment,
all was fine, but once we moved "into" their network (to do a pilot test)
we found a DHCP server serving a range outside their own, and really
messing things up.
What's more, nmap'ing the server, it had a VMWARE-owned MAC and no open
ports whatsoever (tcp/udp), at least that I could find. Strange ;)

We managed to overcome the issue because the software load included an IP
filtering component, so we decided to block UDP/67 and UDP/68 traffic from
all IP addresses and only allow it for 255.255.255.255 and the IP address
of the servers we were going to use... But using a whitelist is a bit of a
PITA, so I was wondering if there was some other "cleaner" way to do it..

Thanks a lot in advance

Javier J

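
Todd's "network monitor configured to listen for unauthorized offers" can be built from a few lines of packet parsing. The following is an added example, not code from this thread: it decodes a DHCP UDP payload (BOOTP fixed header plus option TLVs) and flags DHCPOFFERs whose server identifier, option 54, is not in an authorised set. Capturing the datagrams (a raw socket bound to UDP/68 or a pcap feed) is assumed to happen elsewhere; the offers checked here are constructed in code and nothing is sent.

```python
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREPLY, DHCPOFFER = 2, 2
OPT_PAD, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255


def packed(addr):
    """Dotted-quad string to 4 network-order bytes."""
    return ipaddress.IPv4Address(addr).packed


def parse_dhcp(payload):
    """Decode the fixed BOOTP header and the DHCP option TLVs of one UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    addrs = [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in (12, 16, 20, 24)]
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": addrs[1], "siaddr": addrs[2],
            "chaddr": payload[28:28 + hlen].hex(":"), "options": options}


def check_offer(payload, authorised_servers):
    """Return None for non-OFFERs and OFFERs from an authorised server, else a finding."""
    pkt = parse_dhcp(payload)
    mtype = pkt["options"].get(OPT_MESSAGE_TYPE, b"")
    if pkt["op"] != BOOTREPLY or mtype[:1] != bytes([DHCPOFFER]):
        return None
    sid = pkt["options"].get(OPT_SERVER_ID)
    # Option 54 names the offering server; fall back to siaddr if it was omitted.
    server = str(ipaddress.IPv4Address(sid)) if sid and len(sid) == 4 else pkt["siaddr"]
    if server in authorised_servers:
        return None
    return {"rogue_server": server, "offered_ip": pkt["yiaddr"],
            "client_mac": pkt["chaddr"], "xid": pkt["xid"]}


def build_offer(xid, client_mac, yiaddr, server_id):
    """Construct a minimal DHCPOFFER payload as offline test input (nothing is sent)."""
    header = struct.pack("!BBBBIHH", BOOTREPLY, 1, len(client_mac), 0, xid, 0, 0)
    header += packed("0.0.0.0") + packed(yiaddr) + packed(server_id) + packed("0.0.0.0")
    header += client_mac.ljust(16, b"\x00") + bytes(64) + bytes(128)  # chaddr, sname, file
    options = (bytes([OPT_MESSAGE_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4]) + packed(server_id)
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


AUTHORISED = {"10.0.0.2"}                  # constructed: the site's real DHCP server
CLIENT_MAC = bytes.fromhex("001122334455")  # constructed client hardware address
# Two constructed offers: one from the real server, one from an unknown host.
SAMPLE_OFFERS = [build_offer(0x1234, CLIENT_MAC, "10.0.0.50", "10.0.0.2"),
                 build_offer(0x1235, CLIENT_MAC, "192.168.77.10", "192.168.77.1")]


def scan(payloads, authorised=AUTHORISED):
    """Run the check over captured payloads and keep only the rogue findings."""
    return [f for f in (check_offer(p, authorised) for p in payloads) if f]
```

A finding carries the offered address and the client MAC, which is what you need to locate the offending host on the switch, since (as Javier found) the rogue may answer to no ports at all.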


RE: [ActiveDir] WSUS 3.0 beta 2

2007-01-08 Thread Haritwal, Dhiraj
Hi,

 

I had installed WSUS 3.0 beta 2. Now I am able to open the mmc console
of WSUS but not able to open the web console (http://servername). Also I
had configured client settings through group policies (added wuau.adm).
Now I am neither able to open the web console (http://servername) nor
able to update a client, because the last status report is showing "not
yet reported". I had installed on the default website (port 80). Kindly
help me to solve this problem.

 

Dhiraj Haritwal

 

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chong Ai Chung
Sent: Monday, January 08, 2007 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] WSUS 3.0 beta 2

 

What's the problem that you face?

On 1/8/07, Haritwal, Dhiraj <[EMAIL PROTECTED]> wrote: 

Hi,

 

Does anyone know about WSUS 3.0 beta 2? Actually I had installed it
& am facing some problems. So can anybody help me?

 

 

Dhiraj Haritwal

 



[ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)

2007-01-08 Thread Javier Jarava
Hi all!

Just wondering, is there a way to "prevent" a rogue DHCP server from playing
havoc with a network?

I have been digging into "dhcp security" but I haven't really found anything
that makes it possible to auth. a DHCP server, so that the clients don't
fall for a rogue one.

From what I've seen, the approach MS follows is that IF your DHCP server is
Windows-based, you have to "auth" it on the Domain. That prevents the
AD/infrastructure admins from shooting themselves in the foot by having too
many/improperly configured servers.. But that won't stop a rogue VM from
being a nuisance...

I've found this problem in one of our customers' sites. They use static IP
addressing, but we were setting up a few of their computers with a different
sw load and configuration, and they wanted to use DHCP to make config
changes more dynamic. When running on an isolated network segment, all was
fine, but once we moved "into" their network (to do a pilot test) we found a
DHCP server serving a range outside their own, and really messing things up.
What's more, nmap'ing the server, it had a VMWARE-owned MAC and no open
ports whatsoever (tcp/udp), at least that I could find. Strange ;)

We managed to overcome the issue because the software load included an IP
filtering component, so we decided to block UDP/67 and UDP/68 traffic from
all IP addresses and only allow it for 255.255.255.255 and the IP address of
the servers we were going to use... But using a whitelist is a bit of a
PITA, so I was wondering if there was some other "cleaner" way to do it..

Thanks a lot in advance

Javier J



Re: [ActiveDir] WSUS 3.0 beta 2

2007-01-08 Thread Chong Ai Chung

What's the problem that you face?

On 1/8/07, Haritwal, Dhiraj <[EMAIL PROTECTED]> wrote:


 Hi,



Does anyone know about WSUS 3.0 beta 2? Actually I had installed it &
am facing some problems. So can anybody help me?





Dhiraj Haritwal






[ActiveDir] WSUS 3.0 beta 2

2007-01-08 Thread Haritwal, Dhiraj
Hi,

 

Does anyone know about WSUS 3.0 beta 2? Actually I had installed it
& am facing some problems. So can anybody help me?

 

 

Dhiraj Haritwal

 





RE: [ActiveDir] Moving ADC

2007-01-08 Thread dinesh shinde
Hello, can someone help me with the below issue?
Thanks & Regds.
 
Dinesh


From: "dinesh shinde" <[EMAIL PROTECTED]>Reply-To: ActiveDir@mail.activedir.orgTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Moving ADCDate: Sat, 06 Jan 2007 10:43:55 +0530MIME-Version: 1.0X-Originating-IP: [203.124.232.244]X-Originating-Email: [EMAIL PROTECTED]X-Sender: [EMAIL PROTECTED]Received: from mail.activedir.org ([12.168.66.190]) by bay0-mc10-f15.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444); Fri, 5 Jan 2007 21:16:55 -0800Received: from bay0-omc3-s19.bay0.hotmail.com [65.54.246.219] by mail.activedir.org with ESMTP (SMTPD32-8.15) id A01794F00EE; Sat, 06 Jan 2007 00:13:59 -0500Received: from hotmail.com ([65.54.162.31]) by bay0-omc3-s19.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Fri, 5 Jan 2007 
21:13:59 -0800Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Fri, 5 Jan 2007 21:13:59 -0800Received: from 65.54.162.200 by by108fd.bay108.hotmail.msn.com with HTTP;Sat, 06 Jan 2007 05:13:55 GMT

Hi,
I have a mixed mode environment in my setup with 28 child domains at remote locations having additional DCs, and I am planning to move my DC to the Additional Domain Controller, making it a DC, because of new hardware we have received. We can move the roles to the new server, but the old one also has the Active Directory Connector to our bridgehead server (Exchange 5.5).
So what needs to be done to decommission the old DC and make the new DC the one with the AD Connector?
Thanks & Regds.
 
Dinesh
