Happy New Year to you as well!
In order to make a good decision for yourself about whether or not you can
and need to protect yourself against clever Domain Admins, Service Admins and/or
people with physical access to your DCs, some extra info:
Ways to bypass standard security:
-
Did you write the custom filter? If so, have it dump what
it is doing to debug and watch it. I would be a little shocked if trust
passwords were being sent through the PasswordFilter function.
Heh, me guessing wasn't good enough, I just tested it on K3
OEM with one of my own custom filters.
FindExpAcc is now posted...
http://www.joeware.net/win/free/tools/findexpacc.htm
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 06, 2005 1:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] expiring acc
Unless something has changed in the Password Filter implementation lately, I believe that Computer password changes do not hit the PasswordFilter. At least, that routine did not get called when using the passfilt I got from MS a long time ago. I haven't used this lately and the behavior may have
I am facing an issue after
installing a custom password filter DLL. The password filter DLL is working fine for
user password changes. But when I
try to create a trust between NT and Windows 2003, it is not accepting any
password combinations. I disable
the custom password filter DLL, and the
Hear, hear!
-gil
From: [EMAIL PROTECTED] on behalf of Deji Akomolafe
Sent: Thu 1/6/2005 8:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
>>> by using selective authentication (SA).
Which, in other words, means that a SEPARATE FOREST does not in itself protect you from an internal "clever domain admin" in any of the domains/forests. Unless you go through the trouble of SID filtering, SA, and other ACLing. And, even with all that in p
FWIW, White papers of relevance if you haven't seen them already.
The first one will probably answer your questions. What's the
underlying motivation for two forests?? Reading between the lines, it
sounds like the trust issue may not be the real issue compared to some
other service autonomy or d
If both domains are single domain forests then a Forest trust isn't as
big a deal since its major selling point is that the trust is
transitive. I suppose that you also would be able to use Kerberos for
cross forest authentication, which is a nice feature that I don't
believe is available in exter
Hi David,
In addition to SID filtering, you can protect a trust between domains in two
forests (either a forest trust or an external trust) by using selective
authentication (SA). SA is sometimes called authentication firewall, and the
idea is that only listed users can access only listed serve
Separate forests should be well protected from each other, with the
possible exception of the SID History exploit, which is prevented by
enabling SID filtering, which I think is on by default now.
-gil
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugl
In real life, you would also want to make use of SID filtering.
http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
While multiple forests will give you security advantages, they will also
cause additional administrative overhead.
-Original Message-
From: [E
Happy New Year !
I'm having a design discussion with myself about adding a forest vs
adding a domain to an existing forest. I understand about the automatic
transitive trust between domains in a forest, and how it's possible for
a clever domain admin in a subdomain to compromise the entire forest.
I'm attempting to set up a GPO to restrict which browser plugins can run
in IE. This new GPO, part of XP SP2, is found in: User Config/Windows
Components/Internet Explorer/Security Features/Add-on Management
The thing I'm trying to stop is the addition of spyware toolbars and
other junk that ge
Err I have been meaning to make a tool available like this for some time...
Even though I am on hiatus from writing joeware free tools at the moment I
decided to do this as it is all based on previously created code and only a
couple of hours of work.
I will try to release the tool on the website
I can tell what DC authenticated my AD client by looking at the value of
the environment variable LOGONSERVER. But there isn't an environment
variable for which GC was involved. Since we have several sites that
have more than one GC, I'd like to be able to tell which GC was used.
Does anyone know h
Hi Justin,
Planning DFS and FRS Security is a good starting point!
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/sdccc_fsv_ogmn.asp
Cheers!
John Reijnders
-Original Me
Can someone send me some information about how to configure a DFS across
multiple domains within the same forest, more specifically how to take
care of security on the files and folders when setting this up? I will
be looking up the info myself as well, but wanted to get a head start by
asking the
I used reg.exe in a remote script run from a server to change the DNS
and WINS server info. It worked better, plus I had info for future
reference. You will have to do a subnet scan to get a list to feed this
script.
See attached script, I hope it helps. Change .txt to .vbs.
-Original Mess
Does that mean that you get the same results even if you use the index?
I can't speak for the 'softies but if you want to report it as a bug, you
either open a case direct off the support pages, else you go through your
support rep. An organization your size/stature, likely has a TAM of some
so
Hi Al
Any idea how to report it as a bug? I was kind of hoping Microsoft guys
would be monitoring this discussion group and one of them would look into
it / address it internally.
Regards,
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202