From the pentest listserve...
"If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke "
Matt Hargraves wrote:
You made a comment in the previous thread that I think is rather
intere
I've always followed a DSI[1] access model, it definitely supersedes in
every way what RBS[resource], RBS[role], ABS, CBS, NBC, ABC can provide
...
[1] DSI = Defending Security Infrastructures
-B
On Tue, 1 Aug 2006, Matt Hargraves wrote:
> Without going with an Access-Based Security (ABS) model
> If
it works for a subset of records, why not for
all?
Subsets of records are probably working because you have
different services responsible for the different records which also means
different SPNs used to generate the kerberos tickets for the
services.
> Just
would have been nice
Yeah I know where you are coming from Darren but absolutely
can't say it is ok because I do not believe it is ok at all. I think saying it
is ok or that it is understandable will relax people about it and people
absolutely should not be relaxed about it or feel that they can't do anything
ab
No, this is for the new Wireless policy features that are specific to Vista. R2 does not include them. Server 2003 included the schema extensions for Wireless policy that first appeared in XP, but this is new stuff.
From: "Matt Hargraves" <[EMAIL PROTECTED]> Sent: Monday, July 31,
Hey - even though I mistakenly added you guys & gals to this e-mail, it doesn't take away the invitation. We all need a few days of R&R!
e.g. see below..!
Thanks for the sense of humor!
On 7/31/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Giant Steps on the Palisades - Day Hike and Light Scra
Certainly I know of a couple of customers who could
immediately make use of it in exactly that way right now. The first thing I
would be doing once that feature hit is finding out how much I could strip out
and then find ways to strip out even more because honestly, most of that Cat-1
base s
We'll write this off as a one-off addressing error, shall we?
Tony
PS. Is Saturday a wet Saturday?
-- Original Message --
From: HBooGz <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date: Mon, 31 Jul 2006 15:53:02 -0400
Since we're all prett
Thanks Dean. I didn't quite understand your explanation of the tokens for the dhcp client service. If it works for a subset of records, why not for all? Anyways, I tried repro'ing. The 1st time I tried none of your recommendations worked other than ipconfig /registerdns. I deleted the zone on parent
I think we all know how bad it is to have hordes of DAs. We also know that it is
the reality in many large and small orgs. and we also know that it is sometimes
unavoidable for purely non-technical reasons. The bottom line is that many of
those DAs probably don't know how to undo something t
I thought all that stuff was part of the Server 2003 R2 schema extensions and would work in XP also.
On 7/28/06, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:
In case anyone is
interested, here's a doc that describes the AD schema extensions that will be
required to support the new wireless netw
The way I read that was as follows:
20% means that 20% of your assets are unprotected: 1/5 of sensitive
data is not managed like it should be (controlled, audited, protected, etc.).
20% of laptops with mobile data isn't encrypted.
20% of desktops unpatched
20% of servers unpatched.
Yo
Thanks Darren and Za. What if DCs are already configured to use a specific port for RPC/DCOM (http://support.microsoft.com/kb/224196/)? I think it can be used by clients as well, right?
In other words, if I follow KB224196, do I need to open more based on the doc you provided (msdn_dcomfirewall.asp)? A
I guess the gist of what everyone is saying can be summed up with the following: What does the current environment look like? How extensive is your Exchange deployment going to be? Without some of that information, it's only going to be a vague guess that anyone can give. I seriously doubt you need t
The Netware partial-replica model immediately jumped to
mind when the RODC-PAS idea was broached. I can see a lot of customers
trying to use this feature to create partial-replicas way beyond concerns of
preventing replication of sensitive data. I suppose one big difference
(making an assu
I'd think of revoking Domain Admins and grant them their rights via an RBS group in AD. Changing the rights of the builtin admin groups isn't something that you should necessarily do, primarily because so many applications out there require special privileges and fail out because the application d
By revoking Domain Admins I mean revoking their membership...
On 7/31/06, Matt Hargraves <[EMAIL PROTECTED]> wrote:
> I'd think of revoking Domain Admins and grant them their rights via an RBS group in AD. Changing the rights of the builtin admin groups isn't something that you should necessarily do,
Andy-
Yes, its possible. There are actually two steps here. If
you have GPMC, highlight the Group Policy Objects node on your domain and choose
the Delegation tab. From here, you can delegate which groups can create GPOs in
the domain. However, even if you remove Domain Admins from this list,
Does anyone know how I force replication through ASP 2.0?
My DC’s are all local (no WANs) and 2003 SP1.
I have a web page that does account creation and then points
the user to a portal which attempts to authenticate against AD. The portal
software (Peoplesoft) can only attempt a
Hey that sounds like fun!!! Consider me down
for either locations. J
Alex
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: Monday, July 31, 2006 3:53 PM
To: ActiveDir@mail.activedir.org; Dre; Michah Castrenbaumawitz; [EMAIL PROTECTED]; mark; Nick
Time for a cyclical answer. IF you figure out a way to prevent a DA from creating GPO, and it works against a certain DA, then that DA does NOT deserve to be a DA. So, just save yourself the research and just remove that DA from the DA group right now.
IF you have a DA whose skills or judgment
Is it
possible to change who can create and/or edit GPOs? Sure. Will what you propose
accomplish what you want it to? Nope. Your Domain Admins can just put themselves
into the GP Creator Owners group, for example. Or in the root domain, they could
put themselves into the Enterprise Admins gr
Understood. I made similar arguments in some places you will come to see in the very near future.
I will beg to differ on the "worth the benefit" claim vis-à-vis the headaches associated with WINS and how much less resilient I've found WINS to be compared to DNS.
However, my focus is on demystifyi
Wow! You are one very generous list member :)
Can I bring the family along? With the dog and my favorite neighbor?
Sincerely,
Miami or Montreal, quite a range there!
Do you want to speak French or Spanish?
:o)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: Monday, July 31, 2006 3:53 PM
To: Acti
Hehe. Wrong list for this kind of question. Put on a
helmet.
But... yes you can, for as long as the DAs decide to let it
be that way. They will have no issues switching it right back. You CANNOT
prevent DAs from doing anything they want in the domain or the forest. You can
try like a
Joe,
isn't the below kind of like yelling, "OMG! Elvis!" in a McDonald's restaurant
in Kalamazoo and following it up with, "nobody ask for his
autograph"?
;-)
Laura
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, July 31, 2006 3:13 PM
To: Act
Since we're all pretty busy with work, school, raiding corporations (Rich), planning a group vacation this summer is pretty hard. I'd like to hit either Miami or Montreal next weekend for a few days, but I'm not sure who can make it, if anyone at all.
that being said, I'm thinking we all should u
Hi, I have a Group Policy delegation question. By default, only domain administrators, enterprise administrators, Group Policy Creator Owners, and the operating system can create new Group Policy objects. Since our company has lots of domain administrators, I'm thinking revoke domain administrators
One word... disjoint name space.
AD itself doesn't
need WINS unless DNS is broken because it uses FQDNs. It is everything else. If
you have a simple single domain setup, you are probably going to be able to
remove WINS requirements unless you have legacy apps that actually force a
lookup
Hi. VBScript may be used to do that.
Atila Firmino
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard
Sent: Monday, July 31, 2006 13:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] bulk user creation
I have used a too
This is why I expect most people won't be managing the
policy that closely. I see RODCs going out with a policy to cache all passwords
but admin passwords. You get the benefits and don't deal with additional
management overhead.
Some places will care enough to do the extra work and some
m
Whoa... Nathan too. This list is
hopping...
For those folks who don't know Nathan... Read his signature
carefully and realize the level of people this list is seen by. And don't email
him directly unless you found a world ending issue with Longhorn DCs, he is a
busy guy about right now. :)
> We thought to upgrade the DC's first because it takes care of the
extension
> of the schema and all which has to be done prior to EXCH2K3 anyhow
The upgrade of the DCs does not take care of the schema extension –
you’ll have to prepare your schema as a separate step prior to being a
For Exchange, there has been a lot around Exchange. At no
point though have I heard that they were even going to start to consider supporting
Exchange with RODCs. I have heard a lot of absolutely we will not support
Exchange that way. If Exchange were supported, not to be a pain, but I can't
ima
Hey Brian, good to see your name on the
list...
I got pinged offline on the basis behind this
functionality. I admit to being a little shocked that someone was tossing
password type info into other attributes especially with AD being so generally
open to viewing, especially when using the
Try http://www.microsoft.com/downloads/details.aspx?FamilyID=2cc30a64-ea15-4661-8da4-55bbc145c30e&DisplayLang=en
Sincerely,
This is probably going to be a "hit-and-run" reply from me. I just have to jump in because whenever I see a "Need WINS" argument, I feel the urgent need to burst a ventricle or two.
if you don't have a wins server specified and don't have the dns suffix search order, then name resolution won't
You and joe are in the same boat :)
I understand where the logic for the generalization comes from. My experience and instinct tell me to disagree with the both of you and to interpret the generalization in a different manner. I've worked with and met WAY too many programmers to think that I'd
You can start with this http://www.microsoft.com/technet/scriptcenter/scripts/network/client/list/nwlsvb05.mspx?mfr=true and
add in some logic to query AD for DCs and Exchange servers and then run the
scriptcenter code against those particular servers.
From: [EMAIL PROTECTED] [mailto:[EMAIL
Hi Nate,
Just in case you hadn’t seen this
before, you might want to keep your eye on this KB article.
http://support.microsoft.com/kb/314649
Good luck with your upgrade!
~Ben
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR U
See, that's the limitation that for me would make me wonder whether or not in *my* environments I would want to deploy such an animal or go full bore and deploy a full GC.
The second biggest problem for me would be to accurately guess where a user might be when they logon to the network. They c
Hi,
Setup: Windows 2003 +
exchange 2003.
My AD + Ex setup is
running on different hardware. Now what is the best way to find what types of
Network (and also how many on one
server) cards are installed on my all DCs and Exchange. I need to write a
script or a wmi query.
Thank
We thought about using the confidential
flag as the denotation for the RO-PAS, but that would break too many
applications.
The RO-PAS would only be for applications
that wanted to protect their secrets from replicating to a RODC. DIMS (aka cred
roaming) is a prime example. Most likely
I have used a tool called AD Infinitum for
this. Granted it's not free, but it pays for itself with ease of use and features.
Alex
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sharif Naser
Sent: Monday, July 31, 2006 1:27 AM
To: ActiveDir@m
Hey - from the machines, I can definitely ping the FQDN.
[Neil Ruston] Indeed - that should always work unless you have basic DNS issues.
If you have hundreds, even thousands of workstations, the easiest way to distribute the DNS suffix search order listing is through group policy?
[Neil Ruston] m
Another FYI - Suffix Search List GPO is only available on Windows XP and up OS's.
It was not in Win2000 versions. We had to use scripts/reg keys to manage these back in the day.
Jef Kazimer --- http://www.jeftek.com
Date: Mon, 31 Jul 2006 10:46:38 -0400 From: [EMAIL PROTECTED] To: ActiveDi
Hey - from the machines, I can definitely ping the FQDN. If you have hundreds, even thousands of workstations, the easiest way to distribute the DNS suffix search order listing is through group policy? If you don't have a WINS server specified and don't have the DNS suffix search order, then name resoluti
Check your antivirus software to make sure it doesn't
include some sort of pseudo-firewall feature. Also make sure the built-in
firewall isn't enabled.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: Monday, July 31, 2006 1:15 AM
To: ActiveDir@mail.
All,
We are
rounding home base in our upgrade path to 2K3 and have our Exchange Server
Cluster running W2K and EXCH2K and our Domain Controllers to upgrade
lastly. Which of them would you think would be the best to upgrade
first? We thought to upgrade the DC's first because it takes care
just as an FYI:
If you specify a suffix search list, it will override
the default behaviour of appending the parent suffixes of the primary DNS suffix.
So if you just specify:
domain2.domain1.com
domain3.domain1.com
and not
domain1.com
it will not search domain1.com since it is not
specified in the S
Just a quick addition - if suffices are defined then
the default (devolution) behaviour is disabled.
i.e. you can have one or the other and not both!
As a
result, you need to carefully pick and choose which suffices are added - if the
host specified is not found using one of the defined suffi
I assume you are using WINS and the DCs of child and parent domains are registered there. Therefore the netbios names are resolving.
What happens when you try to ping the FQDN of the child domain server? Does that work? I think your issue is you want the child domain suffix to be appended automat
Not sure if it makes sense, but this could potentially be combined
with the confidential flag – RODCs wouldn’t cache any confidential attributes,
unless a “Confidential Data Caching Policy” would allow them to do so…
The confidential flag is already used by the Digital Identity
Manage
RODCs do NOT replicate a subset of objects => right now they basically
replicate everything a normal DC has (i.e. the full domain NC, config and schema),
less the password hashes of any users.
The OU vs. group discussion was solely around configuring the so
called “Password Replicatio
You’re right Joe – that the
RODC PAS would complicate things for the developers. The “easy”
solution would be for developers to use the writeable flag when connecting to a
DC, then they’d be guaranteed to not get an RODC…but even that isn’t
a great solution, and if we get the RODC GC it on
Sharif Naser wrote:
Hello All,
I have a round 350 users to be created with their mailboxes in windows
2003, what is the best way to automate the process or delegate this job
to two account operators.
Any suggestions are highly recommended.
There are a number of ways to achieve this but you