I've always followed a DSI[1] access model, it definitely supersedes in
every way what RBS[resource], RBS[role], ABS, CBS, NBC, ABC can provide
...
[1] DSI = Defending Security Infrastructures
-B
On Tue, 1 Aug 2006, Matt Hargraves wrote:
Without going with an Access-Based Security (ABS)
From the pentest listserve...
If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke
Matt Hargraves wrote:
You made a comment in the previous thread that I think is rather
Isn't DSI being discussed in great detail at Blackhat starting
tomorrow.. or am I mistaken and just thinking about the blog post again?
http://blog.joeware.net/2006/07/11/445/
Brett Shirley wrote:
I've always followed a DSI[1] access model, it definitely supersedes in
every way what
We appear to agree that there is no 'need'. The OP used the
word 'need' and I merely continued that line of thought :)
neil
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Deji Akomolafe
Sent: 31 July 2006 19:06
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS
Wow, joe and Deji both agreed with me and in the same day
:)
I am at peace :-^
neil
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: 31 July 2006 20:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS suffix resolution..
One word... disjoint name
Hi,
Windows 2003 R2 Single Domain / FFL, AD Integrated DNS. I am thinking about configuring DNS Scavenging. I was reading the AD Cookbook and it mentions 'Configure Non Refresh and Refresh Intervals as necessary'. What does this mean? What do you normally set your environment to? Does this
Personally, the defaults work for me.
Here's a good article: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cncf_imp_tahj.mspx?mfr=true
Re reverse zones - enable scavenging per server and per
zone as appropriate.
neil
From: [EMAIL PROTECTED]
[mailto:[EMAIL
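Neil's answer above (defaults, and enable per server and per zone) in working form, as an added example that is not part of the thread. It uses the DnsServer PowerShell module, which is the Windows Server 2012+/RSAT replacement for the dnscmd /Config switches a 2003 admin would have typed; the server, zone and IP are placeholders.

```powershell
# Added example, not from the thread. Needs the DnsServer module (Windows Server
# 2012+ or RSAT); on the Windows 2003 servers in this thread the same knobs were
# set with dnscmd /Config. Server, zone and IP below are placeholders.
Import-Module DnsServer

$Server   = 'dc1.contoso.com'
$ServerIp = '10.0.0.10'
$Zone     = 'contoso.com'

# Per server: turn the scavenging thread on and say how often it runs.
Set-DnsServerScavenging -ComputerName $Server -ScavengingState $true `
    -ScavengingInterval (New-TimeSpan -Days 7)

# Per zone: aging on, with the two intervals the Cookbook refers to.
# No-refresh: after a dynamic update the timestamp is NOT rewritten for this long
#             (keeps refresh writes and their replication down).
# Refresh:    once no-refresh ends the owner may refresh; only when this window
#             has also passed with no refresh does the record become scavengeable.
# Defaults are 7 days each. Pick them so no-refresh + refresh comfortably exceeds
# the longest gap between a client's re-registrations (the DHCP lease is the
# usual upper bound), otherwise live hosts lose their records.
Set-DnsServerZoneAging -ComputerName $Server -Name $Zone -Aging $true `
    -NoRefreshInterval (New-TimeSpan -Days 7) -RefreshInterval (New-TimeSpan -Days 7) `
    -ScavengeServers $ServerIp     # only this server may delete records in this zone

function Get-ScavengingReport {
    # What would the next scavenging pass remove, and what can it never touch?
    param([string]$ZoneName = $Zone, [string]$ComputerName = $Server)
    $aging   = Get-DnsServerZoneAging -Name $ZoneName -ComputerName $ComputerName
    $cutoff  = (Get-Date) - ($aging.NoRefreshInterval + $aging.RefreshInterval)
    $records = Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $ComputerName
    [pscustomobject]@{
        Zone         = $ZoneName
        AgingEnabled = $aging.AgingEnabled
        Static       = @($records | Where-Object { -not $_.Timestamp }).Count   # no timestamp: never scavenged
        Dynamic      = @($records | Where-Object { $_.Timestamp }).Count
        # dynamic records whose last refresh is older than no-refresh + refresh:
        # these go at the next pass on a server allowed to scavenge the zone
        Candidates   = @($records | Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
                         Select-Object HostName, RecordType, Timestamp)
    }
}

Get-ScavengingReport
```

Run the report before enabling scavenging for the first time: a large Candidates list on a zone that has never been scavenged usually means stale entries, but check it for records of hosts that are still alive and simply never re-register (statically addressed servers with dynamic records), which is the case the intervals are there to protect.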
Ha ha!
So would I be correct in assuming netlogon registers _ldap _gc records and KDC registers _kerberos and _kpasswd records and dhcpclient does the A record etc.. or am I way off?
Cheers
M@
On 8/1/06, joe [EMAIL PROTECTED] wrote:
If it works for a subset of records, why not for all?
netlogon is responsible for all SRV records and the DHCP
client is responsible for the A record.
neil
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: 01 August 2006 09:53
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS oddities?
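A check for Neil's division of labour (Netlogon owns the SRV records, the DHCP client owns the host's A record), as an added example that is not part of the thread. It reads the file Netlogon writes its expected registrations to and asks DNS whether each one is actually there; it assumes it runs on a DC and that Resolve-DnsName (DnsClient module, Windows 8 / 2012+) is available.

```powershell
# Added example, not from the thread: compare the SRV records Netlogon writes to
# %SystemRoot%\System32\config\netlogon.dns against what DNS actually answers.
# Runs on a DC; Resolve-DnsName needs the DnsClient module (Windows 8 / 2012+).
function Get-NetlogonExpectedSrvRecords {
    param([string]$Path = "$env:SystemRoot\System32\config\netlogon.dns")
    # Netlogon writes zone-file style lines, e.g.
    #   _ldap._tcp.contoso.com. 600 IN SRV 0 100 389 dc1.contoso.com.
    # The few A lines in the file (the domain name and gc._msdcs) are skipped here.
    $rx = '^(?<name>\S+)\s+\d+\s+IN\s+SRV\s+(?<prio>\d+)\s+(?<weight>\d+)\s+(?<port>\d+)\s+(?<target>\S+)\s*$'
    Get-Content -Path $Path | ForEach-Object {
        if ($_ -match $rx) {
            [pscustomobject]@{
                Name   = $Matches.name.TrimEnd('.')
                Port   = [int]$Matches.port
                Target = $Matches.target.TrimEnd('.')
            }
        }
    }
}

function Test-SrvRegistration {
    param([string]$Path = "$env:SystemRoot\System32\config\netlogon.dns")
    foreach ($rec in Get-NetlogonExpectedSrvRecords -Path $Path) {
        $answers = Resolve-DnsName -Name $rec.Name -Type SRV -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'SRV' }
        # a record counts as registered only if this DC's own target/port is among the answers
        $found = $answers | Where-Object { $_.NameTarget -ieq $rec.Target -and $_.Port -eq $rec.Port }
        [pscustomobject]@{
            Name   = $rec.Name
            Target = $rec.Target
            Port   = $rec.Port
            InDns  = [bool]$found
        }
    }
}

# Rows with InDns = $false are registrations Netlogon attempted but DNS does not
# hold (zone ACL, scavenged, dynamic update off, wrong server). Make Netlogon retry
# with:  nltest /dsregdns   and re-register the host A record with:  ipconfig /registerdns
Test-SrvRegistration | Where-Object { -not $_.InDns }
```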
Ha
Thanks Neil. That makes a lot of sense.
Cheers
M@
On 8/1/06, [EMAIL PROTECTED] [EMAIL PROTECTED]
wrote:
netlogon is responsible for all SRV records and the DHCP client is responsible for the A record.
neil
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha
Single Windows 2003 domain FFL. I have 2 DCs which act as WINS/DNS and DHCP. I want to give our Server Support team the ability to view these services from their workstations via an MMC console. For DHCP, the DHCP Users group provides me with an answer for that; does anyone know how I
Check out the 'DNSadmins' group for DNS access and 'WINS
Users' for access to WINS.
Membership of these groups may give too little or too much
access. Can you be more specific about what access these support ppl actually
need?
neil
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
The intermittent result in the repro. isn’t unusual, it seems
likely there’s some kind of race condition occurring under the covers … thus
the unpredictable nature of the test scenarios.
I love this list, if you just wait long enough someone else will
do your work for you :0)
Ben, thanks for the article, I dont think I had seen that
before. Guido, thanks for the info, I will incorporate that into our
testing.
Thank you all!
Nate
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
Sent: Monday, July 31, 2006 12:59 PM
To:
Guys
Does anyone have any good resources on troubleshooting NTLM? I've emailed technet mag as they posted the recent article by Jesper. I've also asked a couple of MSFT bloggers but haven't heard a peep yet.
I would appreciate if you guys can help. Basically I am looking at an issue where NTLM
might
sspi_workbench (from technet) be useful for this?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, August 01, 2006 9:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: NTLM troubleshooting info
Guys
Does anyone have any
Thanks. It probably will help to some extent at least to see what traffic happens between a client and a server. I was hoping for some nice reading material too.
Cheers
M@
On 8/1/06, Kitchens Arthur E [EMAIL PROTECTED] wrote:
might sspi_workbench (from technet) be useful for this?
From:
There is at least some documentation on this found at http://davenport.sourceforge.net/ntlm.html. I'm not sure if it will meet your needs or not. I think
there are some others around as well.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday,
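What the davenport document describes, turned into a small decoder, as an added example that is not part of the thread. Given the base64 blob from a WWW-Authenticate: NTLM or Authorization: NTLM header (or the NTLMSSP payload seen in a capture), it reports the message type, the negotiated flags and, for a Type 2, the target name and server challenge; that is the first thing worth looking at when deciding what the two sides actually agreed on. The message layout and flag values come from that document; the sample Type 2 message is constructed in the script, not captured from a real server.

```powershell
# Added example, not from the thread: decode the NTLMSSP messages carried in
# "WWW-Authenticate: NTLM <base64>" / "Authorization: NTLM <base64>" headers.
# Layout and flag values follow http://davenport.sourceforge.net/ntlm.html; the
# Type 2 message below is constructed for the demo, not captured from a server.

# flag name -> bit position in the NegotiateFlags field
$NtlmFlagBits = [ordered]@{
    NEGOTIATE_UNICODE                  = 0
    NEGOTIATE_OEM                      = 1
    REQUEST_TARGET                     = 2
    NEGOTIATE_SIGN                     = 4
    NEGOTIATE_SEAL                     = 5
    NEGOTIATE_LM_KEY                   = 7
    NEGOTIATE_NTLM                     = 9
    NEGOTIATE_ALWAYS_SIGN              = 15
    NEGOTIATE_EXTENDED_SESSIONSECURITY = 19
    NEGOTIATE_TARGET_INFO              = 23
    NEGOTIATE_VERSION                  = 25
    NEGOTIATE_128                      = 29
    NEGOTIATE_56                       = 31
}

function New-NtlmType2Sample {
    # Constructed CHALLENGE_MESSAGE: flags Unicode|RequestTarget|NTLM|AlwaysSign|TargetInfo,
    # target name CONTOSO, a fixed 8-byte challenge, and an empty target-info block.
    $target     = [Text.Encoding]::Unicode.GetBytes('CONTOSO')
    $targetInfo = [byte[]](0, 0, 0, 0)                           # MsvAvEOL terminator only
    $challenge  = [byte[]](0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef)
    $flags      = [uint32](0x1 -bor 0x4 -bor 0x200 -bor 0x8000 -bor 0x800000)
    $msg        = New-Object byte[] (48 + $target.Length + $targetInfo.Length)
    [Text.Encoding]::ASCII.GetBytes("NTLMSSP`0").CopyTo($msg, 0)   # signature
    [BitConverter]::GetBytes([uint32]2).CopyTo($msg, 8)             # message type
    # security buffers are (len uint16, maxlen uint16, offset uint32), little-endian
    [BitConverter]::GetBytes([uint16]$target.Length).CopyTo($msg, 12)
    [BitConverter]::GetBytes([uint16]$target.Length).CopyTo($msg, 14)
    [BitConverter]::GetBytes([uint32]48).CopyTo($msg, 16)
    [BitConverter]::GetBytes($flags).CopyTo($msg, 20)
    $challenge.CopyTo($msg, 24)                                      # bytes 32..39 (context) stay zero
    [BitConverter]::GetBytes([uint16]$targetInfo.Length).CopyTo($msg, 40)
    [BitConverter]::GetBytes([uint16]$targetInfo.Length).CopyTo($msg, 42)
    [BitConverter]::GetBytes([uint32](48 + $target.Length)).CopyTo($msg, 44)
    $target.CopyTo($msg, 48)
    $targetInfo.CopyTo($msg, 48 + $target.Length)
    [Convert]::ToBase64String($msg)
}

function Read-NtlmMessage {
    param([Parameter(Mandatory)][string]$Base64)
    $b = [Convert]::FromBase64String($Base64)
    if ($b.Length -lt 12 -or [Text.Encoding]::ASCII.GetString($b, 0, 8) -ne "NTLMSSP`0") {
        throw 'Not an NTLMSSP message'
    }
    $type = [BitConverter]::ToUInt32($b, 8)
    # flags sit at a different offset in each message type
    $flagOffset = switch ($type) { 1 { 12 } 2 { 20 } 3 { 60 } default { throw "Unknown NTLM message type $type" } }
    $flags = [long][BitConverter]::ToUInt32($b, $flagOffset)
    $names = foreach ($n in $NtlmFlagBits.Keys) {
        if ($flags -band ([long]1 -shl $NtlmFlagBits[$n])) { $n }
    }
    $out = [ordered]@{ Type = $type; Flags = ('0x{0:X8}' -f $flags); FlagNames = @($names) }
    if ($type -eq 2) {
        $len = [BitConverter]::ToUInt16($b, 12)
        $off = [BitConverter]::ToUInt32($b, 16)
        $enc = if ($flags -band 1) { [Text.Encoding]::Unicode } else { [Text.Encoding]::ASCII }
        $out.TargetName = $enc.GetString($b, $off, $len)
        $out.Challenge  = ($b[24..31] | ForEach-Object { '{0:x2}' -f $_ }) -join ''
    }
    [pscustomobject]$out
}

$hdr = New-NtlmType2Sample            # stands in for the value after "WWW-Authenticate: NTLM "
$m   = Read-NtlmMessage -Base64 $hdr
$m | Format-List
if ($m.FlagNames -notcontains 'NEGOTIATE_SIGN' -and $m.FlagNames -notcontains 'NEGOTIATE_SEAL') {
    'neither signing nor sealing negotiated: traffic after authentication is not integrity-protected'
}
```

On a real capture, feed the decoder the Type 1 from the client, the Type 2 from the server and the Type 3 from the client in turn; a flag the client asked for in Type 1 that is missing from the Type 2 tells you which side dropped it.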
Well, at least Darren posted another mail regarding security
by obscurity which this is. It's just like removing the
Domain Admins group from the local administrators group on member servers to
secure the member server
Just because many of those domain admins don't know why they
may be
Richard doesn't seem to be too keen on giving us further
details, too bad.
But not sure why you Matt - are talking about breaking
1.25 GB with respect to the 32-bit capabilities. By default 32-bit
Win2003 DCs can cache a DIT up to approx. 1.5GB, which grows to 2.6-2.7GB using
the /3GB
California law AB1950 and SB1386
That's also real world... where I could get sued for civil damages if I
don't do reasonable measures to protect the PII on my network.
One of these days that we don't care ... will be in a deposition
statement in court.
Matt Hargraves wrote:
BTW, I wasn't
On a totally serious note to Joe's tongue in cheek posting Go to a
zoo(1).. and you'll hear stories of how each animal has natural
'protection' from their predators.
Each animal has evolved to ensure they have some level of camouflage in
the way of color/features etc so that when their
Thanks Joe. Interestingly, I agree with what you're saying
here, but not for exactlythe same reason. I happen to think that the
"badness" of having lots of over-privileged admins is not the accidental
stupidity (hmmm...is that an oxymoron?), although we know that happens. This
actually gets
I'd like to create an LDAP query to return a list of users
that have the Send on behalf field populated in the
Exchange General / Delivery Options properties in ADUC.
I cannot seems to make sense of the syntax of the query...
(&(objectCategory=user)(publicDelegates=user I'm searching for))
Is
I'm not sure what else he's running on his DC. He might be running complex intrusion detection software, DNS, WINS, etc. I have to assume that he's got 4GB worth of RAM and plenty of 'crap' (ok, maybe not crap, but you know what I'm saying) running on the DC that I'm sure plenty of us would love
instead of (objectCategory=user) use (objectCategory=person)(objectClass=user)
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
( Tel :
Also ensure you are putting the full DN of
the user that you are searching for in publicDelegates= since that is a linked
attribute.
Thanks,
-Steve
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
objectcategory=user isn't optimal, that will get changed to
objectcategory=person which will look at all contacts and users, however
that wouldn't prevent the query from working unless you are timing out. What
tool are you using to submit the query? Does it allow you to specify a
timeout?
Anyway,
Where is the 1.25GB number from and what do you mean
the ability of the 32 bit server to handle it? Do you mean cache? How much can
be cached will depend on the OS level and amount of RAM but you can get up to
2.7GB on a properly configured 32 bit K3 DC.
Certainly in terms of purely
It depends a little on what you're looking for.
Let's say you have a meeting room (MR1) and a user (Bob Smith) has Send on
Behalf of permissions for the meeting room. A search using MR1 would use
publicDelegatesBL (the back link attribute) and would look something like this:
Sorry, I should have put everything together by subject
before responding before.
My experiences range pretty widely with how much the DIT
will grow with the inclusion of Exchange. Again, it depends entirely on what is
already there and what it will end up with for the GAL. One experience
Here's what I tried:
(&(objectCategory=person)(objectClass=user)(publicDelegates=Benjamin*))
I have a mailbox-enabled user named Benjamin
Ortega.
I figured that using Benjamin* would grab the user(s) that
have him set as having Send on behalf
Oh I completely agree with lack of change control. I can't
count the number of times I have asked companies what their change control
process is and they look at me and go huh? What do you mean, we go into
insert tool name and make the change.
Like you have quite a bit of main/mid frame
Ok, so you are trying to find what users have Benjamin as a
publicDelegate. That is my B scenario I listed.
Do this
adfind -gc -b "" -f name="Benjamin Ortega" publicdelegatesBL
If you want more detailed info about each of the users he
is a delegate
Thanks joe for the very detailed reply!
My whole purpose for creating the query is that I had an employee
here depart about a month ago and I thought I had cleaned up
everything when I finally killed the AD account. What I was not
aware of was that some other employees had this person setup as
a
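The same lookup and the cleanup Ben's story calls for, as an added example that is not part of the thread. It uses the ActiveDirectory PowerShell module rather than adfind; 'bortega' is a placeholder for the departed account, and the -Server value for a GC is an assumption about your environment. It shows both of joe's routes: reading publicDelegatesBL from the delegate's own object, and the forward-link filter with the full DN that Steve insisted on (escaped so a DN with parentheses or backslashes cannot alter the filter).

```powershell
# Added example, not from the thread: the cleanup Ben describes, using the
# ActiveDirectory module. 'bortega' is a placeholder for the departed account.
# Editing publicDelegates straight in AD bypasses the Exchange tooling
# (Set-Mailbox -GrantSendOnBehalfTo), which writes the same attribute; prefer
# that where an Exchange shell is at hand.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping: a DN containing \ * ( ) must not be able to alter the filter
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-SendOnBehalfGrantors {
    # Who has $DelegateIdentity in their publicDelegates (Send on Behalf)?
    param(
        [Parameter(Mandatory)][string]$DelegateIdentity,
        [string]$Server          # e.g. 'dc1.contoso.com:3268' to ask a GC, as adfind -gc does
    )
    $ad = @{}; if ($Server) { $ad.Server = $Server }
    $delegate = Get-ADUser -Identity $DelegateIdentity -Properties publicDelegatesBL @ad
    # (a) back-link: the directory already maintains the list on the delegate's own object
    $viaBackLink = @($delegate.publicDelegatesBL)
    # (b) forward-link search: same answer, but the filter must carry the full DN
    $filter    = '(publicDelegates={0})' -f (ConvertTo-LdapFilterValue $delegate.DistinguishedName)
    $viaFilter = @(Get-ADUser -LDAPFilter $filter @ad | Select-Object -ExpandProperty DistinguishedName)
    [pscustomobject]@{
        Delegate    = $delegate.DistinguishedName
        ViaBackLink = $viaBackLink
        ViaFilter   = $viaFilter
        Consistent  = ($viaBackLink.Count -eq $viaFilter.Count)
    }
}

function Remove-SendOnBehalfReferences {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$DelegateIdentity)
    $delegate = Get-ADUser -Identity $DelegateIdentity -Properties publicDelegatesBL
    foreach ($grantorDn in @($delegate.publicDelegatesBL)) {
        if ($PSCmdlet.ShouldProcess($grantorDn, "remove $($delegate.SamAccountName) from publicDelegates")) {
            # publicDelegates is a linked DN attribute: removing the forward link on the
            # grantor clears the back-link on the delegate as well
            Set-ADUser -Identity $grantorDn -Remove @{ publicDelegates = $delegate.DistinguishedName }
        }
    }
}

Get-SendOnBehalfGrantors -DelegateIdentity 'bortega'
Remove-SendOnBehalfReferences -DelegateIdentity 'bortega' -WhatIf   # drop -WhatIf to apply
```

Run the report before deleting a leaver's account, not after: once the object is gone the back-link goes with it, and the only way left to find the grantors is the forward-link search against a DN that no longer resolves.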
What do you mean by View these services? The info that they
maintain or the status on the services themselves?
The WINS Users group should definitely work to give access
to records. To make my life easier in a previous job I just placed auth
users into that group for all WINS machines.
As
:o)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, August 01, 2006 3:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS suffix resolution..
I will beg to differ on the
"worth the benefit" claim vis-à-vis the headaches associated
with WINS and how less
resilient I've found WINS to be compared to DNS.
Hey
just because it isn't resilient for you doesn't mean it doesn't work ok for
some of us. :) I wouldn't say the rest of us
Lurk away, glad to help out. Don't be afraid to ask questions, we just all
seem mean. In real life we are all nice teddy bears, well except Deji. Avoid
Deji if you see him coming, he is a bit scary. ;o)
joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
Not disagreeing with you Matt, we're all just in a
guess mode without RM providing more information. I love those posts to lists
where the original poster never gets back to the questions being posted to
his questions
Anyways I just made the point that his DIT size is not
small for a
My production patching has been very lucky. I tend to find the bugs in
testing and if I get through my testing ok then I haven't had an issue in
prod that I can recall, at least nothing in the last 6 or so years.
Certainly when I managed an Enterprise (DCs/Wins/And utility servers for
domain
LOL.
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Tuesday, August 01, 2006 2:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]
Some of the new laws are definitely coming into play. I have heard more than
once from Director level Security folks and CIOs that they want whatever is
needed done to make sure they aren't in a position to get sued or even worse
go to jail because some (and I am quoting) some numbskull admin
Interesting thoughts there...
My only tongue in cheek response right off (though this will bubble in my
head for some time) is that most predators are brighter than many people
doing admin work and we still need them to be able to find the systems...
;o)
Raise your hand if in the last year you
Without getting into the politics involved that got us here, suffice it to
say that someone with a lot of political clout, no Windows or Active
Directory experience (though considerable MAC/OS X experience), and a PhD at
the end of their name, made a decision to deploy openLDAP and Active
Just to be honest, it sounds like I made a bad assumption... that AD holds as much information (or more) natively as it does for Exchange. From what Joe is saying, it sounds like Exchange is a huge AD bloat monster.
Not that it's a problem for many environments, just the larger ones. I'd be
This might be something that I can do with a combination of scripts, though I'm not sure where I'd get them from.
1) I need to be able to export a list of users (the userID is fine) with their group memberships. (AD objects)
2) I need to be able to export a list of groups with their list of members
msDs-User-Account-Control-Computed is a constructed attribute. Constructed
attributes cannot be set manually because they are automatically maintained by
the system.
Tony
-- Original Message --
From: David Aragon [EMAIL PROTECTED]
Reply-To:
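Tony's point in working form, as an added example that is not part of the thread: read the constructed attribute, decode the two bits it reports, and show that a write to it is refused. It assumes the ActiveDirectory module and uses 'jdoe' as a placeholder account.

```powershell
# Added example, not from the thread, for Tony's point about the constructed attribute.
# Needs the ActiveDirectory module; 'jdoe' is a placeholder account.
Import-Module ActiveDirectory

# Bits the DC computes into msDS-User-Account-Control-Computed (UF_LOCKOUT and
# UF_PASSWORD_EXPIRED); the stored userAccountControl never carries them, which is
# why scripts that test userAccountControl alone miss locked-out accounts.
$ComputedUacBits = @{
    LOCKOUT          = 0x000010
    PASSWORD_EXPIRED = 0x800000
}

function Get-ComputedAccountState {
    param([Parameter(Mandatory)][string]$Identity)
    $u = Get-ADUser -Identity $Identity -Properties userAccountControl, 'msDS-User-Account-Control-Computed'
    $computed = [int]$u.'msDS-User-Account-Control-Computed'
    [pscustomobject]@{
        SamAccountName     = $u.SamAccountName
        UserAccountControl = ('0x{0:X}' -f $u.userAccountControl)
        Computed           = ('0x{0:X}' -f $computed)
        LockedOut          = [bool]($computed -band $ComputedUacBits.LOCKOUT)
        PasswordExpired    = [bool]($computed -band $ComputedUacBits.PASSWORD_EXPIRED)
    }
}

function Test-ComputedAttributeIsReadOnly {
    # The write Tony says cannot be done: the DC rejects it because the value is
    # derived at read time (from lockoutTime, pwdLastSet and domain policy), not stored.
    param([Parameter(Mandatory)][string]$Identity)
    try {
        Set-ADUser -Identity $Identity -Replace @{ 'msDS-User-Account-Control-Computed' = 0 } -ErrorAction Stop
        $false
    } catch {
        $true
    }
}

Get-ComputedAccountState -Identity 'jdoe'
Test-ComputedAttributeIsReadOnly -Identity 'jdoe'   # expected: $true
# To clear the LOCKOUT bit, change what it is computed from instead:
#   Unlock-ADAccount -Identity 'jdoe'    (sets lockoutTime to 0)
```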
Well, the problem of the postit note is that the people doing it are a bit more circumspect than they used to be. They don't post it with Password: ilikebananas and they don't necessarily put it on their monitor (though it hasn't been that long since I saw that and I always at the very least scold
You can certainly get all the piece parts from
here:
http://rallenhome.com/books/adcookbook/code.html
And you can use joe's wonderful adfind (or dsquery if you
were to insist) to do much of the gruntwork. I show you some examples
here:
Use GPO to prevent users from running the scheduler. Need to do a reg
hack to block local accounts.
http://www.projectstreamer.com/users/r0t0r00t3r/xp_priv_esc/xp_priv_esc.
html
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
That's not even fair, I own that book already. I was hoping to avoid doing the scripting part... but that being said, how much of that will work in NT domains to get groups and their members/memberships?
On 8/1/06, Michael B. Smith [EMAIL PROTECTED] wrote:
You can certainly get all the
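The two exports Matt listed, as an added example that is not part of the thread and not one of the Cookbook scripts Michael points to. It uses the ActiveDirectory module (Server 2008 R2+/RSAT) in place of adfind/dsquery, so it answers the AD half of the question only, not NT4 domains; output paths and the search base are placeholders.

```powershell
# Added example, not from the thread or from the Cookbook scripts: the two exports
# Matt asked for, done with the ActiveDirectory module (Server 2008 R2+ / RSAT).
# Paths and the search base are placeholders. AD only; it does not cover NT4 domains.
Import-Module ActiveDirectory

function Export-UserGroupMembership {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [Parameter(Mandatory)][string]$Path
    )
    $domainSid    = (Get-ADDomain).DomainSID.Value
    $primaryCache = @{}
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties memberOf, primaryGroupID |
        ForEach-Object {
            $user = $_
            # memberOf lists direct memberships only and never the primary group
            # (usually Domain Users); resolve that one from its RID so it is not missed.
            $rid = $user.primaryGroupID
            if (-not $primaryCache.ContainsKey($rid)) {
                $primaryCache[$rid] = (Get-ADGroup -Identity "$domainSid-$rid").DistinguishedName
            }
            foreach ($groupDn in (@($user.memberOf) + $primaryCache[$rid])) {
                [pscustomobject]@{
                    SamAccountName = $user.SamAccountName
                    Enabled        = $user.Enabled
                    GroupDN        = $groupDn
                }
            }
        } | Export-Csv -Path $Path -NoTypeInformation
}

function Export-GroupMembers {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [Parameter(Mandatory)][string]$Path
    )
    # Reading the member attribute (rather than Get-ADGroupMember) sidesteps the
    # ADWS per-call member cap on large groups and keeps foreign security principals
    # (members from other domains) in the output instead of erroring on them.
    Get-ADGroup -Filter * -SearchBase $SearchBase -Properties member |
        ForEach-Object {
            $group = $_
            foreach ($memberDn in @($group.member)) {
                [pscustomobject]@{
                    GroupSam    = $group.SamAccountName
                    GroupScope  = $group.GroupScope
                    MemberDN    = $memberDn
                    # 'group' here means nesting: expand it if effective membership is wanted
                    MemberClass = (Get-ADObject -Identity $memberDn -ErrorAction SilentlyContinue).ObjectClass
                }
            }
        } | Export-Csv -Path $Path -NoTypeInformation
}

Export-UserGroupMembership -Path 'C:\temp\users-groups.csv'
Export-GroupMembers        -Path 'C:\temp\groups-members.csv'
```

Both exports are direct memberships. For the "who can actually do X" view, walk the rows where MemberClass is group recursively; for an audit of privileged groups that is the list that matters, since a user two nestings deep in Domain Admins never shows up in the first export.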
This is silly. At least on XP, a normal, non-admin user cannot add AT jobs.
So, yes, this would work if the user is local admin, but big deal. At that
point, who cares? Is the point here that I can elevate from Administrator to
LocalSystem? I'm not really sure that's a revelation...
Interesting exploit. Although I think this might not be new. I fired up a
somewhat old Windows XP VM I had to test it, and despite the fact that standard
users had permissions to read/execute AT.EXE, they were still denied access.
Same deal on my company workstation which is absolutely up to
On Tue, 1 Aug 2006 18:29:24 +0100, Grillenmeier, Guido
[EMAIL PROTECTED] said:
Richard doesn't seem to be too keen on giving us further details - too
bad.
Sorry, been busy... 400 unread msgs from this list, got some catching up
to do.
What does the current environment look like?
How extensive
Yeah, I jumped too soon; I tested it when I got home, and
verified that it doesn't work with user or power user privs. Sorry for the
noise.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
Sent: Tuesday, August 01, 2006 9:50