RE: Least privilege vs Windows server security

["Ackley, Alex" <aackley () epmgpc com>]

Assuming you've applied basic security measures on the Government side
of the network; then you're doing exactly as you should.

The idea is nothing is going to stop anything if a DC is "owned."  But
this is only if someone acquires enterprise admin access to the DC.  

If the network is compromised, with anything less than admin privs, then
your precautions in segmenting the network come into play and prevent
further data breaches.

On top of that; the majority of data theft and breaches happen from
within the organization by limiting the exchange of information between
the two networks you're reducing the attack surface that an insider
would have access to.

Also, by segmenting and limiting through the firewall you're hopefully
generating logs which can be further analyzed for lots of things.  Such
as seeing if unauthorized attempts are being made to get to the LE side;
in the event of a breach it should also be logging who is gaining or
attempting to gain access making it easier to track down the problem.

I'm sure others will come up with even more reasons but it basically
comes down the fact that you're doing the correct thing.  Least
privilege is almost always the right thing.

Alex Ackley, CISSP, GSEC
Security Administrator
EPMG, PC

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Dan Lynch
Sent: Thursday, July 12, 2007 2:48 PM
To: security-basics () securityfocus com; firewalls () securityfocus com
Subject: Least privilege vs Windows server security

Greetings list,

I'm looking for opinions on an issue of contention in our organization.
Our enterprise is made up of two networks - one for general government
departments, and another for law enforcement related departments. 

The users, Windows file servers, and MS Exchange servers of both
networks are members of the same MS Active Directory domain. A file
server, an Exchange server, and a domain controller sit on each network.
The LE network requires stronger data security measures as it also
includes non-member servers that hold highly sensitive data. These are
the crown jewels, and the LE network is therefore behind a firewall from
our general government network

The entire system is in production and running with a few administrative
and functional limitations. We've tried to follow the principle of least
privilege when allowing server-to-server communication across the
firewall. We've attempted to enumerate all services necessary for Active
Directory replication, and at the firewall accommodate only those
protocols from the general government servers to the LE servers. This
has proven difficult, especially when addressing RPC-style services.
Certain administrative scripts that make WMI calls, resulting in RPC
communications won't run.

Also, connections to the LE servers for drive mappings, RDP, and other
administrative protocols are restricted to specific general government
network addresses. 

All this amounts to some hardship for Windows server administrators.
Their position is that all communications between servers should be
allowed. They argue that if the general government domain controller is
"owned", no firewall restrictions will prevent an attacker from having
his way with the LE server. In their view, the principle of least
privilege is nonsense. Instead, a restriction is only justified if a
specific benefit can be enumerated.

I'm not quite sure how to answer them, and would appreciate any input on
this subject.

In practice, what specific scenarios justify the restrictions we've
placed on communications between these servers?

Philosophically, what logical arguments support the principle of least
privilege in the environment I've described?

Thanks for your input,

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA