Security Basics mailing list archives
RE: Least privilege vs Windows server security
From: "Ackley, Alex" <aackley () epmgpc com>
Date: Fri, 13 Jul 2007 12:08:06 -0400
Assuming you've applied basic security measures on the Government side of the network; then you're doing exactly as you should. The idea is nothing is going to stop anything if a DC is "owned." But this is only if someone acquires enterprise admin access to the DC. If the network is compromised, with anything less than admin privs, then your precautions in segmenting the network come into play and prevent further data breaches. On top of that; the majority of data theft and breaches happen from within the organization by limiting the exchange of information between the two networks you're reducing the attack surface that an insider would have access to. Also, by segmenting and limiting through the firewall you're hopefully generating logs which can be further analyzed for lots of things. Such as seeing if unauthorized attempts are being made to get to the LE side; in the event of a breach it should also be logging who is gaining or attempting to gain access making it easier to track down the problem. I'm sure others will come up with even more reasons but it basically comes down the fact that you're doing the correct thing. Least privilege is almost always the right thing. Alex Ackley, CISSP, GSEC Security Administrator EPMG, PC -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Dan Lynch Sent: Thursday, July 12, 2007 2:48 PM To: security-basics () securityfocus com; firewalls () securityfocus com Subject: Least privilege vs Windows server security Greetings list, I'm looking for opinions on an issue of contention in our organization. Our enterprise is made up of two networks - one for general government departments, and another for law enforcement related departments. The users, Windows file servers, and MS Exchange servers of both networks are members of the same MS Active Directory domain. A file server, an Exchange server, and a domain controller sit on each network. The LE network requires stronger data security measures as it also includes non-member servers that hold highly sensitive data. These are the crown jewels, and the LE network is therefore behind a firewall from our general government network The entire system is in production and running with a few administrative and functional limitations. We've tried to follow the principle of least privilege when allowing server-to-server communication across the firewall. We've attempted to enumerate all services necessary for Active Directory replication, and at the firewall accommodate only those protocols from the general government servers to the LE servers. This has proven difficult, especially when addressing RPC-style services. Certain administrative scripts that make WMI calls, resulting in RPC communications won't run. Also, connections to the LE servers for drive mappings, RDP, and other administrative protocols are restricted to specific general government network addresses. All this amounts to some hardship for Windows server administrators. Their position is that all communications between servers should be allowed. They argue that if the general government domain controller is "owned", no firewall restrictions will prevent an attacker from having his way with the LE server. In their view, the principle of least privilege is nonsense. Instead, a restriction is only justified if a specific benefit can be enumerated. I'm not quite sure how to answer them, and would appreciate any input on this subject. In practice, what specific scenarios justify the restrictions we've placed on communications between these servers? Philosophically, what logical arguments support the principle of least privilege in the environment I've described? Thanks for your input, Dan Lynch, CISSP Information Technology Analyst County of Placer Auburn, CA
Current thread:
- Least privilege vs Windows server security Dan Lynch (Jul 13)
- RE: Least privilege vs Windows server security Ackley, Alex (Jul 13)
- RE: Least privilege vs Windows server security Scott Ramsdell (Jul 16)
- <Possible follow-ups>
- Re: Least privilege vs Windows server security rmbarnesusa (Jul 13)
- RE: Least privilege vs Windows server security dave kleiman (Jul 17)
- Re: Least privilege vs Windows server security Bill Stout (Jul 23)