Security Basics mailing list archives

Re: Least privilege vs Windows server security


From: Bill Stout <billbrietstout () yahoo com>
Date: Fri, 20 Jul 2007 19:31:34 -0700 (PDT)

I'm not sure that the firewall buys you much. You have one administrative domain which spans a firewall, and one side 
has more sensitive info. Domain resources can be enumerated from the less secure side, and password guessing can be 
done from the less secure side. 

Maybe the firewall blocks direct network access to specific law resources, but it does nothing for indirect methods 
which don't require a direct network path (such as through mapped drives or user shell commands sent to accessible 
servers to access blocked server resources). I'm not sure how you're referring to 'Least Privilege' in the context of a 
Microsoft environment. In a Microsoft environment even the scheduler can escalate your privileges: open a command 
window and open your task manager - you'll see the process tab show cmd.exe running as you (with limited privileges). 
In your command window type 'at 19:21 /interactive cmd.exe' (instead of 19:21 add a minute to your current time). After 
the new command window pops up, task manager will show the second command window is running with SYSTEM privilege. You 
can do this on remote computers as well. 

Possibly you might want to consider making each side a separate sub-domain (isolate user accounts into their own OUs). 
Also you may want to consider using gateway devices instead of a firewall (reverse proxies, OWA, etc). You can choose 
to treat the sites as separate Internet sites, and use SMTP for Exchange, and helo instead of ehlo. This would be 
helpful if one of the groups moved to a different building or city. 

I believe I'm agreeing with the other responses but with different verbiage. 

Bill Stout 


----- Original Message ---- 
From: Dan Lynch <DLynch () placer ca gov> 
To: security-basics () securityfocus com; firewalls () securityfocus com 
Sent: Thursday, July 12, 2007 11:47:47 AM 
Subject: Least privilege vs Windows server security 


Greetings list, 

I'm looking for opinions on an issue of contention in our organization. 
Our enterprise is made up of two networks - one for general government 
departments, and another for law enforcement related departments. 

The users, Windows file servers, and MS Exchange servers of both 
networks are members of the same MS Active Directory domain. A file 
server, an Exchange server, and a domain controller sit on each network. 
The LE network requires stronger data security measures as it also 
includes non-member servers that hold highly sensitive data. These are 
the crown jewels, and the LE network is therefore behind a firewall from 
our general government network. 

The entire system is in production and running with a few administrative 
and functional limitations. We've tried to follow the principle of least 
privilege when allowing server-to-server communication across the 
firewall. We've attempted to enumerate all services necessary for Active 
Directory replication, and at the firewall accommodate only those 
protocols from the general government servers to the LE servers. This 
has proven difficult, especially when addressing RPC-style services. 
Certain administrative scripts that make WMI calls, resulting in RPC 
communications won't run. 

Also, connections to the LE servers for drive mappings, RDP, and other 
administrative protocols are restricted to specific general government 
network addresses. 

All this amounts to some hardship for Windows server administrators. 
Their position is that all communications between servers should be 
allowed. They argue that if the general government domain controller is 
"owned", no firewall restrictions will prevent an attacker from having 
his way with the LE server. In their view, the principle of least 
privilege is nonsense. Instead, a restriction is only justified if a 
specific benefit can be enumerated. 

I'm not quite sure how to answer them, and would appreciate any input on 
this subject. 

In practice, what specific scenarios justify the restrictions we've 
placed on communications between these servers? 

Philosophically, what logical arguments support the principle of least 
privilege in the environment I've described? 

Thanks for your input, 

Dan Lynch, CISSP 
Information Technology Analyst 
County of Placer 
Auburn, CA
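One concrete way to answer Dan's "what specific scenarios justify the restrictions" question is to model the two networks and compare how many LE endpoints a compromised general-government host can reach under the admins' allow-everything position versus the restricted rule set. This is an added example, not code from the thread; the host names, the single designated admin address, and the exact rule set are assumptions for illustration.

```python
# Added example (not from the thread): compare the LE attack surface exposed by
# an unrestricted firewall against the least-privilege rule set the post describes.
# Host names and the rule set are assumptions constructed for illustration.
from itertools import product

# Constructed inventory: host -> network. "le-vault" stands in for the non-member
# servers holding the sensitive data; the rest mirrors the post.
HOSTS = {
    "gg-dc": "gg", "gg-fs": "gg", "gg-exch": "gg",
    "gg-admin-ws": "gg", "gg-user-ws": "gg",
    "le-dc": "le", "le-fs": "le", "le-exch": "le", "le-vault": "le",
}
SERVICES = ("ad-repl", "smb", "rdp", "wmi-rpc")

# A rule is (allowed sources, allowed destinations, allowed services).
# The admins' position: no cross-firewall restriction at all.
ALLOW_ALL = [(set(HOSTS), set(HOSTS), set(SERVICES))]

# Least privilege as the post describes it (assumed specifics): AD replication only
# between the member servers, RDP/SMB/WMI only from one designated admin address,
# and no firewall path from the GG side to the sensitive non-member servers.
LEAST_PRIVILEGE = [
    ({"gg-dc", "gg-fs", "gg-exch"}, {"le-dc", "le-fs", "le-exch"}, {"ad-repl"}),
    ({"gg-admin-ws"}, {"le-dc", "le-fs", "le-exch"}, {"smb", "rdp", "wmi-rpc"}),
]


def allowed(policy, src, dst, svc):
    """Traffic within one network never crosses the firewall; across it, a rule must match."""
    if HOSTS[src] == HOSTS[dst]:
        return True
    return any(src in s and dst in d and svc in v for s, d, v in policy)


def le_exposure(policy, src):
    """LE (host, service) pairs that a compromised 'src' can reach directly."""
    return {(d, v) for d, v in product(HOSTS, SERVICES)
            if HOSTS[d] == "le" and allowed(policy, src, d, v)}


def exposure_summary(policy):
    """Blast radius per GG host: how many LE endpoints its compromise exposes."""
    return {h: len(le_exposure(policy, h)) for h in HOSTS if HOSTS[h] == "gg"}


if __name__ == "__main__":
    for name, pol in (("allow-all", ALLOW_ALL), ("least-privilege", LEAST_PRIVILEGE)):
        print(name, exposure_summary(pol))
```

The model only covers the network layer; Bill's point that one administrative domain spans the firewall is exactly the layer it leaves out, which is why the restricted rule set shrinks the exposure of an ordinary user workstation to zero but cannot shrink what a domain-level compromise can do through the replication path.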

