Firewall Wizards mailing list archives
Re: W2K Schema Master in the DMZ?
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Sun, 23 Jun 2002 14:15:25 +0200
Mikael Olsson wrote:
Since a successful attack against a controller further down in the tree can invalidate all authentication and authorization mechanisms in the whole tree [...]
I suppose I ought to head off "YOU CAN'T POSSIBLY BE RIGHT" responses. Before telling me how utterly wrong I am, read this page:

http://www.aelita.com/solutions/ADSecurity/SIDH_implications.htm

It does a good job of explaining the "SID History" vulnerability (which is now fixed) and also the non-fixable vulnerabilities made public right around the same time.

Make special note of this quote toward the end:

"Thus, a domain can no longer be considered a security boundary. An Active Directory forest is a real security boundary for safe data and services administration. One has to trust all domain administrators in a forest."
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

(and, obviously, the physical security of all servers and workstations that said domain admins log on to, since they all cache their passwords locally. ... or how else do you think the workstations verify passwords when doing cached logons when they can't find the domain controller? :))

Oh well, enough butt-covering. We now return you to the regular mailing list programming of flames, slander, off-topic postings, unfounded speculation, product propaganda and noise in general. :)

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
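Editor's added example, not part of the message above or of the page it links to: a PowerShell audit of the two exposures the post names, accounts still carrying SID History and workstations that cache domain logons, plus the trust-level fix the post refers to as "now fixed" (SID filtering). It assumes a domain-joined Windows host with the RSAT ActiveDirectory module installed and an account that can read the directory and the local Winlogon key; the "sensitive RID" list and the default of 10 cached logons are the editor's assumptions about current Windows behaviour, not something the post states.

```powershell
# Added example (editor's code, not from the original post).
# Assumes: RSAT ActiveDirectory module present; caller can read AD objects,
# trust objects and HKLM:\...\Winlogon on this machine.
Import-Module ActiveDirectory

# 1. Every principal in the current domain whose sIDHistory is populated.
#    Each SID listed here is presented in the account's token in addition
#    to its real SID, so a stale entry that matches a privileged group in
#    another domain silently grants that group's access.
function Get-SidHistoryReport {
    $withHistory = Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, objectClass
    foreach ($obj in $withHistory) {
        foreach ($sid in $obj.sIDHistory) {
            $sidText = "$sid"   # SecurityIdentifier -> S-1-5-21-... string
            [pscustomobject]@{
                Object    = $obj.DistinguishedName
                Class     = $obj.objectClass
                OldSID    = $sidText
                # Assumed well-known RIDs: 500 = built-in Administrator,
                # 512 = Domain Admins, 518 = Schema Admins, 519 = Enterprise Admins
                Sensitive = ($sidText -match '-(500|512|518|519)$')
            }
        }
    }
}

# 2. SID filtering state on every trust the domain has. Quarantine (external
#    trusts) and forest-aware filtering (forest trusts) strip foreign SIDs
#    from incoming tokens, which is what closed the cross-domain SID History
#    abuse the post refers to. A $false here means the trust is still open.
function Get-TrustSidFilteringReport {
    Get-ADTrust -Filter * |
        Select-Object Name, Direction, TrustType,
                      SIDFilteringQuarantined, SIDFilteringForestAware
}

# 3. How many domain logons this workstation keeps locally. Any value above 0
#    means a verifier for each recent domain user who logged on here, domain
#    admins included, lives on this machine's disk and travels with the box.
function Get-CachedLogonCount {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
              -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $value) { return 10 }   # key absent: assumed Windows default of 10
    return [int]$value
}

# Usage
Get-SidHistoryReport        | Format-Table -AutoSize
Get-TrustSidFilteringReport | Format-Table -AutoSize
"CachedLogonsCount on $env:COMPUTERNAME = $(Get-CachedLogonCount)"
```

The first report is the one to act on: clearing sIDHistory after a migration is finished removes the foreign SIDs, and the second report tells you whether a trust would honour such SIDs at all. The third is a per-machine check; set CachedLogonsCount to 0 on hosts where you cannot accept that a stolen disk carries a domain admin's cached verifier, at the cost of no offline logons.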
Current thread:
- W2K Schema Master in the DMZ? david singleton (Jun 22)
- Re: W2K Schema Master in the DMZ? Mikael Olsson (Jun 24)
- Re: W2K Schema Master in the DMZ? Mikael Olsson (Jun 24)
- <Possible follow-ups>
- Re: W2K Schema Master in the DMZ? Mikael Olsson (Jun 25)
- Re: W2K Schema Master in the DMZ? Mikael Olsson (Jun 24)