Firewall Wizards mailing list archives

Re: W2K Schema Master in the DMZ?


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Sun, 23 Jun 2002 14:15:25 +0200



Mikael Olsson wrote:

Since a successful attack against a controller further down in the
tree can invalidate all authentication and authorization mechanisms
in the whole tree [...]

I suppose I ought to head off "YOU CAN'T POSSIBLY BE RIGHT" responses.

Before telling me how utterly wrong I am, read this page:
http://www.aelita.com/solutions/ADSecurity/SIDH_implications.htm
It does a good job of explaining the "SID History" vulnerability
(which is now fixed) and also the non-fixable vulnerabilities 
made public right around the same time.

Make special note of this quote toward the end:
"Thus, a domain can no longer be considered a security boundary. 
 An Active Directory forest is a real security boundary for safe 
 data and services administration. 
 One has to trust all domain administrators in a forest."
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

 (and, obviously, the physical security of all servers and
  workstations that said domain admins log on to, since they
  all cache their passwords locally. ... or how else do you think
  the workstations verify passwords when doing cached logons
  when they can't find the domain controller? :))


Oh well, enough butt-covering. We now return you to the regular
mailing list programming of flames, slander, off-topic postings,
unfounded speculation, product propaganda and noise in general. :)

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
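Two of the conditions the message above points at are easy to audit from a defender's side: which principals in the forest still carry a sIDHistory value (the attribute behind the "SID History" issue the post links to), and how many domain logons a given workstation caches for offline verification (the local credential cache the post mentions). The following PowerShell is an added example and is not code from the original post or from Clavister; it assumes the RSAT ActiveDirectory module is installed, that the machine is domain-joined, and that the running account can read sIDHistory.

```powershell
# Added example, not part of the original mailing list post.
# Assumes: RSAT ActiveDirectory module present, domain-joined host,
# and an account permitted to read the sIDHistory attribute.
Import-Module ActiveDirectory

# 1. Every object that still has sIDHistory populated. Each value is a SID
#    from another domain that this principal is additionally treated as,
#    so the list should be short and each entry should have a known reason.
$withSidHistory = Get-ADObject -LDAPFilter '(sIDHistory=*)' `
    -Properties sIDHistory, objectClass |
    Select-Object Name, objectClass, DistinguishedName,
        @{ Name = 'SIDHistory'
           Expression = { ($_.sIDHistory | ForEach-Object { $_.Value }) -join ';' } }

if ($withSidHistory) {
    $withSidHistory | Format-Table -AutoSize
} else {
    'No objects with sIDHistory found.'
}

# 2. Number of domain logons this workstation keeps cached for use when no
#    domain controller is reachable. The registry value is a REG_SZ; when it
#    is absent Windows uses its default of 10, and 0 disables caching.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
           -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '10 (default, value not set)' }
"CachedLogonsCount on $env:COMPUTERNAME = $cached"
```

Run the first part from any domain member with RSAT; the second part reports on the machine it is executed on, so it is the one to run on the workstations that domain administrators actually log on to, which is the point the post makes about physical security of those hosts.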

