RE: Least privilege vs Windows server security

["Scott Ramsdell" <Scott.Ramsdell () cellnet com>]

Dan,

In troubleshooting why the WMI scripts fail, have you found in the Event Viewer than no domain controller was available?

If so, I would wonder if the two IP networks are defined within Active Directory Sites and Services.  Each DC would 
then be configured as the bridgehead for communications within each site.  Each DC would also be configured to be the 
global catalog for the site it resides in.

This would allow the servers to authenticate the service account running the WMI script against their local (based on 
Site) DC.

DC to DC replication would then also be defined within AD Sites and Services.  It sounds like you've already enumerated 
the necessary ports to open on the firewall for replication.

If you want to restrict the LE network further, create a new domain for it.  Then enable a trust with the general 
domain and assign explicit rights to the groups from the general domain to resources in the LE domain utilizing 
Universal groups.

"All communications between servers should be allowed" is something I encountered often in administration.  That 
contention demonstrates a complete lack of understanding, and is made simply to justify making things easy for the 
admins.

Kind Regards,
 
Scott Ramsdell
CISSP, CCNA, MCSE
Security Network Engineer


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Dan Lynch
Sent: Thursday, July 12, 2007 1:48 PM
To: security-basics () securityfocus com; firewalls () securityfocus com
Subject: Least privilege vs Windows server security

Greetings list,

I'm looking for opinions on an issue of contention in our organization.
Our enterprise is made up of two networks - one for general government
departments, and another for law enforcement related departments. 

The users, Windows file servers, and MS Exchange servers of both
networks are members of the same MS Active Directory domain. A file
server, an Exchange server, and a domain controller sit on each network.
The LE network requires stronger data security measures as it also
includes non-member servers that hold highly sensitive data. These are
the crown jewels, and the LE network is therefore behind a firewall from
our general government network

The entire system is in production and running with a few administrative
and functional limitations. We've tried to follow the principle of least
privilege when allowing server-to-server communication across the
firewall. We've attempted to enumerate all services necessary for Active
Directory replication, and at the firewall accommodate only those
protocols from the general government servers to the LE servers. This
has proven difficult, especially when addressing RPC-style services.
Certain administrative scripts that make WMI calls, resulting in RPC
communications won't run.

Also, connections to the LE servers for drive mappings, RDP, and other
administrative protocols are restricted to specific general government
network addresses. 

All this amounts to some hardship for Windows server administrators.
Their position is that all communications between servers should be
allowed. They argue that if the general government domain controller is
"owned", no firewall restrictions will prevent an attacker from having
his way with the LE server. In their view, the principle of least
privilege is nonsense. Instead, a restriction is only justified if a
specific benefit can be enumerated.

I'm not quite sure how to answer them, and would appreciate any input on
this subject.

In practice, what specific scenarios justify the restrictions we've
placed on communications between these servers?

Philosophically, what logical arguments support the principle of least
privilege in the environment I've described?

Thanks for your input,

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA