Security Basics mailing list archives
RE: Least privilege vs Windows server security
From: "Scott Ramsdell" <Scott.Ramsdell () cellnet com>
Date: Fri, 13 Jul 2007 16:00:39 -0400
Dan,

In troubleshooting why the WMI scripts fail, have you found in the Event Viewer that no domain controller was available? If so, I would wonder if the two IP networks are defined within Active Directory Sites and Services. Each DC would then be configured as the bridgehead for communications within each site. Each DC would also be configured to be the global catalog for the site it resides in. This would allow the servers to authenticate the service account running the WMI script against their local (based on Site) DC. DC to DC replication would then also be defined within AD Sites and Services. It sounds like you've already enumerated the necessary ports to open on the firewall for replication.

If you want to restrict the LE network further, create a new domain for it. Then enable a trust with the general domain and assign explicit rights to the groups from the general domain to resources in the LE domain utilizing Universal groups.

"All communications between servers should be allowed" is something I encountered often in administration. That contention demonstrates a complete lack of understanding, and is made simply to justify making things easy for the admins.

Kind Regards,
Scott Ramsdell
CISSP, CCNA, MCSE Security
Network Engineer

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Dan Lynch
Sent: Thursday, July 12, 2007 1:48 PM
To: security-basics () securityfocus com; firewalls () securityfocus com
Subject: Least privilege vs Windows server security

Greetings list,

I'm looking for opinions on an issue of contention in our organization. Our enterprise is made up of two networks - one for general government departments, and another for law enforcement related departments. The users, Windows file servers, and MS Exchange servers of both networks are members of the same MS Active Directory domain. A file server, an Exchange server, and a domain controller sit on each network.

The LE network requires stronger data security measures as it also includes non-member servers that hold highly sensitive data. These are the crown jewels, and the LE network is therefore behind a firewall from our general government network. The entire system is in production and running with a few administrative and functional limitations.

We've tried to follow the principle of least privilege when allowing server-to-server communication across the firewall. We've attempted to enumerate all services necessary for Active Directory replication, and at the firewall accommodate only those protocols from the general government servers to the LE servers. This has proven difficult, especially when addressing RPC-style services. Certain administrative scripts that make WMI calls, resulting in RPC communications, won't run. Also, connections to the LE servers for drive mappings, RDP, and other administrative protocols are restricted to specific general government network addresses.

All this amounts to some hardship for Windows server administrators. Their position is that all communications between servers should be allowed. They argue that if the general government domain controller is "owned", no firewall restrictions will prevent an attacker from having his way with the LE server. In their view, the principle of least privilege is nonsense. Instead, a restriction is only justified if a specific benefit can be enumerated.

I'm not quite sure how to answer them, and would appreciate any input on this subject. In practice, what specific scenarios justify the restrictions we've placed on communications between these servers? Philosophically, what logical arguments support the principle of least privilege in the environment I've described?

Thanks for your input,

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
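The Sites and Services setup Scott describes (one site per network, the DC in each site as global catalog and bridgehead, a single site link for replication) as an added example; this is not code from either post. It uses the ActiveDirectory PowerShell module that ships with Windows Server 2012 and later rather than the dssite.msc console of the 2007 thread, and the site names, subnets, DC names, server name LEFS01 and domain contoso.example are assumptions.

```powershell
# Added example, not from the thread: register the two networks as AD sites so
# that every member server authenticates against the DC on its own side of the
# firewall, and only the two bridgeheads need replication ports opened.
# Assumed names: sites "General" and "LE", subnets 10.10.0.0/16 and 10.20.0.0/16,
# DCs GOVDC01 and LEDC01, LE file server LEFS01, domain contoso.example.
Import-Module ActiveDirectory

$sites = @{ 'General' = '10.10.0.0/16'; 'LE' = '10.20.0.0/16' }   # assumed
$dcs   = @{ 'General' = 'GOVDC01';      'LE' = 'LEDC01' }          # assumed

# 1. One site per network, with its subnet attached. A server whose address is
#    not covered by a subnet falls into Default-First-Site-Name and may pick the
#    DC on the far side of the firewall, which is the WMI/RPC failure mode.
foreach ($name in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) {
        New-ADReplicationSite -Name $name
    }
    New-ADReplicationSubnet -Name $sites[$name] -Site $name
}

# 2. Move each DC into its site, mark it as a global catalog (NTDS Settings
#    'options' bit 0) and make it the preferred IP bridgehead for the site.
$configNC    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"
foreach ($siteName in $dcs.Keys) {
    $dc = Get-ADDomainController -Identity $dcs[$siteName]
    if ($dc.Site -ne $siteName) {
        Move-ADDirectoryServer -Identity $dc.Name -Site $siteName
    }
    Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = 1 }
    # The server object is the parent of its NTDS Settings object.
    $serverDn = $dc.NTDSSettingsObjectDN -replace '^CN=NTDS Settings,', ''
    Set-ADObject -Identity $serverDn -Replace @{ bridgeheadTransportList = $ipTransport }
}

# 3. One IP site link between the sites. Inter-site replication now flows only
#    GOVDC01 <-> LEDC01, so the firewall rule set can be scoped to that pair.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'General-LE'")) {
    New-ADReplicationSiteLink -Name 'General-LE' -SitesIncluded 'General','LE' `
        -InterSiteTransportProtocol IP -Cost 100 -ReplicationFrequencyInMinutes 15
}

# 4. Verification from the LE side: the member server should report site "LE"
#    and the locator should return LEDC01 for that site. If it still logs
#    "no domain controller available", check subnet coverage before the firewall.
nltest /server:LEFS01 /dsgetsite
nltest /dsgetdc:contoso.example /site:LE /force
```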