Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Firewalls
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Least privilege vs Windows server security

from [Bill Stout] Network Security [Permanent Link]
Subject: Re: Least privilege vs Windows server security
Date: Fri, 20 Jul 2007 19:31:34 -0700 (PDT) 
I'm not sure that the firewall buys you much. You have one administrative 
domain which spans a firewall, and one side has more sensitive info. Domain 
resources can be enumerated from the less secure side, and password guessing 
can be done from the less secure side. 

Maybe the firewall blocks direct network access to specific law resources, but 
it does nothing for indirect methods which don't require a direct network path 
(such as through mapped drives or user shell commands sent to accessible 
servers to access blocked server resources). I'm not sure how you're referring 
to 'Least Privilege' in the context of a Microsoft environment. In a Microsoft 
environment even the scheduler can escalate your privileges: open a command 
window and open your task manager - you'll see the process tab show cmd.exe 
running as you (with limited privileges). In your command window type 'at 19:21 
/interactive cmd.exe' (instead of 19:21 add a minute to your current time). 
After the new command window pops up, task manager will show the second command 
window is running with SYSTEM privilege. You can do this on remote computers as 
well. 

Possibly you might want to consider making each side a separate sub-domain 
(isolate user accounts into their own OUs). Also you may want to consider using 
gateway devices instead of a firewall (reverse proxies, OWA, etc). You can 
choose to treat the sites as separate Internet sites, and use SMTP for 
Exchange, and helo instead of ehelo. This would be helpful if one of the groups 
moved to a different building or city. 

I believe I'm agreeing with the other responses but with different verbage. 

Bill Stout 


----- Original Message ---- 
From: Dan Lynch <DLynch@placer.ca.gov> 
To: security-basics@securityfocus.com; firewalls@securityfocus.com 
Sent: Thursday, July 12, 2007 11:47:47 AM 
Subject: Least privilege vs Windows server security 


Greetings list, 

I'm looking for opinions on an issue of contention in our organization. 
Our enterprise is made up of two networks - one for general government 
departments, and another for law enforcement related departments. 

The users, Windows file servers, and MS Exchange servers of both 
networks are members of the same MS Active Directory domain. A file 
server, an Exchange server, and a domain controller sit on each network. 
The LE network requires stronger data security measures as it also 
includes non-member servers that hold highly sensitive data. These are 
the crown jewels, and the LE network is therefore behind a firewall from 
our general government network 

The entire system is in production and running with a few administrative 
and functional limitations. We've tried to follow the principle of least 
privilege when allowing server-to-server communication across the 
firewall. We've attempted to enumerate all services necessary for Active 
Directory replication, and at the firewall accommodate only those 
protocols from the general government servers to the LE servers. This 
has proven difficult, especially when addressing RPC-style services. 
Certain administrative scripts that make WMI calls, resulting in RPC 
communications won't run. 

Also, connections to the LE servers for drive mappings, RDP, and other 
administrative protocols are restricted to specific general government 
network addresses. 

All this amounts to some hardship for Windows server administrators. 
Their position is that all communications between servers should be 
allowed. They argue that if the general government domain controller is 
"owned", no firewall restrictions will prevent an attacker from having 
his way with the LE server. In their view, the principle of least 
privilege is nonsense. Instead, a restriction is only justified if a 
specific benefit can be enumerated. 

I'm not quite sure how to answer them, and would appreciate any input on 
this subject. 

In practice, what specific scenarios justify the restrictions we've 
placed on communications between these servers? 

Philosophically, what logical arguments support the principle of least 
privilege in the environment I've described? 

Thanks for your input, 

Dan Lynch, CISSP 
Information Technology Analyst 
County of Placer 
Auburn, CA
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Least privilege vs Windows server security, Scott Ramsdell
Next by Date:  GB firewall, brahsha
Previous by Thread:  RE: Least privilege vs Windows server security, Scott Ramsdell
Next by Thread:  CFP now open for ClubHack, India's own hackers' convention, RS
Indexes:  [Date] [Thread] [Top] [All Lists]