As Cary mentioned, I don't tell people how to hack AD, not customers nor
coworkers nor even other MVPs even if people ask me really nice. I let the
people who think about it work it out. If you understand how everything is put
together it really isn't all that difficult, it is just a series of escalations
until you are sitting there with Enterprise Admins rights. Luckily, most folks
aren't willing to figure that out, especially script kids. If some worms/viruses
decided to target AD a lot of companies would be in some serious trouble because
people for the most part don't really understand what they are working with and
allow too many people to have too many rights and do admin work in very stupid
ways. Anyone reading this that logs into their workstations with their domain
admin IDs to do their work, yes I am talking to you. Safest way to work is to
always use a normal userid for as much troubleshooting as possible; when you
need to actually change something, you use runas to get an admin context command
prompt and do the work. You avoid logging directly into DCs as well, either at
the console or through TS; I would say 98% of the admin work anyone has to do in
AD doesn't need local interactive sessions.
The main key that acc ops have is that by default they have interactive access
to the DC which puts them past a majority of the security barriers put into
place. Windows is designed more to keep people outside of the house not so much
to keep those inside the house from getting into the bathroom or top left
dresser drawer where your wife keeps her unmentionables. When I run AD domains,
haven't for a while as I am a consultant now, there are only about 3 native
Admins in the entire forest and no one else has access rights to the DCs. The
last company I did this for had 400 DCs and about 250,000 users. We had 3 admins
across the entire forest and one manager with an admin ID. That is the smoothest
running forest I have ever seen in any company anywhere. Recently I went to
lunch with my old team and we all sat and chatted for about 3.5 hours, their
pagers never went off. They told me that they have very very few issues, all
tickets coming in were primarily implementation of new stuff or deprovisioning
of old stuff. They have one huge possible security hole in terms of WAN based
DCs which are a serious target if someone really wanted to attack but they are
quite aware of DC outages and monitor key items very closely that would
indicate a possible hack attempt. Plus those guys are some of the most
knowledgeable folks I know in Ops for AD having worked with me for 3 or so
years. It would take a decent hacker to get past them. I actually wouldn't mind
trying to see if I could get by them, I think they could probably catch me, but
I am not sure if they could do it before I did irreparable damage. ;o)
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
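The working pattern described above (an ordinary account for day-to-day work, runas for the admin context, and only a handful of accounts in the sensitive groups) as an added PowerShell check; this is example code, not from the post or from joeware, and it assumes a domain-joined Windows host with PowerShell 5.1 or later, a reachable DC, and only the .NET AccountManagement classes (no RSAT module).

```powershell
# Added example, not code from the post: audit the group memberships this
# thread is about. Assumes a domain-joined Windows host, PowerShell 5.1+,
# and a DC reachable for LDAP; only .NET AccountManagement is used (no RSAT).
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

# Groups discussed in the thread, identified by well-known SID type rather
# than by name so renamed or non-English groups are still matched.
$WatchedGroups = [ordered]@{
    'Domain Admins'     = [System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid
    'Enterprise Admins' = [System.Security.Principal.WellKnownSidType]::AccountEnterpriseAdminsSid
    'Account Operators' = [System.Security.Principal.WellKnownSidType]::BuiltinAccountOperatorsSid
    'Administrators'    = [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid
}

# Is the account running this session a member (directly or nested) of any
# watched group? GetAuthorizationGroups reads tokenGroups from the DC, so a
# UAC-filtered token cannot hide the membership from this check.
function Test-SessionIsPrivileged {
    $me   = [System.DirectoryServices.AccountManagement.UserPrincipal]::Current
    $hits = foreach ($g in $me.GetAuthorizationGroups()) {
        foreach ($name in $WatchedGroups.Keys) {
            if ($g.Sid.IsWellKnown($WatchedGroups[$name])) { $name }
        }
    }
    [pscustomobject]@{ User = $me.SamAccountName; PrivilegedGroups = @($hits | Sort-Object -Unique) }
}

# How many accounts end up in each watched group once nesting is expanded?
# The forest described above ran with three; anything much larger deserves a look.
function Get-WatchedGroupSizes {
    $ctx       = New-Object System.DirectoryServices.AccountManagement.PrincipalContext 'Domain'
    $domainSid = [System.DirectoryServices.AccountManagement.UserPrincipal]::Current.Sid.AccountDomainSid
    foreach ($name in $WatchedGroups.Keys) {
        # Domain-relative types need the domain SID; it is ignored for BUILTIN types.
        $sid   = New-Object System.Security.Principal.SecurityIdentifier $WatchedGroups[$name], $domainSid
        $group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($ctx, 'Sid', $sid.Value)
        if ($null -eq $group) { continue }   # Enterprise Admins only exists in the forest root domain
        [pscustomobject]@{ Group = $name; Members = @($group.GetMembers($true)).Count }
    }
}

# Run from the ordinary account you do day-to-day work with.
$session = Test-SessionIsPrivileged
if ($session.PrivilegedGroups.Count -gt 0) {
    Write-Warning "$($session.User) holds $($session.PrivilegedGroups -join ', '); do admin work via runas instead"
}
Get-WatchedGroupSizes | Format-Table -AutoSize
# Admin work then runs in a separate context started from this normal session, e.g.:
#   runas /user:DOMAIN\adm-jsmith cmd.exe     (DOMAIN\adm-jsmith is a placeholder admin ID)
```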
Post by Matt
Thanks for all the responses. I will have a look at delegation when I get a
chance. Yes our helpdesk users were account operators from our NT days and
it seemed convenient. We have about five OUs at the top level and I was
hoping to avoid having to delegate permissions on each OU (tree) and the
subsequent job of managing and troubleshooting delegation.
I was interested in the comment "if the acc ops are bright enough, they can
give themselves Domain and Enterprise Admin rights anyway. That is why you
want to use delegated accounts for AD data admins." How can they do this?
They do not appear to have access to their own accounts or anything above.
Obviously I do not want them to be able to do this (although I think that I
am safe with our helpdesk) so am interested in how they can do it.
Thanks.