Monthly Archives: May 2014

When is a user definitely deleted/disabled?

I read some news a while ago which inspired me to write this post.

http://www.darkreading.com/deactivated-user-accounts-die-hard/d/d-id/1251034
http://www.securityweek.com/windows-authentication-protocol-allows-deactivated-user-accounts-live-report

It’s about a flaw in Kerberos and how Windows handles user account revocation. The flaw makes it possible for a user to have access to systems up to 10 hours after the account has been disabled, deleted or locked out.

This is not exactly news, and I believe that the 10 hours could be much longer if you look outside Kerberos and take replication convergence into consideration.

When a user is deleted, disabled or locked out, this has to be replicated to all replicas in the domain, meaning all the DCs need to be updated with this information.

Loopback processing recommendations

A great two-part blog series about loopback processing of Group Policy.

http://blogs.technet.com/b/askds/archive/2013/02/08/circle-back-to-loopback.aspx
http://blogs.technet.com/b/askds/archive/2013/05/21/back-to-the-loopback-troubleshooting-group-policy-loopback-processing-part-2.aspx

Here is a quick summary of a few recommendations that are not official best practices (but maybe they should be).

  1. Don’t use loopback  🙂
  2. Use a separate GPO for the loopback setting; ONLY include the loopback setting in this GPO, and do not include the user settings.  Name it Loopback-Merge or Loopback-Replace depending on the mode.
  3. Avoid custom security filtering if you can help it.
  4. Don’t enable loopback in a GPO linked at the domain level!
  5. Always test in a representative environment prior to deploying loopback in production.

Even though this is a year-old post, I wanted to help spread the word because there are still some crazy GPO configurations out there, and why not try to keep it simple 🙂

 

Why do you need Domain Admin?

I was thinking of starting a new category in my blog called “You don’t need Domain Admin”.

I will use this to gather info about delegation from Active Directory out to the client in different cases and needs.

I personally think delegation of roles and responsibility is an important part of securing the infrastructure. If everybody has access to everything, or has the ability to gain access to everything on their own, well, then the security is gone.

I will start with something that I see almost everywhere and that can never be justified once you start talking about it. One of the first things I look at when I’m in a new AD environment is the high-privileged group memberships. There are always so many user and service account members that I fall off my chair, and when I get up and ask about it I always get the same answers.

Admin privileges

A short note about Administrator account privileges.

I guess you have noticed that as an administrator (local or domain) you always have the possibility to take ownership of files, folders and objects in AD. Even if you don’t have any ACEs specified on that folder, you always have the privilege to take ownership and change the ACLs.

Here’s the magic: the privilege. All users in a Windows network have the privilege to do something, e.g. log on to a computer, shut down a computer, change the system time. Privileges differ from access rights in two ways.