There is a company called ScriptLogic which makes various tools including various AD Management and Security tools. I have never really looked into them as they have nothing that calls to me that I couldn’t just put together myself or already have put together for myself.
In a recent set of newsgroup posts, though, a couple of their support analysts called attention to themselves. Someone was asking the question in the newsgroups… “Hey, I want to give out Admin rights on a DC but I don’t want the folks with those rights to have rights in AD, how do I do this?”
The answer, of course, is you can’t. If someone has admin rights on a DC, they can do whatever they want in AD. Without getting into details[1], that is just the way it works, and that is the way it will work for some time. It isn’t rocket science to do it, it is quite basic, and getting from there to Enterprise Admins, even across domains, isn’t that much higher of a step. If there were a way to lock this down, Microsoft would have 3 KB articles and a whitepaper or two describing how to do it; it is asked about enough to justify that kind of work… However, there isn’t any documentation because you can’t enforce that lockdown. They know it, we know it. The DS team is busting their balls working on a solution to try and help… The next version of Windows Server, currently code named Longhorn Server, has some added features to help with this exact scenario, though it still won’t solve the problem for all cases. It allows you to make a specific DC a read-only DC and then delegate administrative rights on that DC to someone not trustworthy enough to be a “real” admin. This doesn’t mean they can’t hurt anything, it simply means anything they hurt *should* be limited basically to that site, which is better than hurting the entire forest. Still not something I like a whole lot, but it is a huge step up from what we have now.
In every version of Windows Server up to Windows Server 2003 (yes, R2 too), if you have admin rights on a DC, you have control of the directory. You cannot lock the system down to prevent this. This is very well known at this point and should be a core-level item in everyone’s security thoughts/designs for Domain Controllers. Failure to come to terms with this fact and to deal with it can result in severe exposure of your domain and forest.
Well, enter Michael P. Perrault, MCSE, CCNA, A+, MBA and Senior Systems Engineer for ScriptLogic Corporation, saying just the opposite… That of course you can lock AD down to protect it from this kind of access. Thinking Michael was just a little confused, I corrected what he wrote; he doubled down and further said he had tested it in a VM… Of course I am sure what he did protected the system from him, but that doesn’t mean the system is safe from folks who understand AD/DC security. Some others jumped in and tried to point out the error of his ways as well, but Michael is adamant about being publicly incorrect. I am not sure whether I am more concerned that he refuses to say he doesn’t know or is wrong, or that he absolutely believes he knows what he is talking about. Either way, it isn’t good to see in people delivering and supporting administrative tools, especially when some apply to security. How can you properly produce/support security tools if you don’t understand the basic core concepts of the products you are producing tools for? I held out hope that maybe this was just one guy in the company who felt this way and maybe it was just luck of the draw, that the one person watching and responding to newsgroup posts was not as informed as he should be. Well, another ScriptLogic employee, a Matt Farr (title and certs not declared), jumped in trying to say the same thing… that as long as the user wasn’t a domain admin everything could be locked down…
No no no no no no no no no. If anyone who works for ScriptLogic reads this blog, PLEASE help these poor support folks along with understanding how AD security works. Best also to keep them out of the newsgroups, as I for one certainly can’t say I would be quick to jump into using ScriptLogic products now that I have seen the capabilities of a couple of the support folks. If someone from ScriptLogic wants to contact me, that is great, you can find the email address, I’m in the book. I would love to hear about any plans for correcting the knowledge level of your Senior Systems Engineers. One of my really good friends is an AD trainer who is the best in the business; you should pay triple to get him in ASAP for a week or three. He gets called in to help train MSFT ITG and PSS folks and teaches them a lot; your support folks would likely have brain overload.
joe
[1] This is something I refuse to detail. It is stupid to give out details on how to hack computer systems when there is no way to block the attacks. If someone is bright enough to figure it out, bully for them, but don’t publish the details, as a whole bunch of people who wouldn’t normally be able to figure it out won’t be playing with it then. The last thing we need is someone to produce some automated tool that will hack an AD if it figures out some “admin’s” userid has enough rights to get in because some DA was silly enough to give out the rights thinking it was safe. Yes, I agree security by obscurity sucks, but if you have nothing else you don’t have a whole lot of choice. The best thing DAs can do is lock down who can do what to a bare minimum (meaning NO rights on DCs to non-DAs).
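The practical mitigation above is to keep DC-level rights to a bare minimum, and the first step in doing that is knowing who actually holds them, including through nested groups. The following PowerShell script is an added example, not code from the original post or from any product mentioned in it. It assumes the RSAT ActiveDirectory module (Get-ADDomain, Get-ADGroup, Get-ADGroupMember) is installed, that it runs as an account that can read group membership, and that the `$allowed` list is replaced with the accounts you intend to hold those rights; the names in that list are hypothetical placeholders. It resolves the builtin groups by well-known SID so it works regardless of localized group names, and reports any leaf member of a DC-privileged group that is not on the allow-list.

```powershell
# Added example (not from the original post): audit the groups whose members
# can log on to or administer Domain Controllers and flag members that are not
# on an expected allow-list. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value

# Builtin groups by well-known SID (domain-independent) plus the domain-relative
# RIDs for the Domain/Schema/Enterprise Admins groups.
$groupSids = [ordered]@{
    'Administrators'    = 'S-1-5-32-544'
    'Account Operators' = 'S-1-5-32-548'
    'Server Operators'  = 'S-1-5-32-549'
    'Print Operators'   = 'S-1-5-32-550'
    'Backup Operators'  = 'S-1-5-32-551'
    'Domain Admins'     = "$domainSid-512"
    'Schema Admins'     = "$domainSid-518"   # forest root domain only
    'Enterprise Admins' = "$domainSid-519"   # forest root domain only
}

# Constructed allow-list (assumption): sAMAccountNames of the principals that
# are supposed to hold DC-level rights. Everything else gets reported.
$allowed = @('Administrator', 'svc-backup')   # hypothetical placeholders

$findings = foreach ($name in $groupSids.Keys) {
    try {
        $group = Get-ADGroup -Identity $groupSids[$name] -ErrorAction Stop
    } catch {
        # Schema/Enterprise Admins do not resolve from a child domain's SID.
        Write-Warning "Could not resolve $name ($($groupSids[$name])): $_"
        continue
    }

    # -Recursive expands nested groups down to leaf users/computers. Nesting is
    # exactly how unexpected DC rights hide from a quick glance at a group.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.SamAccountName -notin $allowed } |
        ForEach-Object {
            [pscustomobject]@{
                Group       = $name
                Member      = $_.SamAccountName
                ObjectClass = $_.objectClass
            }
        }
}

if ($findings) {
    $findings | Sort-Object Group, Member | Format-Table -AutoSize
} else {
    'No unexpected members in DC-privileged groups.'
}
```

Run it from the forest root domain to cover the Enterprise and Schema Admins groups; in a child domain those two lookups are skipped with a warning. Any account that shows up in the report has, per the post, effective control of the directory, whichever of these groups granted it, so each finding is a decision to either remove the membership or accept that the account is a de facto domain admin.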
Interesting… that’s about all I can say. I wonder who’s right? 😉
I agree with you on the security issue but I don’t think it’s fair to knock an entire company just because of 2 clueless support employees.
I don’t work for ScriptLogic and have never used their products, but if I used the assumption that if some employees of a company are a little dense, then that company/product stinks, I’d never use anything from anyone, including MS products.
It seems to me that even at MS, employees don’t know AD that well (read Exchange team), including some PSS support people I’ve had the misfortune of speaking with.
However, I know the product they produce (AD, even Exchange) is a good one and that somewhere there are really knowledgeable people waiting to help me.
It’s just the luck of the draw on who you get.
So maybe ScriptLogic deserves a little slack (and patience) here.
Trust me, I’m not in the business of defending corporations, but some of them actually produce a good product if you get all the marketing and clueless employees out of the way long enough to see 🙂
Thanks.
P.S. - I love the AD cat book 3rd ed. and I’m wondering (I know from reading your posts on activedir.org that this is a lot to ask) if you would ever consider writing an equivalent one on Exchange 2k/2k3/2k7?
I know you contributed to the Exchange Cookbook and the Exchange stuff in the AD Cookbook, but a good, definitive, honest book on Exchange à la the cat book is much needed out there.
Thanks again.
Fred: 😉
Tom: I see where you are coming from. Even now a third ScriptLogic employee has jumped into the fray with the same misunderstandings. I vary my thoughts on the quality of the folks based on the size; for instance, at 50,000 employees or larger, you can expect to run into quite a few numbskulls. Small software orgs with a limited set of products whose support people hunt through the newsgroups… well, in those I don’t expect to see many numbskulls, as you have to figure the support team isn’t all that large. Certainly you can’t compare ScriptLogic to a Microsoft or an IBM or a Unisys or HP in size or support org size. Any one of those companies probably fires more people in a week than ScriptLogic has for support analysts.
Plus you can look at Microsoft and generally say you have met some incredibly smart people. I know I have met people whose lunch boxes I might be qualified to carry. Maybe. But I have met some completely worthless folks as well. Generally the closer to Redmond you get, the better the quality but there are examples to the contrary both ways. I have met amazing folks in the field and met some boobs on MSFT Campus. ScriptLogic could have some amazing tools that do amazing things but at the moment, 100% of the people I have dealt with from ScriptLogic appear to be pretty low on the totem pole in terms of understanding Active Directory.
Ummm, on the writing a book like the Cat Book for Exchange… Very unlikely to happen. 🙂 First off, I haven’t even looked at E12 yet other than some cursory discussions with the Exchange Dev folks and some other discussions, and also because I really like to understand something before I try to write something about it, and I am not strong enough in Exchange to write a book on it.
joe
Wow that newsgroup thread started to get heated there. Jorge really broke it down to the guys.
You have been consistent on this subject though, you have also posted similar comments to a hack in the O’Reilly “hacks” series. Those guys publish your book so you seem to always stand by the right answer regardless of who is giving out the bad info.
http://www.oreillynet.com/pub/h/1172
It will be interesting to see if you receive any offline mail from people at scriptlogic once everyone comes back to work next week and hears about this discussion.
I just checked out some of Michael’s other posts. In one post he asks if a local GPO would override other GPOs. So I’m not sure what he is talking about there either… seems like we may have a pattern here.
Yep, Jorge pointed out some good points. I am contemplating taking the list of instructions and further breaking it down. I am not positive yet, but I am thinking I want to get something out there that will live for a while and that people can point at and say this is why it can’t be done. I implied in one of my responses in the newsgroup that people should go look at some of the other posts from the folks involved. Michael does indeed have a history of poor uninformed responses around Windows including GPO, Registry, AD, etc.
As for being consistent in how I do things… yep, that is how I roll. 😉 Seriously, if someone says something wrong and I know it is wrong, I try to correct it. Even if it is myself that previously said it and I have learned differently since.