joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

6/25/2007

AdFind V01.37.00

by @ 12:20 am. Filed under updates

AdFind has been updated and uploaded to the website.

There is one change in there that may piss some people off: I changed the TZ text string on time decode with the -utc switch from Coordinated Universal Time to UTC. I realize this may piss some people off, but I personally wanted it. I dump a lot of data with -utc specified and this will cut down on the size of the dumps considerably.

Something that some people may really like is a change to the SID resolution process for -resolvesids. I realized while looking at a network trace that if you have LDAP access to a non-trusted machine but not RPC access, the system really dorks around a lot in the background trying to resolve sids. So I changed how the whole SID resolution process works so it should be considerably faster in those circumstances.

I added several new shortcuts, some new special base options, decode more attributes, added some Longhorn (Windows Server 2008) decode stuff, updated the STATS capability for Longhorn (thanks to ~Eric for pointing out that MSFT broke that for me ;o).

Check it out – http://www.joeware.net/freetools/tools/adfind/index.htm


    joe


6/22/2007

DR like you've never seen it tested before…

by @ 9:45 pm. Filed under tech

http://h71028.www7.hp.com/enterprise/cache/523434-0-0-0-121.html


Yes… AdFind does do that…

by @ 1:57 am. Filed under tech

I always chuckle when I or someone else mentions a feature of AdFind (or really any of the utilities from my website) and then someone else who uses it regularly says “Wow, I didn’t know it did that…”. This has happened a couple of different times in a couple of different forums.

Well in the new LDP in Longhorn, err excuse me, Windows Server 2008, Dmitri made it so the output of the attributes is in alphabetical order. I had several people suggest that I should add that functionality. At first I was like, yeah cool, good idea. Then I realized it is already in there, it is enabled with a switch called -soao which stands for (S)ort (O)rder (A)ttribute (O)utput. I put this in a few years ago when I spoke to Jerold at the MVP summit and he asked me to add it in for him.

Why, you ask, don’t you make this the standard??? Because it does add overhead, not very much (usually), but I perceive that I can feel it in the running of the utility when dumping large numbers of objects… Yes yes, overly sensitive but I do run AdFind A LOT.


   joe


Jerold Schulman Retired.

by @ 1:46 am. Filed under tech

I had no idea that Jerold retired, I just stumbled upon the fact when going to get a link for his web page for another blog entry. I saw this announcement (http://www.jsiinc.com/aboutJSI.htm) and I am just shocked by this… I’m being selfish but the site has been such a mainstay in my life the last 10 or so years that I almost feel like someone should have come and explained this to me or alerted me. 😉

I wonder if this is why I didn’t see him milling around the last MVP Summit in March. Kind of odd not seeing him there. I heard quite a few people asking the question “Hey where’s Jerold?” No one seemed to know.

It appears he gave or sold the old reghacks (jsifaq) site to Windows IT Pro Magazine, I hope he did indeed sell it and made out well on it.

I want to give a huge personal thanks to Jerold for his years of service and all of the tips he posted on his site. I first started using his site in the late 90’s and still to this day go and find things there.

Congratulations on the retirement Jerold.

   joe


6/9/2007

Do we need a "Read-Only Administrator" Security Group?

by @ 6:21 pm. Filed under tech

It seems the last couple of weeks have been heavy security weeks for me. Dealing with all sorts of security issues that quite frankly, never should have been issues to begin with but I think the knowledge level of Windows Security and how Windows works[1] is so poor in general that stupid things that never should be an issue grow to be huge issues. Hearing about the issues in the first place can be bad. It can be absolutely disheartening when you dig in and start getting a real feel for how bad it really is and realize it is industry wide. There are few people who are truly good with Windows core functionality understanding and security.

So anyway, through all of the stupidity and lack of true understanding of how things work I thought once again how nice it would be to have a “read-only administrator” group. I used that name only to give a quick functional understanding of what I am trying to describe. Basically a group that, when you are placed in it, gives you all of the ability to SEE/QUERY/VIEW/BROWSE anything an administrator of that machine would be able to SEE/QUERY/VIEW/BROWSE but no opportunity at all to make a change. Maybe call the group something like “Auditor Admin” or something like that. I really don’t care a whole lot about the name, I just need that functionality. In some places it may be more fitting for that to be several groups so you can granularly assign it, but I don’t mind just starting out with a quick basic “do everything an admin can do except change things” group to get started.

For some things you can set up this sort of access right now: say you want to look at service status or settings, or you want to look at but not be able to muck with event logs; these things you can do with delegation. Depending on how the delegation is done, you may or may not be able to use standard tools to look at the info. Also I guess it depends on the tool; any tool that assumes that if you want to look at something you also need to be able to change it, and so tries to grab that right or just tries to do it and then fails, wouldn’t be much help in this situation. Not everything can be delegated this way though; there are various API calls that just won’t work unless you are an admin. Even if it could, I would still like this one stop shopping group so I could quickly throw someone in it and not have to think, ok so how do I delegate every one of these single individual things, because this person truly just should be an admin without the ability to make changes…..

Why would this capability be good? Well I would hope it would be self obvious but if it isn’t, it is so you can give the group membership to someone who needs to be able to see anything an admin can see (like an auditor or maybe a senior level consultant/troubleshooter) but you absolutely, positively, don’t want them changing a thing. Auditors are a good thing; auditors who actually have a clue about Windows when they are auditing Windows are an even better, actually a great, thing. In general though, I think you are asking for a lot if you expect them to know Windows, but they still think they need to be able to look at everything on a system to make sure that “the admins” are being good, even though if they do look at everything they can’t properly judge what it all means since they don’t actually truly understand the environment and how it works.

Additionally, the only way many of these auditors feel this can be done is to put them in the admins group because that is all they know. First off, there is a huge issue there… They are no longer an independent arms length variable in the equation… now that they are in the admins group, they are just like the other admins who need to be watched, having auditor in their title doesn’t alleviate that and in fact, I would argue they need to be watched closer because they aren’t responsible for the server they have the rights on and almost certainly don’t have the knowledge or understanding to fix anything they accidentally break and are, IMO, more likely to break something given their lack of understanding. Giving auditors admin access to a server is not only a bad idea, it is a terrible idea from this standpoint. If someone says I need to be able to see something, the answer shouldn’t be, “all right then, I will make you an admin, cheers!”. Anyone who goes straight to that answer probably needs to be off in another job.

I mentioned this problem space when I was out in Redmond at the MVP summit to the folks in charge of monitoring and writing up the Service Modeling Language as I think that would be a good angle to attack it. Monitoring in large orgs has the same type of issue, for instance you want to use one standard monitoring group to save money, but you don’t want them having admin rights on every single server do you??? They are people who are supposed to be watching for problems, not the people who should be configuring the servers and causing their own problems. If you have a large org with thousands of servers you could have 3, 4, 5 or more entirely unconnected different server support groups responsible for different groups of servers. To do it safely/securely right now, you need a separate monitoring infrastructure for each group that is run by that group. Otherwise you bite the bullet and say well the monitoring people have admin rights across all of those servers. That means a screwup in monitoring could hit all servers or a virus on a monitor server could hit all servers… When was the last time you saw a dedicated monitoring group who truly understood the platforms they were monitoring? I haven’t met someone like that yet for Windows. At best they understand their monitoring software, everything outside of that is up for grabs. And you just made them admins on all of your servers…

When I spoke to the Dev teams in Redmond I said this would be great for Longhorn, LHR2, etc. But the more I think about it and the more pain I feel because of it not existing already the more I think this would be a great Security Initiative thing for MSFT to work on and get into the current products as well as future products ASAP. Say XP SP2, K3 SP2, Vista and anything newer should all be able to have this capability. Primarily I want it on the server OS but I know a lot of folks who would likely want it on the client OS as well. That being said, I have little faith something like this could be done in any short period of time and I think we would be lucky to see something by LH R2.


Now don’t go away disgusted and thinking, well if we can’t do it that way, well we just aren’t going to do anything right, we will just assume full admin rights and write everything around doing it that way. Way bad idea. How about instead trying to do everything with as minimal rights as possible and then fully documenting the things you find that you can’t do with a normal user ID and then work with others to see what can be done about fixing that. Any security team or auditing team or developer group that thinks, “well we will be running as administrator or LocalSystem so we don’t have to worry about how we gather the info” is someone who should strongly reconsider their stand or someone that management should strongly consider repurposing.


So what do you think?


   joe


[1] Knowledge of which, IMO, is a prerequisite for having any ability to say you understand security for the platform.


Paris in and out and back in jail…

by @ 6:20 pm. Filed under general

It is good to see Paris back in jail. Some people are up in arms that she was released at all, some people don’t feel it is right she got sent back. Me personally, she never should have been released and she should be there for her full sentence. While the writer of this article

http://www.time.com/time/arts/article/0,8599,1631258,00.html

seems to feel bad because she thinks Paris may be getting a worse sentence than most folks would, because she alleges that most non-violent criminals only serve 10% of their sentences, it isn’t because the justice system says, “ah what the heck, they are an ok person, just let them out early…”. No, it is because the jails are overcrowded so they have no choice but to let out the less violent offenders so they can lock up the violent ones. This doesn’t apply in Paris’s case, she isn’t going into the same generic lockup that you or I would go into. She is going into some special jail for special prisoners and doesn’t even have to share the cell with anyone other than her psychiatrist. If she were locked in there with four other people in a two person cell like you sometimes hear about in other busy lockups then I would say, yeah, early release might be something that should be considered. Early release from a fairly posh cell in relation to what others get, that doesn’t even have to be shared, for a socialite who allegedly, and if true, stupidly took legal advice from a publicist because she is unhappy and pouty about it and doesn’t think it is fair would just be silly and would show kids everywhere that if you are wealthy or famous just because you are famous you have nothing to fear from the US legal system. I.e. no consequences for their actions. Maybe this will serve to function for the spank on the ass that Paris probably should have gotten when she was a kid growing up and learning there were no consequences to her actions.

If she keeps whining about fairness, maybe they should toss her into the normal county lockup for a few hours (without letting her know it is temporary) and let her see where she would be if she weren’t who she was.


Task Scheduler

by @ 6:19 pm. Filed under tech

How come I can’t configure Windows such that all AT scheduled tasks run as a specific userid or security principal? Why is it automatically going to run as the most powerful security principal on the machine? At least under NT4 we could set the scheduler service up to run as some other ID and it would run that way and launch AT Scheduled jobs that way. We lost that ability when Task Scheduler functionality came around. Alternately maybe we need the ability to disable AT scheduled jobs entirely and only allow Task Scheduler type jobs.

I don’t know, I need to look closer at it all I think.


Security by Obscurity Tip #19780225

by @ 6:19 pm. Filed under general

If you want to protect data in an Excel spreadsheet from prying eyes, set the color of the font to the color of the background. In this way you can be sure no one but you will know the data is there and be able to see it. This is especially good for super important confidential information like salaries, profit/loss numbers, etc. which may get lost permanently if using other protection schemes.

In order to view the data, highlight the cells with the secret confidential information and voila, it magically reappears.


Note: Unfortunately this is a true story. I’m not even going to say “believe it… or not…”


Tacoma Washington…

by @ 6:19 pm. Filed under general

So I am going to be out of home again for a week. Flying out to the Tacoma Washington area for work. No, not Seattle as I was initially sold on but Tacoma. 😉 I don’t have a problem with Tacoma other than I am near to Seattle but not so near that it is quite easy to see all of my cool friends that live in the Seattle area during the evenings.

This means that the relative slowness with which I have been responding to emails will be converted to an almost molasses in Michigan in January dead slowness. 🙂

I will be back in the dead of the morning on Saturday and likely won’t be any use to anyone until at least Wednesday which is about the time I will catch up on everything.


Are you testing Longhorn (aka Windows Server 2008) RODCs?

by @ 6:18 pm. Filed under tech

Then consider trying the following command (all one line) and testing how everything works. If you find something bad that happens in Windows, let me know so I can feed that info back to the people who need to know.

adfind -schema -f objectcategory=attributeschema searchflags -adcsv | admod -unsafe searchflags::{{.:SET:512}} -cont

I have done this in a couple of forests now with no meltdowns but admittedly the level of testing I get to do on Longhorn right now is minimal at best. Most days I am happy to be working on Windows Server 2003 or better and thrilled to work on AD.

This will mark attributes to not be replicated to the RODCs. It won’t succeed in marking every attribute this way (unless you are sneaky about it) but in a default Longhorn Schema it will mark over 1000 attributes to be excluded.

Why should you do this?

The first reason is so if there is a problem with one or more of those attributes being marked that way, Microsoft can correct that prior to releasing the product to the street and hopefully prevent someone from having a problem.

The second reason, and the reason that I initially thought of, was so you can set up RODCs to have a very minimal attribute set replicated to them. The locations that RODCs are most likely going into will be WAN sites, and generally WAN sites have your worst network connectivity and no need for all of the data in the directory. Actually you usually just need the NOS attributes in the WAN site so you can log on. Having the ability to trim down the set of attributes replicated to those RODCs means less bandwidth and less churn in general since there are fewer attributes that you have to worry about being updated.

The third reason is to do something you may not normally do. People should play with their test labs and do things they wouldn’t normally do so they can learn what Windows does in those conditions. You may find bugs, you may learn something you wouldn’t know otherwise. You may remember something later that you see in production that reminds you of something you screwed up in the lab and figured out how to fix. A little secret here… A lot of folks are always asking how I got to learn so much about Windows. Some of it was picked up while I did admin work. Some of it was picked up while I tried to answer questions for others who were having issues. A lot of it was picked up while reading the Platform SDK to figure out how to write programs to run on Windows to do various things (plus I just like to browse the SDK to find new things that MSFT hasn’t written tools/interfaces for or wrote tools/interfaces that didn’t expose all of the functionality). And finally a lot of it was picked up by doing absolutely insane things to my test lab and seeing how Windows handled it and, if it was broken, trying to fix it again. Then if I figured out how to fix it I would purposely break it again just to make sure my methods for fixing it worked, and try to better understand why it broke, when it could break like that on its own (or through someone’s stupidity), why the methods that fixed it worked, and if there is anything else that might work. If you run some test machines and you just let them sit there idling in some standard config, that is fine if it is for testing things for your production environment, but if they are true R&D test whatever machines, beat them up. With the cost of virtualization so cheap now there really is no excuse to not have some beat up machines laying around that you can do insane things to and see how they react and what it takes for you to fix them again.


    joe
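Added example, not code from this post or from AdFind/AdMod: it models what the piped admod step above computes, i.e. OR-ing bit 512 (fRODCFilteredAttribute) into the searchFlags of each attributeSchema object, over a constructed CSV in the shape of an "adfind ... searchflags -adcsv" dump. The DNs and flag values in the sample are made up; the bit names are the documented searchFlags bits.

```python
# Added example (not from the post, not AdFind/AdMod code): reproduce the
# searchFlags arithmetic behind "admod searchflags::{{.:SET:512}}" on a dump.
import csv
import io

# searchFlags bit values as documented in MS-ADTS section 2.2.9 (subset).
SEARCH_FLAG_NAMES = {
    0x1: "fATTINDEX",                 # attribute is indexed
    0x80: "fCONFIDENTIAL",            # readable only with CONTROL_ACCESS
    0x200: "fRODCFilteredAttribute",  # 512: not replicated to RODCs
}
F_RODC_FILTERED = 0x200

# Constructed sample dump (three made-up attributeSchema objects).
# An empty searchFlags column means the attribute is absent on the object.
SAMPLE_CSV = '''"dn","searchFlags"
"CN=Employee-Number,CN=Schema,CN=Configuration,DC=example,DC=com","1"
"CN=Some-Secret,CN=Schema,CN=Configuration,DC=example,DC=com","640"
"CN=Photo,CN=Schema,CN=Configuration,DC=example,DC=com",""
'''


def parse_dump(text):
    """Return {dn: searchFlags} from the CSV; an absent value counts as 0."""
    dump = {}
    for row in csv.DictReader(io.StringIO(text)):
        raw = row["searchFlags"].strip()
        dump[row["dn"]] = int(raw) if raw else 0
    return dump


def decode_flags(flags):
    """Names of the known bits set in a searchFlags value, lowest bit first."""
    return [name for bit, name in SEARCH_FLAG_NAMES.items() if flags & bit]


def set_rodc_filtered(flags):
    """What {{.:SET:512}} computes: set the bit and keep every other bit."""
    return flags | F_RODC_FILTERED


def plan_changes(dump):
    """Per attribute: (old, new, write_needed).

    This is the intended change only; the post notes a DC will refuse the
    write for some attributes, so the real outcome must be read back.
    """
    plan = {}
    for dn, old in dump.items():
        new = set_rodc_filtered(old)
        plan[dn] = (old, new, new != old)
    return plan


if __name__ == "__main__":
    for dn, (old, new, changed) in plan_changes(parse_dump(SAMPLE_CSV)).items():
        note = "" if changed else " (already set)"
        print(f"{dn.split(',')[0]}: {old} -> {new} {decode_flags(new)}{note}")
```

Reading the dump back after the admod run and diffing it against plan_changes() output is the quickest way to see which attributes the DC declined to mark.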

