Can you trust a domain that is connected to the Internet?

  We are often asked the question: is it worth creating a separate forest in order to add domains with limited trust relationships to the organization? This question is particularly relevant when creating a domain that is reachable from the Internet, for example a domain that supports a Web server. In this situation you can go one of two ways. You can create a separate forest/domain and set up an explicit, old-style one-way trust relationship with the main forest, to protect that forest from the potential danger emanating from the Internet-connected domain/forest. In this case you lose the advantage of a common directory for all domains, and you have to manage multiple forests. The second option is to place the Internet-connected domain in an organizational unit (OU) within a domain that is administered by trusted personnel. The administrator of the organizational unit must be able to control only the objects that are in that unit.

  Even if that administrator's account is compromised, the rest of the forest will suffer minimal damage.

  The consequences of a domain compromise

  So what happens if a domain is compromised? Suppose an attacker gets into the network through a domain controller that is connected to the Internet, or a disgruntled employee decides to play the evil domain administrator. Here is what they may try to do, given everything that has been said in this section about the security of forests, trees, and domains.

  At a minimum, all other domains in the forest are at risk, since members of the Domain Admins group of a domain in the forest can take ownership of the Configuration container in Active Directory, change the data in that container, and replicate the configuration changes to every domain controller in the forest.

  If the compromised domain has authenticated accounts from an external domain, the attacker can retrieve that authentication data from the LSA Secrets cache (see Chapter 8, "Extending the scope of influence"), extending their influence to other domains in the forest.

  And finally, if the root domain is compromised, members of the Enterprise Admins and Schema Admins groups can control any parameter of any domain in the forest, unless the rights of the members of these groups have been restricted manually.
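The three exposure points above (ownership of the Configuration container, the forest-wide admin groups, and trust relationships) can be reviewed with a read-only audit. The script below is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module, a domain-joined host, and an account with read access to the directory.

```powershell
# Added example (not from the article): read-only audit of forest-wide exposure.
# Assumption: RSAT ActiveDirectory module is installed; run from a domain-joined host.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$configNC = (Get-ADRootDSE).configurationNamingContext

# 1. Owner of the Configuration container. Compare against your known baseline;
#    an owner from a non-root domain means someone has taken ownership.
$acl = Get-Acl -Path "AD:\$configNC"
"Configuration container owner: $($acl.Owner)"

# 2. Principals with write-class rights on the Configuration container itself.
$writeRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty'
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ActiveDirectoryRights.ToString() -match $writeRights } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize

# 3. Forest-wide groups live in the root domain; list their effective members.
'Enterprise Admins', 'Schema Admins' | ForEach-Object {
    $group = $_
    Get-ADGroupMember -Identity $group -Server $forest.RootDomain -Recursive |
        Select-Object @{ n = 'Group'; e = { $group } }, SamAccountName, objectClass
} | Format-Table -AutoSize

# 4. Domain Admins of every domain in the forest: each of these accounts can
#    reach the Configuration container, so each domain is part of the risk.
$forest.Domains | ForEach-Object {
    $domain = $_
    Get-ADGroupMember -Identity 'Domain Admins' -Server $domain -Recursive |
        Select-Object @{ n = 'Domain'; e = { $domain } }, SamAccountName, objectClass
} | Format-Table -AutoSize

# 5. Trusts defined in each domain: direction, whether the trust is inside the
#    forest, and whether SID filtering and selective authentication are enabled.
$forest.Domains | ForEach-Object {
    Get-ADTrust -Filter * -Server $_ |
        Select-Object Source, Target, Direction, IntraForest, ForestTransitive,
                      SIDFilteringQuarantined, SelectiveAuthentication
} | Format-Table -AutoSize
```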

Copyright © 2010 BRV ISTCOM S.R.L.