Can you trust a domain that is connected to the Internet?

  We are often asked: is it worth creating a separate forest in order to add domains with limited trust relationships to the organization? The question is particularly relevant when creating a domain that is reachable from the Internet, for example a domain that supports a Web server. In this situation there are two ways to proceed. You can create a separate forest/domain and establish an explicit, old-style one-way trust relationship with the main forest, protecting the main forest from the potential danger posed by the Internet-connected domain/forest. In this case you lose the advantage of a common directory for all domains and take on the need to manage multiple forests. The second option is to place the Internet-connected domain in an organizational unit (OU) within the domain, which is administered by trusted personnel. The administrator of the organizational unit must be able to control only the objects in his own unit.

  Even if the administrator account is compromised, the rest of the forest will suffer minimal damage.

  The consequences of a domain compromise

  So what happens if the domain is compromised? Suppose a hacker tries to enter the network through a domain controller that is connected to the Internet, or a disgruntled employee decides to play the rogue domain administrator. Here is what they might try to do, given everything that has been said in this section about the security of forests, trees, and domains.

  At a minimum, all other domains in the forest are at risk, since members of the Domain Admins group of domains in the forest can take ownership of the Configuration container in Active Directory, change the data in this container, and replicate the configuration changes to every domain controller in the forest.

  If the compromised domain authenticated accounts from an external domain, the attacker can obtain that authentication data from the LSA Secrets cache (see Chapter 8, "Extending the scope of influence"), extending his influence to other domains in the forest.

  And finally, if the root domain is compromised, members of the Enterprise Admins and Schema Admins groups can control any parameter of any domain in the forest, unless the rights of members of these groups have been restricted manually.
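
  To see how far the exposure described above reaches in a given forest, the following read-only audit (an added example, not part of the original article) reports the owner of the Configuration container, the principals allowed to take ownership of it or rewrite its ACL, and the members of the Enterprise Admins, Schema Admins and per-domain Domain Admins groups. It assumes the RSAT ActiveDirectory module and a domain-joined session; the function name Get-AdminGroupMembers is hypothetical.

```powershell
# Added example, not from the original article. Read-only audit.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$configDn = (Get-ADRootDSE).configurationNamingContext

# 1. Owner of the Configuration container, plus every Allow ACE that permits
#    taking ownership or rewriting the DACL (GenericAll contains both bits).
$acl   = Get-Acl -Path "AD:\$configDn"
$risky = [int][System.DirectoryServices.ActiveDirectoryRights]'WriteOwner, WriteDacl'

[pscustomobject]@{ Container = $configDn; Owner = $acl.Owner } | Format-List

$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ([int]$_.ActiveDirectoryRights -band $risky) -ne 0 } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize

# 2. Privileged groups resolved by well-known RID, so the lookup still works
#    where the groups have been renamed or the installation is localized.
function Get-AdminGroupMembers {   # hypothetical helper name
    param([string]$Domain, [int]$Rid, [string]$Label)
    $sid = "$((Get-ADDomain -Server $Domain).DomainSID.Value)-$Rid"
    Get-ADGroupMember -Identity $sid -Server $Domain -Recursive |
        Select-Object @{ n = 'Domain'; e = { $Domain } },
                      @{ n = 'Group';  e = { $Label } },
                      SamAccountName, objectClass
}

$members = @(
    # Forest-wide groups live in the forest root domain (RIDs 519 and 518).
    Get-AdminGroupMembers -Domain $forest.RootDomain -Rid 519 -Label 'Enterprise Admins'
    Get-AdminGroupMembers -Domain $forest.RootDomain -Rid 518 -Label 'Schema Admins'
    # Domain Admins (RID 512) of every domain, including any Internet-facing one.
    foreach ($domain in $forest.Domains) {
        Get-AdminGroupMembers -Domain $domain -Rid 512 -Label 'Domain Admins'
    }
)
$members | Sort-Object Domain, Group, SamAccountName | Format-Table -AutoSize
```

  Any account in the output that belongs to staff of the Internet-connected domain is one whose compromise affects the whole forest, not just that domain.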

Copyright © 2010 BRV ISTCOM S.R.L.