Articles
Q. Can a read-only domain controller (RODC) write to its database?
by John Savill
1.14.08
A. The name "read-only domain controller" implies that its database is
read-only, and in nearly all situations it is, with the exception of one
group of attributes.
If a user requests a write operation on an RODC, the RODC forwards the
request to a read-writable domain controller (RWDC), which then
replicates the change back to the RODC. If an application tries to
write to an RODC, the RODC responds with a referral telling the
application to write to an RWDC instead (which will crash some
applications that don't handle referrals).
Now imagine that a branch-location RODC loses its hub connectivity, so
it can't contact an RWDC, and during the outage someone tries to guess
their way into an account. With normal connectivity, BadPwdCount would
increment and, after the number of attempts designated by the password
policy, the account would lock out. If the RWDC can't be contacted and
the RODC can't write to its database, BadPwdCount would never increment
and the account would never lock out, leaving the RODC vulnerable. For
this reason, an RODC can write logon-count attributes, such as
BadPwdCount and LastLogon, to its own database, allowing an account to
lock out.
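As an added example (not code from the article), the following PowerShell function reads the logon-count attributes the answer describes from every DC in the domain, so you can see the per-DC values from an admin workstation without logging on to the RODC. It assumes the ActiveDirectory module and read rights on the account; 'jdoe' is a placeholder sAMAccountName.

```powershell
# Added example, not code from the original article. Reads the logon-count
# attributes an RODC can write locally from each DC in the domain. Assumes the
# ActiveDirectory module; 'jdoe' is a placeholder account name.
Import-Module ActiveDirectory

function Get-LogonCountByDC {
    param([Parameter(Mandatory)][string]$SamAccountName)

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                    -Properties badPwdCount, lastLogon, lastBadPasswordAttempt, lockedOut
            # lastLogon is a raw FILETIME value; convert it for display
            $last = if ($u.lastLogon) { [DateTime]::FromFileTime($u.lastLogon) } else { $null }
            [pscustomobject]@{
                DC          = $dc.HostName
                IsRODC      = $dc.IsReadOnly
                BadPwdCount = $u.badPwdCount
                LastBadPwd  = $u.lastBadPasswordAttempt
                LastLogon   = $last
                LockedOut   = $u.lockedOut
                Error       = $null
            }
        }
        catch {
            # A DC that cannot be reached, e.g. an RODC whose hub link is down
            [pscustomobject]@{
                DC = $dc.HostName; IsRODC = $dc.IsReadOnly; BadPwdCount = $null
                LastBadPwd = $null; LastLogon = $null; LockedOut = $null
                Error = $_.Exception.Message
            }
        }
    }
}

Get-LogonCountByDC -SamAccountName 'jdoe' | Sort-Object IsRODC, DC | Format-Table -AutoSize
```

Comparing the RODC row with the RWDC rows shows which DC recorded the failed attempts that the answer says an RODC writes to its own database.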
Q. Why shouldn't I use a domain-administrator account to log on to a read-only domain controller (RODC)?
by John Savill
4.15.08
A. The fact that it's an RODC isn't the crucial factor. RODCs typically
aren't secure because they're in branch offices or somewhere else
exposed to physical attack.
RODCs expressly deny caching of domain-administrator account
credentials. You should use your administrator credentials only on
secure terminals. Someone who controls a box can run a keylogger to
capture plain-text passwords, hijack the session with local control, or
configure a bad policy to run at logon.
The best practice is to never log on to an RODC as a full domain
administrator, and never access an RODC by Remote Desktop Protocol (RDP)
as a domain administrator. Instead, use Windows Remote Shell or Windows
Remote Management to run RODC commands, or use Microsoft Management
Console (MMC) in remote mode. Otherwise, you could give away credentials
from a compromised box. This rule of thumb applies not only to RODCs but
to any potentially insecure box.
You should decide how practical these options are for your environment.
It's far easier to use RDP to access a remote box than to run remote
commands and MMC snap-ins.
Q. How is Windows BitLocker Drive Encryption vulnerable to a cold-boot attack?
by John Savill
4.16.08
A. There's been a lot of recent press about this
vulnerability. Here's how it works. When you turn off your computer, RAM
keeps information stored on its chips for as long as 30 seconds (or as
short as 2.5 seconds), or possibly several minutes if you cool the RAM
chips first. This is mainly a DRAM problem. SRAM works differently and
is less vulnerable (but not immune). When SDRAM loses its power, it
loses its information.
A cold-boot attack powers off a computer, then boots it to a special
program that copies the memory contents to a USB drive. The hacker then
scans the memory dump for the stored information and extracts disk
encryption keys.
To protect your equipment against these attacks, exercise good
physical-server security and disable the ability to boot from a USB
device. This protection won't stop an attack, but it will make it more
difficult. If an attacker physically has a box, he or she can power it
down, remove the RAM, and put it in another box (unless you solder the
RAM to the motherboard). Always power down laptops—don't leave them in
sleep mode. Using a Trusted Platform Module (TPM) won't help because the
TPM initially stores the key, then puts it in memory for decryption.
A Princeton University video of a cold-boot attack is available at http://www.hackaday.com/2008/02/21/breaking-disk-encryption-with-ram-dumps/. The companion paper is at http://citp.princeton.edu/pub/coldboot.pdf.
Q. What are the types of IPv6 address?
by John Savill
4.17.08
A. IPv4 addresses are pretty easy. Typically, there's one IP address
for each adapter, which might be an Internet-addressable IP address
(unlikely) or a private address on a company or home network, with
address translation performed for Internet communications. The IP
address can be statically configured, dynamically assigned via DHCP, or
automatically generated by the computer if DHCP is unavailable.
IPv6 addresses are a bit more complex. Each IPv6 adapter can have a
number of IP address types:
- Global Unicast Addresses: These addresses are similar to public IPv4
addresses; they're routed across the entire IPv6 Internet and allocated
by the Internet Assigned Numbers Authority (IANA, at www.iana.org).
Global unicast addresses always have the first three bits set to 001.
The following 45 bits make up a Global Routing Prefix, which is unique
for each organization. The organization uses the next 16 bits of the
network prefix for subnets.
- Link-Local Addresses: These addresses are the equivalent of Automatic
Private IP Addressing (APIPA) for IPv4, which uses the 169.254.0.0/16
network. They're assigned to hosts that don't have IP addresses and
can't contact a stateful configuration server (such as a DHCP server).
Link-local addresses may only be used to communicate with nodes on the
same link. Link-local addresses all start with fe80; the remaining
network address bits are zeroed out because link-local addresses don't
use subnets.
- Unique Local Addresses: These addresses are the replacement for
site-local addresses (which were part of earlier IPv6 standards).
They're designed to be used only within an organization. The first
eight bits are always 11111101, meaning all unique-local addresses start
with "fd". The next 40 bits make up the global ID, which can be used to
identify buildings or locations within an organization. The last 16
network ID bits comprise the subnet ID, allowing multiple subnets within
a single location. Make sure the global ID is generated from random
numbers to future-proof your network in case of a possible merger with
another network: if both organizations used "10" as a global ID, you'd
have a problem, whereas it's unlikely that two organizations' IDs would
overlap if the global IDs were random.
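The following PowerShell is an added example, not code from the article: it classifies an address by the leading prefix bits described above and builds a unique local prefix with a random 40-bit global ID, as the answer recommends. The sample addresses are constructed, and the random global ID is drawn from the OS CSPRNG rather than any particular generation algorithm.

```powershell
# Added example, not code from the original article. Classifies an IPv6 address by the
# prefix bits described above and builds a unique local prefix with a random global ID.
function ConvertTo-HexString([byte[]]$Bytes) {
    ($Bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-IPv6AddressType {
    param([Parameter(Mandatory)][string]$Address)

    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "Not an IPv6 address: $Address"
    }
    $b = $ip.GetAddressBytes()        # 16 bytes, most significant first
    $result = [ordered]@{ Address = $Address; Type = 'Other'; GlobalId = $null; SubnetId = $null }

    if (($b[0] -band 0xE0) -eq 0x20) {
        # Global unicast: first three bits 001, so the first byte is 0x20..0x3F.
        # 48-bit global routing prefix (including the 001 bits), then a 16-bit subnet ID.
        $result.Type     = 'GlobalUnicast'
        $result.GlobalId = ConvertTo-HexString $b[0..5]
        $result.SubnetId = ConvertTo-HexString $b[6..7]
    }
    elseif ($b[0] -eq 0xFE -and ($b[1] -band 0xC0) -eq 0x80) {
        # Link-local: starts with fe80; the rest of the network bits are zero (no subnets).
        $result.Type = 'LinkLocal'
    }
    elseif ($b[0] -eq 0xFD) {
        # Unique local: first eight bits 11111101 (fd), 40-bit global ID, 16-bit subnet ID.
        $result.Type     = 'UniqueLocal'
        $result.GlobalId = ConvertTo-HexString $b[1..5]
        $result.SubnetId = ConvertTo-HexString $b[6..7]
    }
    [pscustomobject]$result
}

function New-UniqueLocalPrefix {
    # fd + 40 random bits from the OS CSPRNG, so two merged networks are unlikely to collide.
    $id = New-Object byte[] 5
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($id)
    $h = ConvertTo-HexString $id                                # 10 hex digits
    'fd{0}:{1}:{2}::/48' -f $h.Substring(0, 2), $h.Substring(2, 4), $h.Substring(6, 4)
}

# Constructed sample addresses: one of each type from the answer, plus loopback.
'2001:db8:1234:5678::1', 'fe80::1', 'fd12:3456:789a:1::1', '::1' |
    ForEach-Object { Get-IPv6AddressType $_ } | Format-Table -AutoSize
New-UniqueLocalPrefix
```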
Q. Is there a maximum number of fine-grain password policies (FGPPs) in a single domain?
by John Savill
4.18.08
A. No, there's no fixed limit; an FGPP is just another directory
object. However, you don't need many combinations, so in most
environments three to 10 FGPPs are enough.
Events & Resources
Security Horror Story Contest!
Tell us about a security hole that you found, a virus
that shut down your network, an embarrassing or scary near-miss, or
direct hit. (Be sure to describe how you solved the problem too.) We'll
print the best tales in a Windows IT Pro cover story
(anonymously, if you like), and you'll win a one-year Windows IT
Pro VIP subscription.
This includes access to every article ever printed in Windows IT
Pro, SQL Server Magazine, Exchange and Outlook Pro VIP,
Scripting Pro VIP, and Security Pro VIP.
Send your security horror stories (no more than 500 words) to Lavon
Peters (lavon.peters@windowsitpro.com) by May 9.
Message One White Paper: Five Essential Considerations for Exchange 2007 Implementations
For most organizations, taking full advantage of
Exchange 2007's features will require a substantial investment. Unlike
previous upgrades, Exchange 2007 requires the replacement of existing
servers with new 64-bit hardware and software. Read this white paper to
understand the considerations involved and get tips you can use to
leverage your Exchange 2007 upgrade.
http://windowsitpro.com/Whitepapers/Index.cfm?fuseaction=ShowWP&WPID=5da6e1d6-cae8-44fe-893a-700ea3e743e4&code=041608er
New Newsletter! Virtualization UPDATE
From the data center to the desktop, virtualization is
having a far-reaching impact on the IT industry. Delivered directly to
your inbox twice a month, Virtualization UPDATE gives you the
information you need to stay ahead in this rapidly growing segment of
the IT marketplace. Subscribe today--it's free! Click on the
following URL to automatically sign up for a free subscription:
http://www.windowsitpro.com/email/dsp_SubscribeConfirmation.cfm
Data Protection and Disaster Recovery Tips eBook
Regardless of the type of disaster that might befall
your organization, the response is usually similar. You can make a
disaster-recovery plan based on factors such as the expected duration of
recovery and the impact of the disaster on your facilities and the
surrounding areas. This eBook will help you prepare a disaster plan that
works for your organization.
http://www.windowsitpro.com/go/ebooks/ca/disaster/?code=041608e&r
Featured White Paper
Network Access Control: Managing Unauthorized Computers
This white paper will discuss how Network Access Control
(NAC) handles rogue computers, how to fit NAC into any environment, the
main components to look for in a NAC solution, and the results you can
expect when you put a NAC solution into place. Download this white paper
to ensure that your company can combat today's threats while remaining
nimble enough to address tomorrow's. http://www.windowsitpro.com/go/wp/sophos/nac/?code=041608e&r
Announcements
EXCHANGE 2007 Mastery Series -- May 29, 2008
3 information-packed eLearning seminars for only $99!
Hosted by Windows IT Pro
Join Mark Arnold, MCSE+M and Microsoft MVP, as he coaches you through
server management in Exchange 2007:
- Learn the Pros and Cons of Your Mailbox High-Availability Options
- See Real-World Examples of Transport Rules You Can Implement in Your
Environment
- Windows PowerShell: Get Started with Basic Commands
For more information and to register, go to http://windowsitpro.com/elearning/index.cfm?fuseaction=dynamic&v=5119&p=5161&code=&eventid=29&code=update
Check out all the info-packed publications offered by Windows IT Pro!
If you're receiving the HTML version of this email
newsletter, click "Our Publications" in the menu bar; otherwise, click
the link below:
https://store.pentontech.com/index.cfm?s=1&cid=18000306&promotionid=18003253&code=
If you use a product that has made a tremendous impact in your
organization and is a product that you can't live without, tell us about
it at whatshot@windowsitpro.com
and we'll feature your review in a future issue of the magazine, under
the "What's Hot" section.