Is it possible to prevent ownership replacing in a forest?

Anonymous
January 12, 2005 4:17:04 AM

Archived from groups: microsoft.public.win2000.security

Situation: a forest consisting of a root domain and a child domain, all with
Win2003.
Is it possible to prevent admins from a child domain from doing some tasks or
replacing ownership with their own in the child domain?

Simple example: I create a folder on a child domain's DC and want to leave
access to only Enterprise Admins from root domain. I set all the perms, take
ownership to Ent. Admins, but the child domain's admin can still easily re-take
ownership and change the ACL.

Is it possible to solve?

Thanks,
Gera
Anonymous
January 12, 2005 2:27:29 PM


Hi Gera,

one option would be to run a script using the Takeown tool that comes with
Windows 2003. It can assign ownership to another user and therefore prevent
the user who created this folder from taking ownership in the future.

I hope this helps.

--
Mike
Microsoft MVP - Windows Security

"Gera" <Gera@discussions.microsoft.com> wrote in message
news:21E1AE0C-47D6-4F38-BCDD-95ACE6932AAD@microsoft.com...
> Situation: a forest consisting of a root domain and a child domain, all with
> Win2003.
> Is it possible to prevent admins from a child domain from doing some tasks or
> replacing ownership with their own in the child domain?
>
> Simple example: I create a folder on a child domain's DC and want to leave
> access to only Enterprise Admins from root domain. I set all the perms, take
> ownership to Ent. Admins, but the child domain's admin can still easily re-take
> ownership and change the ACL.
>
> Is it possible to solve?
>
> Thanks,
> Gera
Anonymous
January 12, 2005 3:39:41 PM


And even the child domain's admin will be unable to take ownership?
Is it really so?

I am concerned only with "protection from dom. admins"....

--
Gera


"Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
news:o %23VwnEJ%23EHA.3120@TK2MSFTNGP12.phx.gbl...
> Hi Gera,
>
> one option would be to run a script using the Takeown tool that comes with
> Windows 2003. It can assign ownership to another user and therefore prevent
> the user who created this folder from taking ownership in the future.
>
> I hope this helps.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Gera" <Gera@discussions.microsoft.com> wrote in message
> news:21E1AE0C-47D6-4F38-BCDD-95ACE6932AAD@microsoft.com...
> > Situation: a forest consisting of a root domain and a child domain, all with
> > Win2003.
> > Is it possible to prevent admins from a child domain from doing some tasks or
> > replacing ownership with their own in the child domain?
> >
> > Simple example: I create a folder on a child domain's DC and want to leave
> > access to only Enterprise Admins from root domain. I set all the perms, take
> > ownership to Ent. Admins, but the child domain's admin can still easily re-take
> > ownership and change the ACL.
> >
> > Is it possible to solve?
> >
> > Thanks,
> > Gera
>
>
Anonymous
January 12, 2005 3:39:42 PM


Hi,

Yes, you are right; administrators will always be able to take ownership of
the folders.

In this case, you might want to think about EFS. If set up correctly it can
protect information from administrators in the child domain.

I know this is easier said than done, but domain administrators (even in a
child domain) should be trusted persons -- or should not be domain
administrators.

--
Mike
Microsoft MVP - Windows Security

"Gera" <gera@ @lukrecija.lt> wrote in message
news:%23vWC4LJ%23EHA.2580@TK2MSFTNGP15.phx.gbl...
> And even the child domain's admin will be unable to take ownership?
> Is it really so?
>
> I am concerned only with "protection from dom. admins"....
>
> --
> Gera
>
>
> "Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
> news:o %23VwnEJ%23EHA.3120@TK2MSFTNGP12.phx.gbl...
>> Hi Gera,
>>
>> one option would be to run a script using the Takeown tool that comes with
>> Windows 2003. It can assign ownership to another user and therefore prevent
>> the user who created this folder from taking ownership in the future.
>>
>> I hope this helps.
>>
>> --
>> Mike
>> Microsoft MVP - Windows Security
>>
>> "Gera" <Gera@discussions.microsoft.com> wrote in message
>> news:21E1AE0C-47D6-4F38-BCDD-95ACE6932AAD@microsoft.com...
>> > Situation: a forest consisting of a root domain and a child domain, all with
>> > Win2003.
>> > Is it possible to prevent admins from a child domain from doing some tasks or
>> > replacing ownership with their own in the child domain?
>> >
>> > Simple example: I create a folder on a child domain's DC and want to leave
>> > access to only Enterprise Admins from root domain. I set all the perms, take
>> > ownership to Ent. Admins, but the child domain's admin can still easily re-take
>> > ownership and change the ACL.
>> >
>> > Is it possible to solve?
>> >
>> > Thanks,
>> > Gera
>>
>>
>
>
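As an added example (not code from the thread or from either poster): the folder lock-down Gera describes, done with PowerShell's Get-Acl/Set-Acl, followed by the two defensive checks that follow from Mike's answer. Because every member of the DC's local Administrators group (which includes the child domain's Domain Admins) holds SeTakeOwnershipPrivilege, the owner can always be taken back; what a defender can do is record attempts to do so with a SACL entry and periodically audit for ownership drift. The path `D:\Restricted` and the group name `ROOT\Enterprise Admins` are assumptions; the script needs an elevated PowerShell 2.0+ session.

```powershell
# Added example, not code from the thread. Assumptions: the folder path, the
# root-domain NetBIOS name, and an elevated session (SeRestorePrivilege is needed
# to set an owner you are not, SeSecurityPrivilege to write the SACL).
$FolderPath = 'D:\Restricted'            # assumed path on the child-domain DC
$OwnerGroup = 'ROOT\Enterprise Admins'   # assumed NetBIOS name of the root domain

function Set-RestrictedOwnership {
    param([string]$Path, [string]$Owner)
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and do not copy the inherited ACEs.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop every explicit ACE so only the Full Control rule below remains.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Owner, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    # Owner is set to the group; .NET enables SeRestorePrivilege for this on commit.
    $acl.SetOwner([System.Security.Principal.NTAccount]$Owner)
    Set-Acl -Path $Path -AclObject $acl
}

function Enable-TakeOwnershipAudit {
    param([string]$Path)
    # Audit success and failure of WRITE_OWNER / WRITE_DAC by anyone. Entries reach
    # the Security log only while the "Audit object access" policy is enabled.
    $acl = Get-Acl -Path $Path -Audit
    $auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', 'TakeOwnership,ChangePermissions',
        'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
    $acl.AddAuditRule($auditRule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-OwnershipDrift {
    param([string]$Root, [string]$ExpectedOwner)
    # Report every directory under $Root whose owner is no longer $ExpectedOwner.
    # A hit means a holder of SeTakeOwnershipPrivilege took the directory back.
    $dirs = @(Get-Item -Path $Root) +
            @(Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
              Where-Object { $_.PSIsContainer })
    foreach ($dir in $dirs) {
        $owner = (Get-Acl -Path $dir.FullName).Owner
        if ($owner -ne $ExpectedOwner) {
            New-Object PSObject -Property @{
                Path = $dir.FullName; Owner = $owner; Expected = $ExpectedOwner
            }
        }
    }
}

# Usage: lock the folder down, start auditing, then list anything already drifted.
if (-not (Test-Path -Path $FolderPath)) {
    New-Item -ItemType Directory -Path $FolderPath | Out-Null
}
Set-RestrictedOwnership -Path $FolderPath -Owner $OwnerGroup
Enable-TakeOwnershipAudit -Path $FolderPath
Get-OwnershipDrift -Root $FolderPath -ExpectedOwner $OwnerGroup | Format-Table -AutoSize
```

Running Get-OwnershipDrift on a schedule and comparing the Security log against the audit rule is the practical substitute for the prevention the thread concludes is not available: the child domain's admins can still take the folder, but not silently.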
Anonymous
January 12, 2005 3:51:19 PM


Admin access is god access; you cannot prevent them from doing things on the
boxes they are admin on.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Gera wrote:
> Situation: a forest consisting of a root domain and a child domain, all with
> Win2003.
> Is it possible to prevent admins from a child domain from doing some tasks or
> replacing ownership with their own in the child domain?
>
> Simple example: I create a folder on a child domain's DC and want to leave
> access to only Enterprise Admins from root domain. I set all the perms, take
> ownership to Ent. Admins, but the child domain's admin can still easily re-take
> ownership and change the ACL.
>
> Is it possible to solve?
>
> Thanks,
> Gera
Anonymous
January 12, 2005 4:22:35 PM


Yes, I felt that...
Thanks for making me sure.

What about a Group Policy created in the root domain and linked to in the
child?
By default, child dom. admins can't edit it, but they can delete the link.
Is it the same situation, or is it possible to restrict this?

--
Gera


"Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
news:eLVBCVJ%23EHA.2180@TK2MSFTNGP12.phx.gbl...
> Hi,
>
> Yes, you are right; administrators will always be able to take ownership of
> the folders.
>
> In this case, you might want to think about EFS. If set up correctly it can
> protect information from administrators in the child domain.
>
> I know this is easier said than done, but domain administrators (even in a
> child domain) should be trusted persons -- or should not be domain
> administrators.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Gera" <gera@ @lukrecija.lt> wrote in message
> news:%23vWC4LJ%23EHA.2580@TK2MSFTNGP15.phx.gbl...
> > And even the child domain's admin will be unable to take ownership?
> > Is it really so?
> >
> > I am concerned only with "protection from dom. admins"....
> >
> > --
> > Gera
> >
> >
> > "Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
> > news:o %23VwnEJ%23EHA.3120@TK2MSFTNGP12.phx.gbl...
> >> Hi Gera,
> >>
> >> one option would be to run a script using the Takeown tool that comes with
> >> Windows 2003. It can assign ownership to another user and therefore prevent
> >> the user who created this folder from taking ownership in the future.
> >>
> >> I hope this helps.
> >>
> >> --
> >> Mike
> >> Microsoft MVP - Windows Security
> >>
> >> "Gera" <Gera@discussions.microsoft.com> wrote in message
> >> news:21E1AE0C-47D6-4F38-BCDD-95ACE6932AAD@microsoft.com...
> >> > Situation: a forest consisting of a root domain and a child domain, all with
> >> > Win2003.
> >> > Is it possible to prevent admins from a child domain from doing some tasks or
> >> > replacing ownership with their own in the child domain?
> >> >
> >> > Simple example: I create a folder on a child domain's DC and want to leave
> >> > access to only Enterprise Admins from root domain. I set all the perms, take
> >> > ownership to Ent. Admins, but the child domain's admin can still easily re-take
> >> > ownership and change the ACL.
> >> >
> >> > Is it possible to solve?
> >> >
> >> > Thanks,
> >> > Gera
> >>
> >>
> >
> >
>
>
Anonymous
January 12, 2005 8:33:24 PM


<snip>
> What about a Group Policy created in the root domain and linked to in the
> child?
> By default, child dom. admins can't edit it, but they can delete the link.
> Is it the same situation, or is it possible to restrict this?

I never tried this, but my guess would be _no_ since it is "their"
domain... Again it comes down to trust. You also have to be aware that a
domain is not a security boundary; the forest is. There are quite a few attacks
against the forest possible if users have physical access to domain
controllers, even if these domain controllers are only for the child domain. If
these users are also (child) domain administrators, these attacks can be
carried out in an even simpler manner. A child domain administrator could take
ownership of the forest...

So if you don't trust your domain administrators, think about removing these
permissions from them and assigning (delegating) only the permissions that
they need for their work.

Feel free to post back if you need more information...

--
Mike
Microsoft MVP - Windows Security
Anonymous
January 12, 2005 8:33:25 PM


This is what separate forests are for. If you truly believe these domain
administrators are people who you can't fully trust, then your first choice
should be to replace these people.

If you can't do that, then your other choice is to create a separate *forest*.
This is the only way you can keep their actions isolated from the rest of
your environment. You also must not allow these people to have physical access
to the domain controllers of the rest of your environment, either.

Steve Riley
steriley@microsoft.com



> <snip>
>
>> What about a Group Policy created in the root domain and linked to in the
>> child?
>> By default, child dom. admins can't edit it, but they can delete the link.
>> Is it the same situation, or is it possible to restrict this?
> I never tried this, but my guess would be _no_ since it is "their"
> domain... Again it comes down to trust. You also have to be aware that a
> domain is not a security boundary; the forest is. There are quite a few
> attacks against the forest possible if users have physical access to
> domain controllers, even if these domain controllers are only for the child
> domain. If these users are also (child) domain administrators, these
> attacks can be carried out in an even simpler manner. A child domain
> administrator could take ownership of the forest...
>
> So if you don't trust your domain administrators, think about removing
> these permissions from them and assigning (delegating) only the
> permissions that they need for their work.
>
> Feel free to post back if you need more information...
>
Anonymous
January 13, 2005 1:03:39 PM


Thanks for the reply.

> I never tried this, but my guess would be _no_ since it is "their"
> domain... Again it comes down to trust. You also have to be aware that a
> domain is not a security boundary; the forest is.
Yes, I knew this. I am interested in the "border" and "level" of this
situation.

> There are quite a few attacks
> against the forest possible if users have physical access to domain
> controllers, even if these domain controllers are only for the child domain. If
> these users are also (child) domain administrators, these attacks can be
> carried out in an even simpler manner. A child domain administrator could take
> ownership of the forest...
Could you outline how it could be done? My personal mail is
gera@lukrecija.lt
Is it the regular way using standard tools, or some type of hacking manipulating
SID history and the like?

Believe me (if it is possible :-), I need this information very much in the
ongoing design process of a customer's brand new domain structure,
not to hack someone.

Thanks a lot,

--
Gera,
Sonex Computers
MCSE
Anonymous
January 13, 2005 2:31:36 PM


>> There are quite a few attacks
>> against the forest possible if users have physical access to domain
>> controllers, even if these domain controllers are only for the child domain.
>> If these users are also (child) domain administrators, these attacks can be
>> carried out in an even simpler manner. A child domain administrator could take
>> ownership of the forest...
> Could you outline how it could be done? My personal mail is
> gera@lukrecija.lt
> Is it the regular way using standard tools, or some type of hacking
> manipulating SID history and the like?

As you mention SID history, it is one of the easiest ways to become an
Enterprise Administrator. There are tools available that will do most of
the work for you. All you need to do is reboot the server (which would
usually require physical access to the server. It is also possible to do
this over an IP switch (KVM over IP) even if you don't have physical access...)

So a few things to consider when planning your domain/forest:
* Physical security of the servers (also protection of the boot sequence, ...).
* If you need high(er) security of your environment (and you can't trust
your administrators), think about multiple forests and trusts between the
forests.

Using Security Identifier (SID) Filtering to Prevent Elevation of Privilege
Attacks
http://www.microsoft.com/windows2000/techinfo/administr...

--
Mike
Microsoft MVP - Windows Security
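As an added example (not code from the thread or from Microsoft): a PowerShell check, using the ActiveDirectory module from RSAT, for the two things Mike's last reply points at from the defender's side: sIDHistory values that carry a privileged RID or a SID issued by a domain inside this same forest, and the SID-filtering ("quarantine") state of every trust. The privileged-RID table and the choice to flag intra-forest SIDs are assumptions about what is worth reviewing; ADMT-style intra-forest moves also populate sIDHistory, so a hit is a review item rather than proof of tampering.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module
# (RSAT) and an account that can read objects in every domain of the forest.
Import-Module ActiveDirectory

# RIDs that grant broad privilege in whichever domain issued the SID (assumed list).
$PrivilegedRids = @{
    500 = 'Administrator'; 512 = 'Domain Admins'; 516 = 'Domain Controllers'
    518 = 'Schema Admins';  519 = 'Enterprise Admins'
}

function ConvertTo-SidParts {
    param($Sid)
    # sIDHistory values may arrive as SecurityIdentifier objects, raw byte[] or strings.
    if ($Sid -is [byte[]]) {
        $Sid = New-Object System.Security.Principal.SecurityIdentifier($Sid, 0)
    } elseif ($Sid -isnot [System.Security.Principal.SecurityIdentifier]) {
        $Sid = New-Object System.Security.Principal.SecurityIdentifier([string]$Sid)
    }
    $s = $Sid.Value
    $cut = $s.LastIndexOf('-')
    New-Object PSObject -Property @{
        Value     = $s
        DomainSid = $s.Substring(0, $cut)      # issuing domain (or well-known authority)
        Rid       = [int]$s.Substring($cut + 1)
    }
}

function Find-SuspiciousSidHistory {
    $forest = Get-ADForest
    # Map every domain SID in this forest to its DNS name.
    $forestDomains = @{}
    foreach ($name in $forest.Domains) {
        $d = Get-ADDomain -Identity $name
        $forestDomains[$d.DomainSID.Value] = $d.DNSRoot
    }
    # sIDHistory is per-domain data, so query each domain rather than one DC.
    foreach ($name in $forest.Domains) {
        $objs = Get-ADObject -Server $name -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory
        foreach ($obj in $objs) {
            foreach ($raw in $obj.sIDHistory) {
                $p = ConvertTo-SidParts $raw
                $reasons = @()
                if ($PrivilegedRids.ContainsKey($p.Rid)) {
                    $reasons += "privileged RID $($p.Rid) ($($PrivilegedRids[$p.Rid]))"
                }
                if ($forestDomains.ContainsKey($p.DomainSid)) {
                    $reasons += "SID issued by forest domain $($forestDomains[$p.DomainSid])"
                }
                if ($reasons.Count -gt 0) {
                    New-Object PSObject -Property @{
                        Domain     = $name
                        Object     = $obj.DistinguishedName
                        SidHistory = $p.Value
                        Reason     = ($reasons -join '; ')
                    }
                }
            }
        }
    }
}

function Get-TrustSidFilteringState {
    # SIDFilteringQuarantined is the setting the article Mike links describes;
    # on a Windows 2003 trust it is switched on with the Support Tools command
    #   netdom trust <TrustingDomain> /domain:<TrustedDomain> /quarantine:yes
    Get-ADTrust -Filter * |
        Select-Object Name, Direction, ForestTransitive,
                      SIDFilteringQuarantined, SIDFilteringForestAware
}

# Usage
Find-SuspiciousSidHistory | Format-Table -AutoSize
Get-TrustSidFilteringState | Format-Table -AutoSize
```

Within a single forest, SID filtering on the parent/child trust is not a control you can rely on (the thread's point that the forest, not the domain, is the security boundary); the trust listing matters for the separate-forest design Mike and Steve recommend, where quarantine on the inter-forest trust is what stops a sIDHistory value from one forest being honoured in the other.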