Is it possible to prevent ownership replacing in a forest?

Guest

Situation: a forest consisting of a root domain and a child domain, all with
Win2003.
Is it possible to prevent admins from a child domain from doing some tasks or
replacing ownership with their own in the child domain?

Simple example: I create a folder on a child domain's DC and want to leave
access only to Enterprise Admins from the root domain. I set all the perms and
take ownership as Ent. Admins, but the child domain's admin can still easily
re-take ownership and change the ACL.

Is it possible to solve this?

Thanks,
Gera
 
Miha Pihler [MVP]

Hi Gera,

one option would be to run a script using the Takeown tool that comes with
Windows 2003. It can assign ownership to another user and therefore prevent
the user who created this folder from taking ownership in the future.

I hope this helps.
 
Gera

And even the child domain's admin will be unable to take ownership?
Is it really so?

I am concerned only with "protection from dom. admins"....
 
Miha Pihler [MVP]

Hi,

Yes, you are right; administrators will always be able to take ownership of
the folders.

In this case, you might want to think about EFS. If set up correctly, it can
protect information from administrators in the child domain.

I know this is easier said than done, but domain administrators (even in a
child domain) should be trusted persons -- or should not be domain
administrators.
 
Gera

Yes, I felt that...
Thanks for making me sure.

What about a Group Policy created in the root domain and linked in the
child?
By default, child dom. admins can't edit it, but they can delete the link.
Is it the same situation, or is it possible to restrict this?
 
Miha Pihler [MVP]

> What about a Group Policy created in the root domain and linked in the
> child?
> By default, child dom. admins can't edit it, but they can delete the link.
> Is it the same situation, or is it possible to restrict this?

I never tried this, but my guess would be _no_ since it is "their"
domain... Again, it comes down to trust. You also have to be aware that a
domain is not a security boundary; the forest is. There are quite a few attacks
against the forest possible if users have physical access to domain
controllers, even if these domain controllers are only for a child domain. If
these users are also (child) domain administrators, these attacks can be
carried out in an even simpler manner. A child domain administrator could take
ownership of the forest...

So if you don't trust your domain administrators, think about removing these
permissions from them and assigning (delegating) only the permissions that
they need for their work.

Feel free to post back if you need more information...
 
Joe Richards [MVP]

Admin access is god access; you cannot prevent them from doing things on the
boxes they are admin on.

joe
 
Steve Riley [MSFT]

This is what separate forests are for. If you truly believe these domain
administrators are people who you can't fully trust, then your first choice
should be to replace these people.

If you can't do that, then your other choice is to create a separate *forest*.
This is the only way you can keep their actions isolated from the rest of
your environment. You also must not allow these people to have physical access
to the domain controllers of the rest of your environment.

Steve Riley
(e-mail address removed)
 
Gera

Thanks for the reply.

> I never tried this, but my guess would be _no_ since it is "their"
> domain... Again, it comes down to trust. You also have to be aware that a
> domain is not a security boundary; the forest is.

Yes, I knew this. I am interested in the "border" and "level" of this
situation.

> There are quite a few attacks
> against the forest possible if users have physical access to domain
> controllers, even if these domain controllers are only for a child domain. If
> these users are also (child) domain administrators, these attacks can be
> carried out in an even simpler manner. A child domain administrator could take
> ownership of the forest...

Could you outline how it could be done? My personal mail is
(e-mail address removed)
Is it a regular way using standard tools, or some type of hacking manipulating
SID history and the like?

Believe me, (if it is possible :) I need this information very much in an
ongoing design process of a customer brand new domain structure,
not to hack someone.

Thanks a lot,
 
Miha Pihler [MVP]

> There are quite few attacks
> Could you outline how it could be done? My personal mail is
> (e-mail address removed)
> Is it a regular way using standard tools, or some type of hacking
> manipulating
> SID history and the like?

As you mention SID history, it is one of the easiest ways to become an
Enterprise Administrator. There are tools available that will do most of
the work for you. All you need to do is reboot the server (which would
usually require physical access to the server; it is also possible to do
this over an IP switch (KVM over IP) even if you don't have physical access...).

So a few things to consider when planning your domain/forest:
* Physical security of the servers (also protection of the boot sequence, ...).
* If you need high(er) security for your environment (and you can't trust
your administrators), think about multiple forests and trusts between the
forests.

Using Security Identifier (SID) Filtering to Prevent Elevation of Privilege
Attacks
http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
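An added example (not from any poster in this thread) that audits the thread's recommendation from the defender's side: it lists every trust the domain knows about and decodes, from the trustAttributes bits documented in MS-ADTS, whether SID filtering will actually strip SIDHistory on that trust. It assumes the RSAT ActiveDirectory module (Get-ADTrust) is installed; the optional -Server parameter is a placeholder for a DC of your choice.

```powershell
# Added example, not code from the thread. Reports SID-filtering state per
# trust, decoded from the trustAttributes bit flags defined in MS-ADTS.
# Assumes the RSAT ActiveDirectory module; no domain names are hard-coded.
Import-Module ActiveDirectory

# trustAttributes bits that decide what SID filtering does on a trust
$TA_QUARANTINED_DOMAIN = 0x04   # "quarantine": SID filtering on an external trust
$TA_FOREST_TRANSITIVE  = 0x08   # forest trust
$TA_WITHIN_FOREST      = 0x20   # parent/child or tree-root trust inside one forest
$TA_TREAT_AS_EXTERNAL  = 0x40   # forest trust filtered only as strictly as an external one

function Get-TrustSidFilteringReport {
    param([string]$Server)   # optional DC to query; defaults to the current domain
    $trusts = if ($Server) { Get-ADTrust -Filter * -Server $Server } else { Get-ADTrust -Filter * }
    foreach ($t in $trusts) {
        $attr = [int]$t.TrustAttributes
        if ($attr -band $TA_WITHIN_FOREST) {
            # The thread's situation: SIDHistory is never filtered inside a forest,
            # so a child-domain admin is not contained by this trust at all.
            $state = 'intra-forest: SID filtering not possible (the forest is the boundary)'
        } elseif ($attr -band $TA_FOREST_TRANSITIVE) {
            $state = if ($attr -band $TA_TREAT_AS_EXTERNAL) {
                'forest trust: filtering relaxed (TREAT_AS_EXTERNAL set) - review'
            } else { 'forest trust: full SID filtering (default)' }
        } else {
            $state = if ($attr -band $TA_QUARANTINED_DOMAIN) {
                'external trust: quarantine on'
            } else { 'external trust: QUARANTINE OFF - enable with netdom trust <trusting> /domain:<trusted> /quarantine:yes' }
        }
        [pscustomobject]@{
            Name         = $t.Name
            Direction    = $t.Direction
            Attributes   = ('0x{0:X}' -f $attr)
            SidFiltering = $state
        }
    }
}

Get-TrustSidFilteringReport | Format-Table -AutoSize
```

Any row reporting "intra-forest" is exactly the case the MVPs describe: only a separate forest (an external or forest trust with filtering kept on) gives you a filterable boundary.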
 