Security Basics: Re: Least privilege vs Windows server security

[Bill Stout <billbrietstout () yahoo com>]

I'm not sure that the firewall buys you much. You have one administrative domain which spans a firewall, and one side 
has more sensitive info. Domain resources can be enumerated from the less secure side, and password guessing can be 
done from the less secure side. 

Maybe the firewall blocks direct network access to specific law resources, but it does nothing for indirect methods 
which don't require a direct network path (such as through mapped drives or user shell commands sent to accessible 
servers to access blocked server resources). I'm not sure how you're referring to 'Least Privilege' in the context of a 
Microsoft environment. In a Microsoft environment even the scheduler can escalate your privileges: open a command 
window and open your task manager - you'll see the process tab show cmd.exe running as you (with limited privileges). 
In your command window type 'at 19:21 /interactive cmd.exe' (instead of 19:21 add a minute to your current time). After 
the new command window pops up, task manager will show the second command window is running with SYSTEM privilege. You 
can do this on remote computers as well. 

Possibly you might want to consider making each side a separate sub-domain (isolate user accounts into their own OUs). 
Also you may want to consider using gateway devices instead of a firewall (reverse proxies, OWA, etc). You can choose 
to treat the sites as separate Internet sites, and use SMTP for Exchange, and helo instead of ehelo. This would be 
helpful if one of the groups moved to a different building or city. 

I believe I'm agreeing with the other responses but with different verbage. 

Bill Stout 


----- Original Message ---- 
From: Dan Lynch <DLynch () placer ca gov> 
To: security-basics () securityfocus com; firewalls () securityfocus com 
Sent: Thursday, July 12, 2007 11:47:47 AM 
Subject: Least privilege vs Windows server security 


Greetings list, 

I'm looking for opinions on an issue of contention in our organization. 
Our enterprise is made up of two networks - one for general government 
departments, and another for law enforcement related departments. 

The users, Windows file servers, and MS Exchange servers of both 
networks are members of the same MS Active Directory domain. A file 
server, an Exchange server, and a domain controller sit on each network. 
The LE network requires stronger data security measures as it also 
includes non-member servers that hold highly sensitive data. These are 
the crown jewels, and the LE network is therefore behind a firewall from 
our general government network 

The entire system is in production and running with a few administrative 
and functional limitations. We've tried to follow the principle of least 
privilege when allowing server-to-server communication across the 
firewall. We've attempted to enumerate all services necessary for Active 
Directory replication, and at the firewall accommodate only those 
protocols from the general government servers to the LE servers. This 
has proven difficult, especially when addressing RPC-style services. 
Certain administrative scripts that make WMI calls, resulting in RPC 
communications won't run. 

Also, connections to the LE servers for drive mappings, RDP, and other 
administrative protocols are restricted to specific general government 
network addresses. 

All this amounts to some hardship for Windows server administrators. 
Their position is that all communications between servers should be 
allowed. They argue that if the general government domain controller is 
"owned", no firewall restrictions will prevent an attacker from having 
his way with the LE server. In their view, the principle of least 
privilege is nonsense. Instead, a restriction is only justified if a 
specific benefit can be enumerated. 

I'm not quite sure how to answer them, and would appreciate any input on 
this subject. 

In practice, what specific scenarios justify the restrictions we've 
placed on communications between these servers? 

Philosophically, what logical arguments support the principle of least 
privilege in the environment I've described? 

Thanks for your input, 

Dan Lynch, CISSP 
Information Technology Analyst 
County of Placer 
Auburn, CA