Security Basics mailing list archives

Least privilege vs Windows server security


From: "Dan Lynch" <DLynch () placer ca gov>
Date: Thu, 12 Jul 2007 11:47:47 -0700

Greetings list,

I'm looking for opinions on an issue of contention in our organization.
Our enterprise is made up of two networks - one for general government
departments, and another for law-enforcement-related departments.

The users, Windows file servers, and MS Exchange servers of both
networks are members of the same MS Active Directory domain. A file
server, an Exchange server, and a domain controller sit on each network.
The LE network requires stronger data security measures as it also
includes non-member servers that hold highly sensitive data. These are
the crown jewels, and the LE network is therefore behind a firewall from
our general government network.

The entire system is in production and running with a few administrative
and functional limitations. We've tried to follow the principle of least
privilege when allowing server-to-server communication across the
firewall. We've attempted to enumerate all services necessary for Active
Directory replication, and at the firewall accommodate only those
protocols from the general government servers to the LE servers. This
has proven difficult, especially when addressing RPC-style services.
Certain administrative scripts that make WMI calls, resulting in RPC
communications, won't run.

Also, connections to the LE servers for drive mappings, RDP, and other
administrative protocols are restricted to specific general government
network addresses. 

All this amounts to some hardship for Windows server administrators.
Their position is that all communications between servers should be
allowed. They argue that if the general government domain controller is
"owned", no firewall restrictions will prevent an attacker from having
his way with the LE server. In their view, the principle of least
privilege is nonsense. Instead, a restriction is only justified if a
specific benefit can be enumerated.

I'm not quite sure how to answer them, and would appreciate any input on
this subject.

In practice, what specific scenarios justify the restrictions we've
placed on communications between these servers?

Philosophically, what logical arguments support the principle of least
privilege in the environment I've described?

Thanks for your input,

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
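
The replication-enumeration problem described in the post above has a standard fix: pin the RPC ports a domain controller uses, so the firewall between the two DCs admits a small, known set of ports instead of the whole RPC dynamic range, and WMI/DCOM calls (which negotiate through the endpoint mapper into that range) start working through the firewall as well. The script below is an added worked example written for this page, not code from the original post or from Placer County. The registry values are the ones Microsoft documents for this purpose (KB 224196 for the NTDS and NTFRS ports, KB 154596 for the Rpc\Internet key); the host names GG-DC01 and LE-DC01, the ports 5000/5001 and the range 5002-5100 are assumptions, and it assumes PowerShell 3 or later running elevated on each DC. The point for the least-privilege argument is not that pinning stops an attacker who already owns the general-government DC; it is that the resulting rule set is finite, auditable, and limited to the hosts and services you chose.

```powershell
# Added example, not part of the original post. Pins the RPC ports a domain
# controller uses so a firewall between two DCs can allow a fixed port set.
# Assumed values: host names GG-DC01/LE-DC01, ports 5000/5001, range 5002-5100.
# Run elevated on each DC, then reboot for the changes to take effect.

function Set-FixedRpcPorts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]    $AdReplicationPort = 5000,        # assumed: NTDS replication
        [int]    $FrsPort           = 5001,        # assumed: FRS (SYSVOL) replication
        [string] $DynamicRange      = '5002-5100'  # assumed: all other RPC/DCOM, incl. WMI
    )
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $frs  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters'
    $rpc  = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

    if ($PSCmdlet.ShouldProcess($ntds, "Set 'TCP/IP Port' = $AdReplicationPort")) {
        Set-ItemProperty -Path $ntds -Name 'TCP/IP Port' -Value $AdReplicationPort -Type DWord
    }
    # NTFRS is only present on DCs that still replicate SYSVOL with FRS.
    if ((Test-Path $frs) -and $PSCmdlet.ShouldProcess($frs, "Set 'RPC TCP/IP Port Assignment' = $FrsPort")) {
        Set-ItemProperty -Path $frs -Name 'RPC TCP/IP Port Assignment' -Value $FrsPort -Type DWord
    }
    if ($PSCmdlet.ShouldProcess($rpc, "Restrict dynamic RPC allocation to $DynamicRange")) {
        if (-not (Test-Path $rpc)) { New-Item -Path $rpc -Force | Out-Null }
        Set-ItemProperty -Path $rpc -Name 'Ports'                  -Value @($DynamicRange) -Type MultiString
        Set-ItemProperty -Path $rpc -Name 'PortsInternetAvailable' -Value 'Y' -Type String
        Set-ItemProperty -Path $rpc -Name 'UseInternetPorts'       -Value 'Y' -Type String
    }
}

function Test-FixedRpcPorts {
    # Read back what Set-FixedRpcPorts wrote. After the reboot, "netstat -ano"
    # should show lsass.exe listening on the pinned replication port.
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
    $rpc  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AdReplicationPort = $ntds.'TCP/IP Port'
        DynamicRange      = ($rpc.Ports -join ',')
        InternetPortsOn   = ($rpc.UseInternetPorts -eq 'Y' -and $rpc.PortsInternetAvailable -eq 'Y')
    }
}

function Get-DcFirewallAllowList {
    # Emits the DC-to-DC rules the firewall needs once the ports are pinned,
    # in both directions, because replication is initiated from either side.
    param(
        [string] $GeneralDc = 'GG-DC01',   # assumed host name
        [string] $LeDc      = 'LE-DC01',   # assumed host name
        [int]    $AdReplicationPort = 5000,
        [int]    $FrsPort           = 5001,
        [string] $DynamicRange      = '5002-5100'
    )
    $ports = @(
        @{ Proto = 'TCP'; Port = 135;                Purpose = 'RPC endpoint mapper' },
        @{ Proto = 'TCP'; Port = $AdReplicationPort; Purpose = 'AD replication (pinned)' },
        @{ Proto = 'TCP'; Port = $FrsPort;           Purpose = 'FRS SYSVOL replication (pinned)' },
        @{ Proto = 'TCP'; Port = $DynamicRange;      Purpose = 'Other RPC/DCOM incl. WMI (pinned range)' },
        @{ Proto = 'TCP'; Port = 389;  Purpose = 'LDAP' },
        @{ Proto = 'UDP'; Port = 389;  Purpose = 'LDAP (CLDAP ping)' },
        @{ Proto = 'TCP'; Port = 636;  Purpose = 'LDAP over SSL' },
        @{ Proto = 'TCP'; Port = 3268; Purpose = 'Global catalog' },
        @{ Proto = 'TCP'; Port = 3269; Purpose = 'Global catalog over SSL' },
        @{ Proto = 'TCP'; Port = 88;   Purpose = 'Kerberos' },
        @{ Proto = 'UDP'; Port = 88;   Purpose = 'Kerberos' },
        @{ Proto = 'TCP'; Port = 464;  Purpose = 'Kerberos password change' },
        @{ Proto = 'UDP'; Port = 464;  Purpose = 'Kerberos password change' },
        @{ Proto = 'TCP'; Port = 53;   Purpose = 'DNS' },
        @{ Proto = 'UDP'; Port = 53;   Purpose = 'DNS' },
        @{ Proto = 'TCP'; Port = 445;  Purpose = 'SMB (SYSVOL, NetLogon)' },
        @{ Proto = 'UDP'; Port = 123;  Purpose = 'NTP (time sync)' }
    )
    foreach ($pair in @(@($GeneralDc, $LeDc), @($LeDc, $GeneralDc))) {
        foreach ($p in $ports) {
            [pscustomobject]@{
                Source = $pair[0]; Destination = $pair[1]
                Protocol = $p.Proto; Port = $p.Port; Purpose = $p.Purpose
            }
        }
    }
}

# Usage: preview the registry changes, then print the rule set for the firewall team.
Set-FixedRpcPorts -WhatIf
Test-FixedRpcPorts
Get-DcFirewallAllowList | Format-Table -AutoSize
```

Run Set-FixedRpcPorts without -WhatIf on both DCs, reboot, and confirm with Test-FixedRpcPorts and a netstat check that lsass.exe is listening on the pinned port. The rule set from Get-DcFirewallAllowList is what replaces an "any RPC" hole: once the dynamic range is bounded, the WMI-driven administrative scripts mentioned in the post traverse port 135 plus that range from the specific source addresses you permit, and nothing else on the LE server is reachable from the general-government side.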

