AD Security Patch

  • Thread starter Thread starter Patty Calcaterra
  • Start date Start date
P

Patty Calcaterra

All,

I have been looking for this. Does anyone know what this refers to?
And what applications this may break? Is it applied to DCs or to all
servers in a domain/forest? Is it specific to W2K or to W2K3 as well?

I have no more details other than the name is "AD Security Patch."

Thanks!

Patty
 
Patty said:
All,

I have been looking for this. Does anyone know what this refers to?
And what applications this may break? Is it applied to DCs or to all
servers in a domain/forest? Is it specific to W2K or to W2K3 as well?

I have no more details other than the name is "AD Security Patch."
Click to expand...

I don't know anything about such download
 
Thanks. I was looking for a sanity check. Anyone else heard of some
sort of mystical AD Security Patch?
 
Patty said:
Thanks. I was looking for a sanity check. Anyone else heard of some
sort of mystical AD Security Patch?
Click to expand...

Do You know what sort of problems this "mythical" patch is resolving?
 
It is supposed to secure AD. I myself have never heard of such a
thing. Ever. However, the company also says it has broken other
applications, which makes me assume that the it is applied to all
servers and not just DCs. I am currently involved in deploying Unity
and they AD folks are concerned that their AD patch is going to cause
issues.

Now, I have asked the AD folks for more details but....heaven help me
for saying this....they are not very bright but extremely defensive and
think they know everything. I had to explain LDIF to them for all
their knowledge, though....

So, with this in mind, before I question them some more, I wanted
confirmation that this really existed. I did a dump on their patches
and none of them said "AD Security Patch". Heh. However, when pushed,
they said that ws the name of it and they had regrets for implementing
it.
 
Patty said:
It is supposed to secure AD. I myself have never heard of such a
Click to expand...
(...)

I think that they don't know what they are talking about. There was no
security patch in last few months targeting spepcific Active Directory
and there was no patch with pourpose of AD hardening.

If they had some problems probably they run into some problems after one
of security patches but not AD specific.
 
Try this...

Have them review the checklists from here and see if they can pinpoint what
they are referring to:
http://TownsendOneMedia.com/BulletInBlue/

Some problematic patches that I've seen affect AD-environments:
http://www.microsoft.com/technet/security/bulletin/ms05-011.mspx (SMB)
http://www.microsoft.com/technet/security/bulletin/ms05-027.mspx (SMB)
http://www.microsoft.com/technet/security/bulletin/ms05-019.mspx (TCP/IP -
lot of problems with this. See the caveats section for a # of issues and
post-hotfixes, especially 898060).

If you are referring to Cisco Unity, their supported patch list is here:
http://www.cisco.com/en/US/products...cts_device_support_table09186a008020a63e.html

Another sneaking suspicion I have is when they refer to 'secure AD' is they
may have attempted to use one of the security templates from the NSA or MS:
http://www.microsoft.com/downloads/...93-147A-4481-9346-F93A4081EEA8&displaylang=en

http://www.nsa.gov/snac/downloads_win2000.cfm?MenuID=scg10.3.1.1

These templates can break a ton things if not reviewed VERY carefully.

Other than that, tell their AD guru's they aren't guru's if they can't give
you a name other than 'AD Security Patch'. They should know better that all
patches are KB or Bulletins #'s. Coax the # out of them by telling them that
the MS06-099 is the fix for their problems. If they say "YES!", their
morons. If they say "No, it's ____", bingo, there's the number you need. :~>
 
Heh, I will present the first three articles to them. These may be
handy. I need to review the patches they have installed versus these
articles you mention tomorrow. All I got from them is that the patch
broke some "stuff" but they couldn't really define the "stuff".

Regarding the Security Templates, that was the FIRST thing I thought
about when they said "Secure AD." So, I asked them if they did any
tweaks on their policies and I got a bunch of head scratching and then
a vehement NO! It's a patch! After speaking to them, I am thinking
that mentioning the NSA security docs would get some more head
scratching. And if it is in my power, they will never EVER know that
GPOs exist or that you can use them to secure more "stuff." They are
sweet boys and although a secure environment would be grand, it would
be like giving em beer and cattle prods.

Anyhow, I totally agree about these policies breaking a lot of things.
The hisec ones are really fun :-).

Snort-snort! MS06-099! I need to try that one! However, I already
know these fellas aren't gurus...I would call em goobs, sweet, gentle,
and clueless goobs. Heh.

I will keep ya posted on the findings.

Thanks again and thanks for the post, GeeB! I will forward the Patch
List on to them. I can trust them with that...policies are another
matter. :-)

Regards,

Patty
 
Well, it appears they did have some of these "problematic" patches
installed, especially the second one (MS05-027). I reassured them that
this would not impact Unity, though. They were impressed that there
was more a name than AD Security Patch, too :-)...

Anyhow, we are a go extending the schema tonight.

Thanks again and your help was very much appreciated!

Regards,

Patty
 
Red

append the previous domain for a 'morse'al with:

-.. --- .-- -. .-.. --- .- -.. -..-. -- .--. .-.-.- .- ... .--.


A/C/R/E/C
 
Back
Top