Escalate privileges possible on DC?


Guest

We currently have about 200 domains in a single forest. This spans about 100 countries.
One of our concerns with this design is that an administrator in one domain can gain access to other domains (gaining enterprise admin rights). As far as I understand it, local system, local administrators, and any domain account with server operator privileges can do this if they have access to a DC.

First off, is it true that this attack is possible?
Secondly, what are your experiences with other setups (multiple forests, a single, large domain etc.)?

TIA

- JH
 

Keith W. McCammon

John Howard said:
We currently have about 200 domains in a single forest. This spans about
100 countries.
One of our concerns with this design is that an administrator in one
domain can gain access to other domains (gaining enterprise admin rights).
As far as I understand it, local system, local administrators, and any
domain account with server operator privileges can do this if they have
access to a DC.
First off, is it true that this attack is possible?

It depends on a number of things. Regardless of forest association,
domain-specific admin groups should only include those accounts that are
authorized to manage those domains. If you have company.com and
1.company.com, 2.company.com, etc., 1 and 2 (assuming children) normally
wouldn't have any management rights to company.com, although it can
certainly be permitted, if set up that way.
John Howard said:
Secondly, what are your experiences with other setups (multiple forests, a
single, large domain etc.)?

Just what I've alluded to above. On a domain basis, you should be
explicitly assigning admin rights to those who require it, and no more. If
anyone has rights to another domain for which they are not authorized,
that's an implementation issue.

As far as gaining access to a domain from a physical DC, there are two
issues at play:

1) Improperly assigned/managed group membership across trusted domains
2) Lack of physical access controls

Number two is very important. I could walk in off the street, with no user
account on any of your networks, and eventually gain some type of access to
sensitive information if left alone with a physical DC. If someone you
don't trust has physical access to your DC, it's not your DC.
 

Guest

I have heard rumor of a virus attack in the past that bumps up the user rights to admin rights,
but it would have to be run from your network, not out in the public sector.
 

Steven L Umbach

In a forest there are transitive trusts between all the domains. However, just because
someone has access to a domain controller in a domain does not mean they can
compromise another domain UNLESS it is the root domain which is where the enterprise
admins group is. What makes the root domain special is that it contains the
enterprise admins group which is in the administrators group of every domain in the
forest. Of course anyone gaining access to a domain controller can compromise the
domain for that domain controller and possibly other domains if the domain they
compromise has users that have administrative powers in other domains.

One strategy if an organization wants to keep a single forest is to use an empty root
domain that only contains the administrator, which would also be a member of the
enterprise administrators group. That domain's domain controllers would need to then be very
secure physically, and only a few key people would know the password, keeping it secure
in a safe. --- Steve

http://www.winnetmag.com/Article/ArticleID/23521/23521.html --- empty root domain.

John Howard said:
We currently have about 200 domains in a single forest. This spans about 100 countries.
One of our concerns with this design is that an administrator in one domain can
gain access to other domains (gaining enterprise admin rights). As far as I
understand it, local system, local administrators, and any domain account with server
operator privileges can do this if they have access to a DC.
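
As an added example, not code from this thread or from any of the posters, the following PowerShell script audits the two things Keith and Steve describe: which accounts end up with administrator rights in each domain through group nesting across the forest (Keith's "improperly assigned/managed group membership across trusted domains"), and who sits in Enterprise Admins in the forest root (Steve's point that this one group is in the Administrators group of every domain). It assumes the RSAT ActiveDirectory module and an account that can read group membership in every domain of the forest; the function names Get-DomainFromDN and Get-PrivilegedMembers are invented for this example.

```powershell
# Added example, not from the thread: audit privileged group membership across all
# domains of one forest. Assumes the RSAT ActiveDirectory module and read access to
# every domain. Function names (Get-DomainFromDN, Get-PrivilegedMembers) are made up here.
Import-Module ActiveDirectory

# Turn a distinguishedName into the DNS name of the domain that holds the object,
# e.g. "CN=x,OU=y,DC=emea,DC=company,DC=com" -> "emea.company.com".
function Get-DomainFromDN {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $dcParts = ($DistinguishedName -split ',') |
        Where-Object { $_ -like 'DC=*' } |
        ForEach-Object { $_.Substring(3) }
    return ($dcParts -join '.')
}

# Expand a group's membership transitively, following nested groups into whatever
# domain they live in (in-forest members are referenced by their real DN, so the
# member's own domain can be queried directly). Returns one object per non-group member.
function Get-PrivilegedMembers {
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [hashtable]$Seen = @{}          # DNs already visited, to stop on circular nesting
    )
    $group = Get-ADObject -Identity $GroupDN -Server (Get-DomainFromDN $GroupDN) -Properties member
    foreach ($memberDN in @($group.member)) {
        if ($Seen.ContainsKey($memberDN)) { continue }
        $Seen[$memberDN] = $true
        $memberDomain = Get-DomainFromDN $memberDN
        $obj = Get-ADObject -Identity $memberDN -Server $memberDomain -Properties objectClass, sAMAccountName
        if ($obj.objectClass -eq 'group') {
            Get-PrivilegedMembers -GroupDN $memberDN -Seen $Seen
        }
        else {
            # A foreignSecurityPrincipal is a placeholder for an account in another forest
            # (external trust); it is stored locally, so label it rather than trust its DN.
            $origin = if ($obj.objectClass -eq 'foreignSecurityPrincipal') { 'external forest' } else { $memberDomain }
            [pscustomobject]@{
                Member       = $obj.sAMAccountName
                MemberDomain = $origin
                MemberDN     = $memberDN
            }
        }
    }
}

$forest = Get-ADForest

# 1) Enterprise Admins lives only in the forest root and is nested in the Administrators
#    group of every domain, so each of its members is effectively an admin everywhere.
$rootDomain = Get-ADDomain -Server $forest.RootDomain
$eaDN = (Get-ADGroup -Identity "$($rootDomain.DomainSID.Value)-519" -Server $forest.RootDomain).DistinguishedName
"Enterprise Admins in $($forest.RootDomain) (administrator in all $($forest.Domains.Count) domains):"
Get-PrivilegedMembers -GroupDN $eaDN | Format-Table Member, MemberDomain -AutoSize

# 2) For every domain, expand BUILTIN\Administrators (S-1-5-32-544) and Domain Admins
#    (<domain SID>-512) and record which domain each resulting account belongs to.
$findings = foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Server $domainName
    $groupDNs = @(
        (Get-ADGroup -Identity 'S-1-5-32-544' -Server $domainName).DistinguishedName
        (Get-ADGroup -Identity "$($domain.DomainSID.Value)-512" -Server $domainName).DistinguishedName
    )
    foreach ($groupDN in $groupDNs) {
        foreach ($m in Get-PrivilegedMembers -GroupDN $groupDN) {
            [pscustomobject]@{
                Domain       = $domainName
                Group        = $groupDN
                Member       = $m.Member
                MemberDomain = $m.MemberDomain
            }
        }
    }
}

# 3) Cross-domain admin rights are the "implementation issue" to review: every row
#    here is an account that administers a domain it does not belong to. Enterprise
#    Admins members show up by design; anything else should match an explicit delegation.
"Accounts with admin rights in a domain other than their own:"
$findings | Where-Object { $_.MemberDomain -ne $_.Domain } |
    Sort-Object Domain, Member | Format-Table Domain, Member, MemberDomain, Group -AutoSize
```

Run it from a workstation joined to any domain in the forest; the well-known SIDs (S-1-5-32-544, the -512 and -519 RIDs) are used instead of group names so the script is not fooled by renamed groups. With an empty root domain as Steve suggests, section 1 should list only the handful of root accounts kept in the safe, and section 2 should show nothing beyond those accounts plus whatever cross-domain delegation you have documented.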
 
