Javier J
INFOSEC/NACOSA sec. templates and EXPANDING the AD Schema?
Hi all!
Through a set of circumstances too long to mention, I have been tasked
with testing our company software in a domain hardened as per the
INFOSEC NACOSA 2.1 templates (ICN DC.inf, ICN Domain.inf,
InfosecCmdNS_srv_Ver2.1.inf / InfosecCmdNS_ws_Ver2.1.inf...)
The issue is, when the operating system is set up according to the
templates (as per the dc_w2ksec_install.doc - "COMPUSEC Technical and
Implementation Directive for Security Settings for Windows 2000 Domain
Controllers" ver 1.1, 15.Aug.2002), when I try to expand the AD schema
(using the Administrator account, that is a member of the Schema
Administrators Group), I get a security error stating that the account
can't do that.
IF I expand the AD Schema _before_ I set up all the templates, our
application runs just fine, but I need to know which are the settings
(if any) that are interfering with expanding the AD Schema, in order
to "see" how to revert them if possible, what is the impact of doing
so, etc etc.
I've been trying to find more info on the issue, but the web page that
the doc. refers to for further information
(http://cww.infosec.nato.int/compusec/Win2k_security/w2k_security.htm)
is not available, and I haven't been able to find its "successor".
So, I'd be more than grateful if anybody with relevant knowledge would
care to enlighten me. Maybe I'm not supposed to expand the AD Schema
FROM the DC? Maybe there is some security setting I have to tweak?...
I've found a page at Microsoft that says: "How to Reset User Rights
in the Default Domain Controllers Group Policy Object"
(http://support.microsoft.com/?id=267553), but I'm quite reluctant to
use such a "shotgun" approach.
Any and all help will be appreciated to an inordinate extent.
Thanks a lot for reading this far.
Javier J