Doesn't seem very secure, but would like to hear another opinion. As I said before, I just need to be able to join servers to the domain from the DMZ and utilize the private AD Domain for authentication and application access. My suggestion would be that dedicated forests for the DMZ would be a viable option considering the number of applications you have in the DMZ.
MVP-Directory Services. You would want to allow communication to more than a single RWDC for redundancy reasons. Using Server Core makes sense, as long as you don't need functionality that's not supported on it. It is better for security reasons. I recommend filtering attributes that you don't want to be replicated to RODCs for security reasons. For security reasons, I recommend using IPsec tunnels if possible and making sure that the traffic is encrypted.
Yes, this is possible. Allowing communication with one RWDC should be enough. I recommend allowing communication with at least two RWDCs for redundancy. For ports, check the article I provided. They should be opened in both directions. You can use both options. You just have to choose one. For joining, make sure that your servers are pointing to the correct DNS server as primary DNS server and that the needed ports I provided are opened.
You can choose one of them. With this information, we can determine which RODCs have account passwords stored on them. The next step is identifying ways to gain access to the RODC with interesting account passwords stored on it.
One way to do this is to go after accounts with local admin rights on the RODC. Interestingly enough, we often find a mix of lower-level user accounts along with server admin accounts in RODC admin groups.
This provides an interesting escalation path of its own, since the best practice is to allow the RODC admin group's account passwords to be cached on the RODC. This configuration typically results in most domain accounts having stored passwords on RODCs.
While the password stored on the RODC may not be the current one, this is still a risk. There is another way though. An administrator can pre-populate account passwords on a RODC if those accounts are allowed to be cached.
The RODC seems to track each authentication and password separately. Using PowerShell, we can remove the initial string of characters shown before the account distinguished name so that only the account Distinguished Name is displayed, and remove duplicates. This list of accounts has their passwords stored on the RODC. The list includes user and computer accounts, which means that if we can gain admin access to the RODC, we can steal these credentials and use them.
The computer password hash can be used to create Silver Tickets to gain full admin rights on the computer. If we have admin accounts in this list, we can leverage this access to jump to other systems.
Compromising one of these accounts provides an escalation path to gaining the access that accounts with stored passwords have. There may also be service account credentials on the RODC, especially if they are delegated rights to Active Directory without using the default AD administration groups (which is itself a best practice). Any service accounts with privileged rights should be added to a group which is configured to prevent member account passwords from being cached on RODCs.
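An audit script for the two points above (which accounts actually have passwords stored on an RODC, and whether privileged service accounts are covered by the denied-caching group), written as an added example rather than taken from the original post; it assumes the ActiveDirectory module, an RODC named RODC01 and the service account names are placeholders:

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# PowerShell module is installed and the caller can query a writable DC.
Import-Module ActiveDirectory

$rodc = 'RODC01'                                # placeholder RODC hostname
$privilegedServiceAccounts = @('svc_sql', 'svc_backup')   # placeholders

# Accounts whose passwords have been revealed to (stored on) this RODC.
# This is the same list the RODC tracks per authentication; de-duplicate by DN.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object -ExpandProperty DistinguishedName |
    Sort-Object -Unique

# Accounts explicitly denied caching on this RODC (resolved from the Denied RODC
# Password Replication Group and any other denied entries in the PRP).
$denied = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object -ExpandProperty DistinguishedName

Write-Host "Accounts with passwords stored on ${rodc}: $($revealed.Count)"

foreach ($name in $privilegedServiceAccounts) {
    $acct = Get-ADUser -Identity $name -ErrorAction SilentlyContinue
    if (-not $acct) { Write-Warning "Account $name not found"; continue }

    if ($revealed -contains $acct.DistinguishedName) {
        # The password already lives on the RODC: reset it after fixing the policy.
        Write-Warning "$name already has a password stored on $rodc"
    }
    if ($denied -notcontains $acct.DistinguishedName) {
        Write-Warning "$name is not denied from caching on $rodc; adding to denied group"
        # Remove -WhatIf to apply the change.
        Add-ADGroupMember -Identity 'Denied RODC Password Replication Group' `
            -Members $acct -WhatIf
    }
}
```

Run this against every RODC in the domain; an account that shows up as already revealed needs a password reset in addition to the group change, since the policy only stops future caching.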
This account is not a member of any group. Control of this one account provides full control on accounts and groups in the domain. So, by gaining access to the RODC, we now have full control of accounts and groups as well as admin rights to all servers in the Servers OU through the ability to modify the Server Admins group membership.
There are a couple of caveats though. We can only forge useful Kerberos tickets against an RODC if the service accounts (computer or user) for the service tickets we will be requesting have their associated passwords cached on that RODC.
Once the Silver Tickets are generated and passed into memory, we can view these tickets in klist. Once all the Silver Tickets are generated and are in memory, we can connect to the Admin server using PowerShell remoting or any other available service supporting Kerberos authentication. Microsoft has a good write-up on ensuring the DSRM password changes. Since it is possible to pass-the-hash for the DSRM account, why not leverage this access to pull password data for any domain account using Mimikatz DCSync?
This enables an attacker to retain Domain Controller admin rights even when all domain user and computer passwords are changed. The only true mitigation for this issue is to ensure the DSRM account passwords are unique for every Domain Controller and are changed regularly, at least as often as other account passwords.
In its default configuration, Read-Only Domain Controllers can provide Domain services to a location without potentially risking the entire domain. The RODC can be configured to cache user and computer passwords to enable local authentication of these users.
The ability of a RODC to act like a Domain Controller is extremely useful and there are scenarios where it may make sense to allow any account password to be cached. I improve security for enterprises around the world working for TrimarcSecurity.
I do not like that the servers will have direct communication with my Active Directory, so I am considering installing a Read-Only Domain Controller that replicates the real one.
It seems like there are security benefits with RODC only when it is not physically secure: no passwords are cached, so if someone steals it, they still cannot modify the real AD or find the credentials to do so. RODCs really are all about physical security, and not at all about network security. They're an upgrade of ye olde Backup Domain Controllers, that had a nasty tendency to get stolen and the database along with it. RODCs come with a unique krbtgt account, so they can't intrude on Active Directory, or decipher Kerberos tickets on behalf of WDCs, in case of a physical breach, and by default RODCs don't allow password caching, again in case of a physical breach.
By restricting cached credentials, to only user and computer accounts belonging to a branch office, you limit the fallout in case of a breach, and you allow the branch office to continue functioning in case of a link down. You'll have to audit every single one of your AD integrated applications to ensure that it supports working with a RODC. Because there are still many scenarios that RODCs simply do not support. Certain RPC calls can and will simply fail without reason.
When a user or application in a site that is serviced by an RODC attempts to perform a write operation, one of the following actions can occur. Microsoft released an article about putting domain controllers in the DMZ which makes for an interesting read. Many believe that many internet-facing proprietary MS products can be exposed to the internet with minimal risk, such as Exchange, which is why they discontinued TMG; however, you'll need to address the requirements for a DC in the DMZ in your own environment.
The MS document is here, and certainly worth a read to ensure you're covering all your bases.