<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://msmvps.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>How I learned to love DNS : Active Directory</title><link>http://msmvps.com/blogs/dns/archive/tags/Active+Directory/default.aspx</link><description>Tags: Active Directory</description><dc:language>en</dc:language><generator>CommunityServer 2008.5 SP2 (Build: 40407.4157)</generator><item><title>Kiss me, I'm secure!</title><link>http://msmvps.com/blogs/dns/archive/2005/10/27/73230.aspx</link><pubDate>Fri, 28 Oct 2005 03:07:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:73230</guid><dc:creator>james</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/dns/rsscomments.aspx?PostID=73230</wfw:commentRss><comments>http://msmvps.com/blogs/dns/archive/2005/10/27/73230.aspx#comments</comments><description>This could also be "How to confuse and confound yourself in the name of security."  I am now working on an automated security package that lets users deploy XP Pro and Server 2003 in a standardized baseline.  The premise is to:
&lt;br&gt;&lt;/br&gt;
&lt;list&gt;
&lt;li&gt;Patch the system (up to date of package release)&lt;/li&gt;
&lt;li&gt;Apply local security templates (you get the option of member server or DC for WS2003 builds)&lt;/li&gt;
&lt;li&gt;Install approved and licensed apps for machine via option menu&lt;/li&gt;
&lt;/list&gt;
&lt;br&gt;&lt;/br&gt;
This has been going on for about 18 months now, and the project was missing a strong technical person, particularly on the server portion.  Well, enough people confused me for that person that I am now handling this.  We have to base the security measures on things like IAVAs (patches and specific settings required by DISA, a government agency) and security templates including settings from STIGs (also by DISA).  The goal is to have a very secure platform before you connect to the network. 
&lt;br&gt;&lt;/br&gt;
The only problem with this, is that you break stuff.  Lots of stuff.  It took another contractor engineer, an MS consultant (Joe, or as I call him "Spaghetti Western"), and myself a couple of days to get enough settings adjusted to get the Management Point installed.  Now, we are still having issues with clients reporting their status even though the client is installed.
&lt;br&gt;&lt;/br&gt;
We had other quirks such as:
&lt;br&gt;&lt;/br&gt;
&lt;list&gt;
&lt;li&gt;NTVDM error when installing SQL server (you need to adjust your temp path to something like "C:\Temp" that doesn't exceed 8.3 naming convention)&lt;/li&gt;
&lt;li&gt;Terminal Services connectivity (didn't realize that the hi-sec recommendation from MS was to specifically deny "Everyone" via local policy)&lt;/li&gt;
&lt;li&gt;MP installation issues (hotfix needed from PSS)&lt;/li&gt;
&lt;li&gt;SMS Trace is &lt;i&gt;awesome&lt;/i&gt;&lt;/li&gt;
&lt;/list&gt;
&lt;br&gt;&lt;/br&gt;
So, my question to you is what do you guys do for security standardization?  We have security templates and settings all over the place, and it has been fun shaping GPOs to fix these settings for a given role.&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=73230" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/dns/archive/tags/Active+Directory/default.aspx">Active Directory</category></item><item><title>Do you use reverse lookup zones?</title><link>http://msmvps.com/blogs/dns/archive/2005/03/05/37681.aspx</link><pubDate>Sat, 05 Mar 2005 22:18:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:37681</guid><dc:creator>james</dc:creator><slash:comments>4</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/dns/rsscomments.aspx?PostID=37681</wfw:commentRss><comments>http://msmvps.com/blogs/dns/archive/2005/03/05/37681.aspx#comments</comments><description>By default, Active Directory does not require the use of reverse lookup zones to validate clients. The primary function of AD DNS is to permit the lookup of clients, services, and the all-valuable DC GUIDs for inter-DC communication. 
&lt;P&gt;&lt;/P&gt;Spiffy. 
&lt;P&gt;&lt;/P&gt;However, it appears that not everybody likes this. Now, I will be the first to admit that I don't read all of the RFCs for a given protocol or spec. OK, I will also admit that I like to lie about reading anything regarding RFCs, and in fact have better luck reading nutrition information from KFC. 
&lt;P&gt;&lt;/P&gt;The problem appears to be that certain protocols and connection methodologies just love reverse lookups. The most commonly seen implementation is with email servers. You can perform a reverse lookup on the incoming mail server connection to see if it is what it claims to be. But there are other uses for this. If you try connecting Apple OS X clients to your AD you might be greeted with various issues if you don't have a reverse lookup zone configured. In addition, I have seen some implementations of IPSec using this (although my implementations haven't needed this, that I can tell, but I always create reverse lookup zones in forests I own). 
&lt;P&gt;&lt;/P&gt;Swell. 
&lt;P&gt;&lt;/P&gt;So, why does this matter? I mean, it's easy to create one of these and manage it, right? Well, yes and no. If you have a typical network of less than 200 machines, then you are probably running a single Class C and therefore no problem. However, when you get up to 2,000 or 3,000 systems it begins to be problematic. Stretch this to a level that I design for (about 400,000 or so) in one country, well there begins to be a problem. If you manage just the backbone of AD, then you own the root and all child domain DCs, and you at least know what networks they are on. Yet, you &lt;B&gt;know&lt;/B&gt; that a directory of this size means you will have several subnets per site, and you have to keep on top of them. The first step is, obviously, creating subnet objects and putting them into your sites definitions. While that's great, you would still need to manage a great deal of reverse lookup zones for every forward lookup zone. This would be classified as "not fun." I just figured I would bounce off all my fans out there (that's right, both of you, when you sober up that is) to see what you guys do.&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=37681" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/dns/archive/tags/Active+Directory/default.aspx">Active Directory</category><category domain="http://msmvps.com/blogs/dns/archive/tags/DNS/default.aspx">DNS</category></item></channel></rss>