Subject: Re: Audit of domain user verification
From: Russ (Russ.CooperRC.ON.CA)
Date: Fri Feb 18 2000 - 14:08:25 CST


>This goes counter to the C2 requirements, or the Common Criteria (CC)

I wouldn't agree. Fact is, all of the actions are auditable and I don't
believe C2 puts a limitation on the environment that it must be "centrally
auditable", does it? It still requires Administrative privilege to disable
auditing (or remove the logs) from a Workstation.

>In terms of the CC, if the domain is the target of evaluation, it should
>be capable of monitoring accesses to objects it protects. I don't think
>you could make an argument that a member workstation is not an object
>protected by the domain. Thus, this kind of access must be monitored
>at the domain level if the domain concept is to pass C2 evaluation.

And it is monitored. Further, as the KB article explains, the PDC is aware
of the actions; it just doesn't normally show them in the PDC event logs
(until the policy is violated...lockout).

There's also the consideration that the policy is what is being protected.
If someone is able to usurp the policy, then I'd say you have something
there...but in this case the policy remains effective by virtue of the fact
that a lockout will occur (and be logged at the PDC) if the policy is
violated.

IMHO, getting a password wrong at logon is not a policy violation.

http://support.microsoft.com/support/kb/articles/q185/9/52.asp

points out that there is a window of opportunity to usurp the bad logon
count, due to the fact that the count is maintained on each BDC for any
given account, and only replicated up to the PDC when the count is exceeded
(i.e., a lockout needs to occur), at which point the PDC then replicates
that fact (the lockout) to all BDCs. The time it takes for all of this to
happen could give an attacker the opportunity to try the same userID against
different DCs (they'd have to craft the attack to target resources that use
different BDCs for authentication, not easily done but possible).

http://support.microsoft.com/support/kb/articles/q219/8/98.asp

gives a more detailed explanation of the differing effects caused by
different logon methods.

Now one might argue that this is a C2 issue.

Cheers,
Russ - NTBugtraq Editor
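
Added illustration (not part of Russ's message or of the Microsoft KB articles he cites): a small Python model of the mechanism described in the message, where each DC keeps its own bad-logon count for an account and only the resulting lockout is replicated via the PDC to the other DCs. The three-DC topology, the lockout threshold of 5 and the replication delay are constructed parameters, and the delay is measured in logon attempts rather than seconds. The point is to compare how many wrong passwords actually get evaluated before every DC refuses the account under a single central counter versus per-DC counters with lazy lockout replication.

```python
from dataclasses import dataclass


@dataclass
class DomainController:
    """One DC's view of a single account. bad_count is never replicated."""
    name: str
    bad_count: int = 0
    locked: bool = False


class Domain:
    """NT4-style lockout model (constructed, not Microsoft code): each DC
    counts bad logons on its own; only the lockout event goes to the PDC
    and from there to every DC, after replication_delay attempts' time."""

    def __init__(self, dc_names, threshold, replication_delay):
        self.dcs = {n: DomainController(n) for n in dc_names}
        self.threshold = threshold                  # policy: bad logons before lockout
        self.replication_delay = replication_delay  # time (in attempts) for PDC->BDC sync
        self.clock = 0
        self.pending = []                           # clock ticks at which a lockout lands on all DCs
        self.pdc_log = []                           # what the PDC's security log would show

    def _deliver_replication(self):
        """Apply any lockout whose replication has had time to arrive."""
        if any(due <= self.clock for due in self.pending):
            for dc in self.dcs.values():
                dc.locked = True
            self.pending = [due for due in self.pending if due > self.clock]

    def bad_logon(self, dc_name):
        """One wrong password presented to dc_name."""
        self.clock += 1
        self._deliver_replication()
        dc = self.dcs[dc_name]
        if dc.locked:
            return "rejected_locked"            # password is not even evaluated
        dc.bad_count += 1
        if dc.bad_count >= self.threshold:
            dc.locked = True
            self.pdc_log.append((self.clock, f"lockout reported by {dc.name}"))
            self.pending.append(self.clock + self.replication_delay)
            return "locked_out"
        return "counted"                        # local only: nothing reaches the PDC log

    def fully_locked(self):
        return all(dc.locked for dc in self.dcs.values())


def guesses_before_lockout(dc_names, threshold, replication_delay, targets):
    """How many wrong passwords get evaluated before every DC refuses the
    account. `targets` is the attacker's choice of DC for each attempt.
    Returns (evaluated_guesses, pdc_log)."""
    domain = Domain(dc_names, threshold, replication_delay)
    evaluated = 0
    for name in targets:
        if domain.bad_logon(name) != "rejected_locked":
            evaluated += 1
        if domain.fully_locked():
            break
    return evaluated, domain.pdc_log


def round_robin(dc_names, n):
    """Attacker strategy from the message: same user ID, rotated across DCs."""
    return [dc_names[i % len(dc_names)] for i in range(n)]


if __name__ == "__main__":
    DCS = ["PDC", "BDC1", "BDC2"]   # constructed topology
    THRESHOLD = 5                    # constructed policy value
    print("single DC:                       ",
          guesses_before_lockout(["PDC"], THRESHOLD, 0, round_robin(["PDC"], 50))[0])
    print("3 DCs, all attempts at one BDC:  ",
          guesses_before_lockout(DCS, THRESHOLD, 3, ["BDC1"] * 50)[0])
    print("3 DCs, rotated, instant sync:    ",
          guesses_before_lockout(DCS, THRESHOLD, 0, round_robin(DCS, 50))[0])
    print("3 DCs, rotated, slow sync:       ",
          guesses_before_lockout(DCS, THRESHOLD, 3, round_robin(DCS, 50))[0])
```

Run as a script it prints 5, 5, 13 and 15: a single DC, or an attacker who hammers one BDC, stops at the threshold, whereas rotating the same user ID across three DCs gets 3*(threshold-1)+1 evaluated guesses even with instantaneous lockout replication, and up to 3*threshold when the lockout takes a few attempts' time to arrive. Only the lockout events land in pdc_log; the counted attempts never appear there.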
