Category Archives: Role Based Administration

Trustworthy computing: non-SDL view


Take notice: My new feed address is now http://feed.feedcat.net/806052. Please re-subscribe.


Well, finally it is my time to scold Microsoft. I'm not a fan of this type of self-promotion, but I still believe that the only way to move forward is to receive, process and answer constructive criticism. So let's begin:
Several years ago Microsoft announced its widely known Trustworthy Computing initiative (in fact they have just celebrated its 10th anniversary). I probably don't have to remind you of the goals and means of the initiative; they can all be found without any trouble. Anyway, this letter doesn't pretend to be some kind of thorough analysis after which I will exclaim "MS lies!" On the contrary, it is more about trying to show that, in my humble opinion, something in the current approach to security can be improved.
I am an IT Pro with 10+ years of experience, and this fact definitely affects how I see the world, security, and Microsoft's products with regard to both. My recent impression of Trustworthy Computing is something like this:
“SDL! SDL this! SDL that! SDL is everything and everywhere!”
Don't get me wrong, SDL is great even from the perspective of a systems administrator who can barely write code. Seriously, I have the feeling that Microsoft's code itself has become much more secure over the past years. Most of the recent vulnerabilities require me to turn off some safeguards (like DEP or UAC), or to leave them unconfigured in an extremely hazardous environment (not turning off the Server service on an Internet-facing computer). As a consequence I feel much safer with the products I use than, say, 10 years ago. Still, there are some features of recent developments that make me believe the current SDL lacks something vital. One may ask "what exactly do you mean?" Well, it is testing in environments built according to security best practices, and creating not only code which is not vulnerable, but code which provides the features needed to implement the controls recommended by those best practices, and can deliver those features without failing. Everything, literally everything, from smart card authentication to separation of duties or delegation of access, has to be incorporated into the products to build a somewhat secure environment. You cannot feel secure if those who make your backups are also able to restore them and configure the way they are created, or if you have to give SQL farm administrator permissions to someone who is to do some basic job. During the past several years I have witnessed some events which made me think that these matters haven't been in focus for some PGs, at least for several years if not at all. So as not to be accused of making this up, I'll give you some examples from my own experience and observations.
1) When MS SharePoint Server 2007 had just been released, we tried to install it in the company I worked for. Our policies required the use of Kerberos constrained delegation, publishing of any web application through ISA Server SSL bridging, and all that stuff, including smart card authentication. Sound requirements, aren't they? Unfortunately, the product obviously wasn't tested under such constraints. We ran into multiple problems, which were solved over the course of several MS Support cases. Fortunately all of them were a success; at the very least we received workarounds. For example, indexing didn't work on the SSL site, and if you first created the SSL site on port 443 and then extended it to port 80 (which was to be crawled by MOSS), then indexing worked fine, but search didn't return results. The correct sequence was to install the site on port 80 and then extend it to port 443. Not a big deal, one may say, but this could have been detected by automated testing in the relevant environment (BTW, this behavior was said to be by design and was fixed in the following SPs 😉).
2) The second case, relatively close to SharePoint, comes from the people who created WebDAV. The technology is very useful, though again, it was never tested in a secure environment. Publish it through ISA Server, require users to use their smart cards to get access to the WebDAV resource and... voilà! There are your problems.
3) Smart card support really seems to be the weak point for the developers. We absolutely love to use Microsoft's UC products: Exchange and OCS/Lync. But can you use Outlook and Communicator to authenticate by certificate? Hell, no! Build a VPN channel (or DA), and then use it if you want secure communications.
4) Data Protection Manager. It is our beloved one. Being as simple yet powerful as it is, it is just charming. Still, three major releases later we didn't have any separation of duties. If I am a local administrator I can back up, restore and configure everything. If I am not a local administrator, I can do almost nothing. There are some valuable exceptions, but not all we need. The latest release has RBAC in it, as promised by the PG, but still, 5 years without it sucked.
5) A problem with SQL Server. To get a highly available solution one can use SQL Server Mirroring. It is great and has really saved our applications many times. But when we stepped over the boundary where we had to implement RBAC for administrative tasks, we ran into the following problem: running ALTER DATABASE against any database which is in recovery mode, while holding permissions less than administrator, causes the process to crash and dump itself to a file by default. The operation described above is very often used with a mirrored database, for example to mirror it. Again, the bug was admitted, but we were offered the use of administrator permissions for the job as a workaround. The bug will be fixed in the next release, they said. This bug can be costly, at least it is for us (BTW, technically it can cause a DoS of the SQL server, as dumps can be very large and created very fast).
All the bugs above could have been found by testing against an environment built in accordance with security best practices. Those features which are simply absent (not bugs) could have been introduced much earlier if someone had really thought about secure deployment for them. Unfortunately all the examples above show that this job hasn't been done. I would like to think that those are only individual mistakes, but if one man (me) alone ran into so many of them, then I am afraid they are just the consequence of a lack of integrity in the PGs' approach to trustworthy computing.

Speaking…

Yep. Speaking. I'm speaking at TechEd Russia. This time it is more than 3000 people, 150 events and so on and so forth. And I'm going to be a part of this IT feast. I'll be delivering a session about implementing a role-based system of infrastructure administration in an MS-based environment. Hopefully some of you will attend by chance, though usually English speakers don't visit our Russian events.

While I'm quite sure I have done what I'm going to describe to my listeners, I'm also aware that every infrastructure has its own features and can give us very different tasks (that's one of many reasons why I like to attend Ask the Expert sessions as an expert: some questions couldn't have crossed my mind unless visitors asked them). That is why I ask for your help: if you have questions about the topic, please ask them. Probably I'll create a screencast based on them.

P.S. Yes, being a speaker is one of the reasons for my not very regular updates to this blog for a month or two. Sorry.

Delegate permissions for creating GPO objects in other domain

The task is obviously necessary to complete on your way to implementing the Role-Based Administration concept. And, to be honest, being in euphoria after a quick acquaintance with AGPM, I thought it was no big deal at all: give an account or a group membership in some special groups, including "Group Policy Creator Owners", and voilà, you've got it. Aha. Like hell it can succeed! =) This darn group is global and thus cannot be populated with objects from other domains. Moreover, you are unable to change that fact: everything is dimmed.

At least I don't know a way to change the group's scope (but I noted to myself to find out everything about it). So we won't get this easy way. Will we retreat? No way. If we can't add our object to the group, we can create another group and grant the permissions to that group directly. What permissions does the "Group Policy Creator Owners" group have? As far as I know, to create any GPO we need permissions in two places: the Policies container in AD and the Policies folder in SYSVOL. So let us delegate the permissions to the brand-new group "Role GP Creator Owners":

1) in AD, on the Domain/System/Policies container, grant the group "Create All Child Objects":


I guess "Create All Child Objects" is a bit of an overkill, and we can do better (just a guess), but the "Group Policy Creator Owners" group has these permissions, so we won't do any worse.

2) now on the Policies folder in SYSVOL, grant the same group the permissions that "Group Policy Creator Owners" has there:


That'll do the job for us. At least it did for me, but still, I recommend checking it with support if you have it. I'll definitely do that and fix the article if it needs it.
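The same two-sided delegation as a script, added here as an example and not taken from the original post or from any Microsoft tooling. Assumed names: the domain that will hold the GPOs is corp.example.com and the role group is OTHER\Role GP Creator Owners (a group from a trusted domain). It grants the AD create right scoped to groupPolicyContainer objects rather than "Create All Child Objects"; that narrower scoping is my assumption of what the built-in group carries, so fall back to the broader right if a test GPO creation fails.

```powershell
# Added example (not from the original post): give a group from another domain the
# right to create GPOs in this domain, without touching the global
# "Group Policy Creator Owners" group. Assumed names: domain corp.example.com,
# group OTHER\Role GP Creator Owners. Run as a domain admin of corp.example.com
# with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

function Grant-GpoCreation {
    param(
        [Parameter(Mandatory)][string]$Domain,   # DNS name of the domain that will hold the GPOs
        [Parameter(Mandatory)][string]$Group     # DOMAIN\Group, may come from a trusted domain
    )
    $domainDn   = (Get-ADDomain -Identity $Domain).DistinguishedName   # DC=corp,DC=example,DC=com
    $policiesDn = "CN=Policies,CN=System,$domainDn"
    $sysvolPath = "\\$Domain\SYSVOL\$Domain\Policies"

    # 1) AD side: allow creating groupPolicyContainer objects directly under CN=Policies.
    #    CC = Create Child; naming the class keeps it narrower than "Create All Child Objects"
    #    (assumption: this is what the built-in group holds; drop ';groupPolicyContainer'
    #    to fall back to the broader right if creating a test GPO fails).
    dsacls $policiesDn /G "${Group}:CC;groupPolicyContainer" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed on $policiesDn" }

    # 2) SYSVOL side: Modify on the Policies folder, inherited by files (OI) and
    #    sub-folders (CI), so the new {GUID} folder with GPT.INI and the Machine/User
    #    trees can be written.
    icacls $sysvolPath /grant "${Group}:(OI)(CI)M" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $sysvolPath" }

    # 3) Check: the group must now be visible in both ACLs
    [pscustomobject]@{
        AdAce     = @(dsacls $policiesDn | Select-String -SimpleMatch $Group).Count -gt 0
        SysvolAce = @(icacls $sysvolPath | Select-String -SimpleMatch $Group).Count -gt 0
    }
}

# Usage (assumed names):
# Grant-GpoCreation -Domain 'corp.example.com' -Group 'OTHER\Role GP Creator Owners'
```

Two practical checks: the role group has to be global or universal in its own domain, since a domain local group from the other domain cannot be placed in this domain's ACLs at all; and after running the script, the Delegation tab of the "Group Policy Objects" node in GPMC should list the new group among those allowed to create GPOs, because that tab reads the same ACE on CN=Policies. Then have a member of the group create and delete a throwaway GPO to confirm both the AD and the SYSVOL half work.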

%SystemRoot%\System32 Secrets: AzMan

To be honest, for quite a long time I had been thinking of it as some unneeded tool, before I had a close look at the console and its abilities. I was wrong. It is a really powerful instrument to manage or delegate permissions for an application. It is so powerful that I'm only teasing you in this article, before writing one or more big articles about it. Imagine you need a person to have full control over some Hyper-V virtual machine, including the right to delete it, but the only thing he or she is not allowed to do is create snapshots (because those are a pain in the neck, you know). Can you create such a set of permissions? Easy! Do you want to create quite the opposite policy? You are welcome. Do you want to check a user against some complex rules, not only groups? Create your scripts for this. What is even more pleasant: it is very role-oriented. Thinking in terms of roles is simple and nice with the tool.


OK, you'll tell me, what's the catch? Unfortunately there is more than one. The first: your application must be written with AzMan in mind. That is true for many MS applications, like, say, Hyper-V or DPM. But if you use VMM, then it is almost impossible for you to use AzMan with Hyper-V. And VMM has fewer abilities in this field. And I don't like the way it has them =) DPM's AzMan is not yet broken by any "management" software, but, my gosh! It is soooo poor in its capabilities =(

Still, if you don't use VMM, or use some other app which is compatible with AzMan, then I sincerely recommend you take a look at it.

Delegating something… “I don’t see the attribute I want to delegate!”

As I have been dealing with some delegation tasks recently, I had to recall some basic stuff. Actually, it took me two occasions of "suddenly missing attributes" to take the problem seriously and find out that "filtered attributes" can relate not only to RODCs =)

So, the situation generally looks like the following: you are trying to delegate permissions for an attribute in AD through the Delegation of Control wizard and find out that you cannot, because you don't see the attribute in the wizard. Let me show you an example. Suppose I'm trying to delegate permissions for changing the employeeID attribute of contact objects to some group. In the delegation wizard you will see the following dialog:


As you can see, there are no employeeID check boxes to tick. Where are they? That's simple enough: they are filtered out of our sight. It is done to ease our life, actually: some object classes have far too many attributes, most of which are usually not needed. Removing them from the wizard (and not only from it) makes it less overcrowded. "But, but, but... I need it!", you tell me. Well, no problem: let's get the attribute back. To do so we need to make some changes to the dssec.dat file in the %systemroot%\system32 folder of the machine where the console runs (make a backup copy!). It has a very simple and easy-to-understand structure: a section for each object class we can delegate, which begins with [<classname>] and ends where the next section begins. For instance, the section for contact looks like the following:


As you can see, the section consists of lines made of an attribute name, an "=" sign and a number. The property we cannot delegate access to, employeeID, is there too, with the value 7. Why 7? Obviously that is the value which hides it. What should we put there instead? There are only three other options (the number is a bit mask: 1 hides the read check box, 2 hides the write check box):

  • to display both read and write options use 0
  • to display only the write option use 1
  • to display only the read check box use 2
  • and 7, of course, will hide both options again

So let us change the line to "employeeID=0":


then restart the ADUC console, start the Delegation wizard again and:


Voilà!
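The edit above done as a script, added here as an example that is not part of the original post. It takes a timestamped backup, rewrites (or appends) the attribute line inside the right section only, and leaves every other section alone. The class name, attribute name and mode in the usage line are the ones from the example above; the function itself is my own helper, not a Microsoft tool.

```powershell
# Added example (not from the original post): unhide an attribute in the Delegation of
# Control wizard by rewriting its line in dssec.dat. Assumed input: class 'contact',
# attribute 'employeeID', mode 0 (show read and write). Run elevated on the machine
# where ADUC / RSAT is used: the file only changes what that console's wizard displays,
# it does not change any ACL in the directory.
function Set-DssecAttributeVisibility {
    param(
        [Parameter(Mandatory)][string]$ObjectClass,           # section name, e.g. contact, user
        [Parameter(Mandatory)][string]$Attribute,             # lDAPDisplayName, e.g. employeeID
        [ValidateSet(0, 1, 2, 7)][int]$Mode = 0,              # 0 read+write, 1 write only, 2 read only, 7 hidden
        [string]$Path = "$env:SystemRoot\System32\dssec.dat"
    )
    # dssec.dat is a plain ANSI text file; keep the encoding and keep a timestamped backup
    $enc    = [System.Text.Encoding]::Default
    $backup = "$Path.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    Copy-Item -Path $Path -Destination $backup -ErrorAction Stop

    $lines   = [System.IO.File]::ReadAllLines($Path, $enc)
    $out     = New-Object System.Collections.Generic.List[string]
    $attrRx  = '^\s*' + [regex]::Escape($Attribute) + '\s*='
    $inClass = $false
    $done    = $false
    foreach ($line in $lines) {
        if ($line -match '^\[(.+)\]\s*$') {
            # leaving the target section without having seen the attribute: append it
            if ($inClass -and -not $done) { $out.Add("$Attribute=$Mode"); $done = $true }
            $inClass = ($Matches[1] -eq $ObjectClass)       # -eq is case-insensitive
        }
        elseif ($inClass -and $line -match $attrRx) {
            $line = "$Attribute=$Mode"                      # rewrite the existing entry
            $done = $true
        }
        $out.Add($line)
    }
    # the target section may be the last one in the file
    if ($inClass -and -not $done) { $out.Add("$Attribute=$Mode"); $done = $true }
    if (-not $done) { throw "Section [$ObjectClass] not found in $Path" }

    [System.IO.File]::WriteAllLines($Path, $out.ToArray(), $enc)
    return $backup        # path of the copy to restore from if the wizard misbehaves
}

# Usage: Set-DssecAttributeVisibility -ObjectClass contact -Attribute employeeID -Mode 0
# then close and reopen Active Directory Users and Computers.
```

Keep in mind that dssec.dat only governs the wizard's display on that one workstation. If all you need is the ACE itself, you can skip the file edit and write the permission directly, for example `dsacls "OU=Contacts,DC=corp,DC=example,DC=com" /I:S /G "CORP\HR-Editors:WP;employeeID;contact"` (OU, domain and group names assumed), which grants Write Property on employeeID to contact objects below that OU; the wizard will still not show the attribute, but the delegation is in place.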

Some extra reading:

http://support.microsoft.com/kb/296490

http://technet.microsoft.com/en-us/library/cc756087(WS.10).aspx

Delegating authority over a DNS zone

I'm back. Sorry for such a long absence: all those conferences and MVP gatherings take too much endurance, though they are very useful and pleasant. But now I'm really back, and today we will delegate control over one of our DNS zones (without granting control over the whole DNS server, or even AD) to, say, a junior administrator. It is obvious that we can just give him the necessary rights to the zone using the Security tab in its properties:


but that still doesn't give him the right to connect to your DNS server through the MMC console:


What shall we do to give him access? Of course we could make the junior admin a local admin, but:

  1. it is a bit of an overkill
  2. it will give him more permissions over DNS than we need to give him
  3. usually DNS servers are placed on a DC, where "local administrators" is the domain's built-in Administrators group, so the junior would effectively become a domain admin

So what we need to do is grant him Read permission on the DNS server object itself:


And now our junior has the access he needs:


And of course don't grant the permissions directly to the user: create a group, put the user in it and grant the permissions to the group.
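The same delegation, zone rights plus Read on the server, done with the Active Directory module instead of the two Security tabs. This is an added example, not code from the original post or from Microsoft. Assumptions: the zone is AD-integrated (so it is an object in one of the DNS partitions), the zone is corp.example.com, the group is CORP\DNS-Admins-corp.example.com, and the server-level ACL that the DNS console's server Security tab edits on a DC lives on CN=MicrosoftDNS,CN=System,<domain DN>.

```powershell
# Added example (not from the original post): delegate one AD-integrated DNS zone
# to a group without DnsAdmins or local admin rights on the DC.
# Assumptions: RSAT ActiveDirectory module present; the zone is AD-integrated;
# the DNS server's own ACL lives on CN=MicrosoftDNS,CN=System,<domain DN>.
Import-Module ActiveDirectory

function Add-AdAce {
    # Append one Allow ACE for $Identity to the AD object at $Dn.
    param(
        [Parameter(Mandatory)][string]$Dn,
        [Parameter(Mandatory)][string]$Identity,                                 # DOMAIN\Group
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inherit = 'None'
    )
    $sid  = (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
                [System.Security.Principal.SecurityIdentifier])
    $acl  = Get-Acl -Path "AD:\$Dn"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow, $Inherit)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

function Find-DnsZoneObject {
    # An AD-integrated zone lives in one of three places depending on its replication scope.
    param([Parameter(Mandatory)][string]$ZoneName)
    $root  = Get-ADRootDSE
    $bases = @(
        "DC=DomainDnsZones,$($root.defaultNamingContext)",          # all DNS servers in the domain
        "DC=ForestDnsZones,$($root.rootDomainNamingContext)",       # all DNS servers in the forest
        "CN=MicrosoftDNS,CN=System,$($root.defaultNamingContext)"   # legacy: all DCs in the domain
    )
    foreach ($base in $bases) {
        $zone = Get-ADObject -SearchBase $base -SearchScope Subtree `
                    -LDAPFilter "(&(objectClass=dnsZone)(name=$ZoneName))" -ErrorAction SilentlyContinue
        if ($zone) { return $zone }
    }
    throw "Zone '$ZoneName' not found in any AD-integrated DNS partition"
}

function Grant-DnsZoneAdmin {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string]$Group       # e.g. CORP\DNS-Admins-corp.example.com (assumed)
    )
    $zone = Find-DnsZoneObject -ZoneName $ZoneName
    # Full control on the zone object and on every dnsNode (record) beneath it
    Add-AdAce -Dn $zone.DistinguishedName -Identity $Group -Rights GenericAll -Inherit All
    # Read on the server-level object: this is what lets the DNS MMC / dnscmd connect at all
    $serverDn = "CN=MicrosoftDNS,CN=System,$((Get-ADRootDSE).defaultNamingContext)"
    Add-AdAce -Dn $serverDn -Identity $Group -Rights GenericRead
    # Return the ACEs now held by the group on the zone, for a quick eyeball / audit trail
    Get-Acl -Path "AD:\$($zone.DistinguishedName)" |
        Select-Object -ExpandProperty Access |
        Where-Object { $_.IdentityReference -like "*$($Group.Split('\')[-1])" }
}

# Usage (assumed names):
# Grant-DnsZoneAdmin -ZoneName 'corp.example.com' -Group 'CORP\DNS-Admins-corp.example.com'
```

Test it from the junior's account rather than your own: `dnscmd dc1.corp.example.com /RecordAdd corp.example.com testhost A 10.0.0.1` should succeed, while the same command against a zone the group was not delegated should be refused, and the DNS console should now connect to the server but show only the delegated zone as editable. If the console still refuses the connection, the server-level ACL is not where this example assumes; compare with what the server's Security tab writes by granting Read there once by hand and diffing the ACL of CN=MicrosoftDNS,CN=System before and after.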