Kiss me, I’m secure!

This could also be “How to confuse and confound yourself in the name of security.” I am now working on an automated security package that lets users deploy XP Pro and Server 2003 to a standardized baseline. The premise is to:

  • Patch the system (current as of the package release date)
  • Apply local security templates (you get the option of member server or DC for WS2003 builds)
  • Install approved and licensed apps for machine via option menu

    Now, this has been going on for about 18 months, and the project was missing a strong technical person, particularly on the server portion. Well, enough people mistook me for that person that I am now handling it. We have to base the security measures on things like IAVAs (patches and specific settings required by DISA, a government agency) and security templates that include settings from STIGs (also from DISA). The goal is to have a very secure platform before you connect to the network.

    The only problem with this is that you break stuff. Lots of stuff. It took another contractor engineer, an MS consultant (Joe, or as I call him “Spaghetti Western”), and me a couple of days to adjust enough settings to get the Management Point installed. We are still having issues with clients reporting their status even though the client is installed.

    We had other quirks such as:

  • NTVDM error when installing SQL Server (you need to set your temp path to something like “C:\Temp” that fits the 8.3 naming convention)
  • Terminal Services connectivity (didn’t realize that the hi-sec recommendation from MS was to specifically deny “Everyone” via local policy)
  • MP installation issues (hotfix needed from PSS)
  • SMS Trace is awesome

    So, my question to you is: what do you guys do for security standardization? We have security templates and settings all over the place, and it has been fun shaping GPOs to fix these settings for a given role.
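    One habit that saves a lot of the trial and error above is auditing a template for the settings that lock you out before you apply it. The script below is an added example, not code from the original post: it parses the [Privilege Rights] section of a secedit-format .inf, flags any “deny” user right that has been granted to Everyone (S-1-1-0), and then runs the same check against the policy actually in effect by exporting it with secedit. The template path C:\Baseline\hisecdc.inf is a placeholder, and the five deny rights in the table are my assumption about which rights a “deny Everyone” recommendation touches; the Terminal Services one is SeDenyRemoteInteractiveLogonRight.

```powershell
# Added example, not from the original post. Audits a secedit-format security
# template for "deny" user rights granted to Everyone (S-1-1-0), which is how a
# high-security template ends up blocking Terminal Services or network logons
# for every account. Assumes the standard [Privilege Rights] section format;
# the rights listed in $DenyRights are my assumption about which ones matter.

# Deny rights that, assigned to Everyone, lock out remote administration.
$DenyRights = @{
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Terminal Services'
    'SeDenyNetworkLogonRight'           = 'Deny access to this computer from the network'
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeDenyServiceLogonRight'           = 'Deny log on as a service'
    'SeDenyBatchLogonRight'             = 'Deny log on as a batch job'
}
$EveryoneSid = 'S-1-1-0'

# Parse [Privilege Rights] into a hashtable of right name -> array of SIDs/names.
function Get-TemplatePrivilegeRights {
    param([Parameter(Mandatory=$true)][string]$Path)
    $rights = @{}
    $inSection = $false
    foreach ($raw in (Get-Content -Path $Path)) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection -or $line -eq '' -or $line.StartsWith(';')) { continue }
        $name, $value = $line -split '=', 2
        # Values are comma-separated; SIDs carry a leading '*', account names do not.
        $entries = @($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ -ne '' })
        $rights[$name.Trim()] = $entries
    }
    return $rights
}

# Return one object per deny right that the template grants to Everyone.
function Test-DenyEveryone {
    param([Parameter(Mandatory=$true)][string]$Path)
    $rights = Get-TemplatePrivilegeRights -Path $Path
    foreach ($right in $DenyRights.Keys) {
        if ($rights.ContainsKey($right) -and ($rights[$right] -contains $EveryoneSid)) {
            New-Object PSObject -Property @{
                Template    = $Path
                Right       = $right
                Description = $DenyRights[$right]
            }
        }
    }
}

# Export the policy currently in effect; secedit writes the same .inf format,
# so the same parser covers both the template and the live machine.
$effective = Join-Path $env:TEMP 'effective-user-rights.inf'
secedit /export /cfg $effective /areas USER_RIGHTS | Out-Null

# 'C:\Baseline\hisecdc.inf' is a placeholder for the template you are about to apply.
foreach ($inf in @('C:\Baseline\hisecdc.inf', $effective)) {
    if (-not (Test-Path $inf)) { Write-Warning "Not found: $inf"; continue }
    $hits = @(Test-DenyEveryone -Path $inf)
    if ($hits.Count -gt 0) {
        $hits | Format-Table Right, Description, Template -AutoSize
    } else {
        "OK: $inf grants no deny right to Everyone"
    }
}
```

    Run it from an elevated prompt (secedit /export needs admin rights). A hit on SeDenyRemoteInteractiveLogonRight for S-1-1-0 is exactly the Terminal Services lockout described above; the fix is to remove Everyone from that right in the template, or to override it in the GPO for the role, rather than to skip the template.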

I’m back…

    OK, so it’s been a while, but I am going to try this again.  Current topics include:

    • AD (given)

    • VMware (no longer using Virtual Server) ESX and Workstation

    • Autocross

    • Other

    I just switched contracts and I am now working on an automated deployment platform for pushing out a common security and application baseline for Windows XP Pro and Windows Server 2003.  I am using VMware ESX 2.5.2 right now on Compaq DL580G2 boxes.  As I get more time, I will try to cover more DNS/AD issues.

    Do you use reverse lookup zones?

    By default, Active Directory does not require reverse lookup zones to validate clients. The primary job of AD’s DNS is forward resolution: hosts, the SRV records that advertise services, and the all-valuable GUID-based CNAME records under _msdcs that DCs use to find their replication partners.


    However, it appears that not everybody likes this. Now, I will be the first to admit that I don’t read all of the RFCs for a given protocol or spec. OK, I will also admit that I like to lie about reading anything regarding RFCs, and in fact have better luck reading nutrition information from KFC.

    The problem is that certain protocols and connection methods just love reverse lookups. The most common case is mail servers: the receiving server does a PTR lookup on the connecting IP to check that it is what it claims to be, and some will refuse a connection that has no PTR record at all. But there are other uses for this. If you try connecting Apple OS X clients to your AD you might be greeted with various issues if you don’t have a reverse lookup zone configured (Kerberos clients typically canonicalize a server name through a reverse lookup before building the service principal name, so a missing PTR means a wrong SPN). In addition, I have seen some implementations of IPSec using this (although my implementations haven’t needed this, that I can tell, but I always create reverse lookup zones in forests I own).


    So, why does this matter? I mean, it’s easy to create one of these and manage it, right? Well, yes and no. If you have a typical network of fewer than 200 machines, you are probably running a single /24 (Class C), so one reverse lookup zone covers everything. When you get up to 2,000 or 3,000 systems it begins to be problematic. Stretch this to the level I design for (about 400,000 systems in one country) and there is a real problem. If you manage just the backbone of AD, then you own the root and all child domain DCs, and you at least know what networks they are on. Yet a directory of this size means several subnets per site, and you have to keep on top of them. The first step is, obviously, creating subnet objects and putting them into your site definitions. While that’s great, subnet objects do nothing for DNS: you still need a reverse lookup zone for every network range, and since in-addr.arpa zones are cut on octet boundaries, a subnet that isn’t a /8, /16 or /24 needs several /24 zones or one larger zone that covers more than that subnet. Nothing ties those zones to your forward lookup zones or your subnet objects, so they have to be tracked separately. This would be classified as “not fun.” I just figured I would bounce off all my fans out there (that’s right, both of you, when you sober up that is) to see what you guys do.
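    The bookkeeping problem above is mechanical enough to script. What follows is an example I am adding here, not code from the original post: it reads the subnet objects out of the Configuration partition, works out which in-addr.arpa zones would cover each one at the octet boundary that fits, compares that list with the reverse zones the DNS server actually holds, and creates the missing ones if you pass -Create. It assumes it runs on a DC or a box with the DnsServer RSAT module (Windows Server 2012 or later for Get-DnsServerZone and Add-DnsServerPrimaryZone, PowerShell 3.0 or later for the shift operators), queries the local DNS server, and handles IPv4 subnets only.

```powershell
# Added example, not from the original post. Compares the subnet objects in
# AD Sites and Services with the reverse lookup zones the DNS server holds and,
# with -Create, adds the missing ones as AD-integrated zones.
# Assumptions: PowerShell 3.0+ and the DnsServer module (Windows Server 2012+);
# the local machine is the DNS server to check; IPv4 subnets only.
param([switch]$Create)

# Subnet objects live under CN=Subnets,CN=Sites in the Configuration partition.
function Get-AdSubnetPrefix {
    $rootDse = [ADSI]'LDAP://RootDSE'
    $base = [ADSI]"LDAP://CN=Subnets,CN=Sites,$($rootDse.configurationNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base, '(objectClass=subnet)')
    $searcher.PageSize = 1000
    foreach ($result in $searcher.FindAll()) {
        $name = [string]$result.Properties['name'][0]      # e.g. 10.20.0.0/22
        if ($name -match '^\d+\.\d+\.\d+\.\d+/\d+$') { $name }
    }
}

# in-addr.arpa zones are delegated on octet boundaries. A subnet that is not a
# /8, /16 or /24 is covered by several zones at the next octet boundary
# (10.20.0.0/22 -> four /24 zones), and anything longer than /24 needs the
# enclosing /24 zone. Returns the covering zone names for one prefix.
function Get-ReverseZoneNames {
    param([Parameter(Mandatory=$true)][string]$Cidr)
    $ip, $len = $Cidr -split '/'
    $len = [int]$len
    if ($len -lt 1 -or $len -gt 32) { return }
    $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [long]$addr = ([long]$b[0] -shl 24) + ([long]$b[1] -shl 16) + ([long]$b[2] -shl 8) + [long]$b[3]
    [long]$size = [long]1 -shl (32 - $len)
    [long]$net  = $addr - ($addr % $size)                          # zero the host bits
    $bits = [int][math]::Min(24, [math]::Ceiling($len / 8) * 8)    # 8, 16 or 24
    [long]$step = [long]1 -shl (32 - $bits)
    for ($n = $net; $n -le $net + $size - 1; $n += $step) {
        $o1 = ($n -shr 24) -band 255
        $o2 = ($n -shr 16) -band 255
        $o3 = ($n -shr 8)  -band 255
        switch ($bits) {
            8  { "$o1.in-addr.arpa" }
            16 { "$o2.$o1.in-addr.arpa" }
            24 { "$o3.$o2.$o1.in-addr.arpa" }
        }
    }
}

$subnets = @(Get-AdSubnetPrefix)
$wanted  = @{}                                  # zone name -> first subnet that needs it
foreach ($s in $subnets) {
    foreach ($z in Get-ReverseZoneNames -Cidr $s) {
        if (-not $wanted.ContainsKey($z)) { $wanted[$z] = $s }
    }
}

$existing = @{}
Get-DnsServerZone | Where-Object { $_.IsReverseLookupZone } | ForEach-Object { $existing[$_.ZoneName] = $true }

$missing = @($wanted.Keys | Where-Object { -not $existing.ContainsKey($_) } | Sort-Object)
"Subnet objects: $($subnets.Count); reverse zones needed: $($wanted.Count); missing: $($missing.Count)"
foreach ($zone in $missing) {
    "MISSING $zone (for subnet $($wanted[$zone]))"
    if ($Create) {
        # Forest replication scope puts the zone on every DC running DNS.
        Add-DnsServerPrimaryZone -Name $zone -ReplicationScope Forest -DynamicUpdate Secure
    }
}
```

    Run it once without -Create to see the report, then with -Create once you are happy with the list. The same comparison can be driven on Windows Server 2003 with dnscmd /EnumZones and dnscmd /ZoneAdd <zone> /DsPrimary in place of the two cmdlets; the zone-name calculation does not change. Note that the script only reports zones that are missing, not zones that exist for ranges no subnet object claims, which is a separate cleanup.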

    So, who am I?

    Hi there, I am James Carter, and I am a Windows Server MVP in Directory Services. Basically, I am an Active Directory geek. I am a moderator at both and (a.k.a. “clutch”), and I am an AD engineer/contractor (Subject Matter Expert, Enterprise Directory Services) for the US Army. My plan for this blog is to be a diary mostly of things I come up with at work, or things that can just simply make AD/DNS deployment easier.

    In addition, I am a BIG fan of virtualization and use MS Virtual Server 2005 on several machines in our lab (hosting about 10 forests) and I use VMware workstation/ESX server in other environments. I have been working on methods to allow hosting of many “virtual” subnets on these servers and plan on passing configuration information to anyone reading this as well.

    As for other topics that will probably show up here, I love my 2002 Subaru Impreza 2.5 RS that I autocross in (G/S right now, can’t afford STS). I also cycle (road and mountain) here in Arizona, and do some part-time consulting and might be making the move into teaching. Above all, my favorite way to kill time is with my wife and daughter, both of whom like “spirited” driving and cycling as well.

    Well, on with the show…