* RPC vulnerability and securing Active Directory
On the heels of last week’s newsletter about the new Remote Procedure Call (RPC) vulnerability found in most 32-bit Windows operating systems (see links below), NetPro CTO Gil Kirkpatrick reminded me that he is hosting a Web seminar this Friday that’s very relevant. The seminar was planned long before the RPC vulnerability came to light.
“Secure Active Directory Design: Protecting Your Directory from Attack,” will be presented at 8:00 a.m. PDT (4:00 p.m. GMT) and should last 90 minutes. Of course, the seminar has been updated to reflect the new security problem and the first item covered will be “RPC vulnerability and how it can affect Active Directory.” Head over to https://www.netpro.com/welcome/seminars to sign up for this and other upcoming online talks.
While you’re at the NetPro site, you should also take a look at its Active Directory security monitoring and intrusion detection tool, DirectoryLockdown. This software protects Active Directory’s configuration and schema Naming Contexts from unauthorized changes made with or without malicious intent (i.e., it’ll protect against fumble fingered administrators just as well as malicious hackers).
While Active Directory isn’t the only area vulnerable to the RPC exploit, it is a place where malicious hackers would like to get to in order to either create new administrative accounts, increase the privileges of an existing account or to simply attempt to steal data and hack into accounts.
As was revealed just last week (https://lasecpc13.epfl.ch/ntcrack/), many Windows passwords can be cracked using a brute force dictionary attack in a matter of seconds. Once the malicious intruder either has access to an administrator’s account, or has set up a new account with all rights and privileges the entire network is open for his or her perusal including business critical data, proprietary information and personal details.
DirectoryLockdown works with the administrative policies you set to not only monitor activity but also prevent the spread of erroneous or malicious information. DirectoryLockdown can be configured to immediately notify appropriate personnel of intrusions while preventing further damage to the enterprise by disabling replication to and from the compromised domain controller and then shutting it down. DirectoryLockdown also provides a special recovery utility that allows enterprise administrators to restore the domain controller quickly and easily following an attack – or an innocent misconfiguration.
Malicious attacks across the public network do occur, but malicious activity from inside the firewall, as well as innocent but potentially catastrophic, mistakes cause a lot more problems, data loss and administrative hair loss than outside attacks. You need to protect yourself against all of these.




