Management Point Connection Account Vulnerability

  • Question

  • I understand that for an MP in a remote DMZ untrusted AD forest situation I must use the Site System Installation Account. I would also be inclined to use the "Require the site server to initiate connections to this site system" for added security.

    Also the MP must use the Management Point Connection Account to connect to the site database. This account would be denied interactive logon rights at the domain level.

    1. Can someone confirm that the remote MP will initiate its own connection to the site database using the MP Connection Account creds? If true then the "Require site server initiation" setting doesn't affect the MP -> DB traffic, correct?

    2. I assume the MP Connection Account is stored somewhere on the remote MP. If the remote MP gets compromised, is there a chance that the MP Connection Account could be used maliciously? (however limitedly)

    I'm trying to get buy in to use this model but security folks are curious about how inter AD communication is handled and looking for vulnerabilities.

    Thanks! J

    Thursday, February 11, 2016 4:53 PM

Answers

  • For number 2, yes, it's stored in the registry and both the password and account name are encrypted.

    Any compromised account can be used maliciously, so limiting where this account can authenticate could increase your security posture if you are concerned about this account. Added logging or monitoring around this account is also in order if you are concerned with it being compromised.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    • Marked as answer by JoelDB Thursday, February 11, 2016 5:56 PM
    Thursday, February 11, 2016 5:39 PM
  • 1. The remote MP will always start the communication to the DB using the account provided. Yes, that setting doesn't affect the talk to the DB, but it means that the site system (primary site) will be the one pushing the data to this MP.

    2. No clue about this one. My guess is that you must find the info in the DB (the primary site is aware of the account) and on the MP (probably hashed and hidden).

    The communication between the ADs is kept to a minimum.

    When the MP talks to SQL, it presents itself with the account and the local SQL server validates the rights.

    When the site system talks to the MP/DP, it presents the account and the local MP/DP validates the rights.

    If you have some publishing in AD, the account you have specified will be given to the domain controller and it will validate the rights.

    If you have some discovery, it's a simple LDAP query that will provide the account that was given in the Active Directory forest section for that forest.

    So the two ADs never talk to each other. The server that performs the request provides the credential and the server in the forest validates the credential itself.

    • Marked as answer by JoelDB Thursday, February 11, 2016 5:56 PM
    Thursday, February 11, 2016 5:30 PM
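The monitoring Jason recommends, combined with the MP-to-SQL flow the other answer describes, can be turned into a simple rule: the MP connection account should only ever show up as a network logon on the site database server, coming from the remote MP. The following is an added example, not code from the thread or from ConfigMgr; the account name, host names and sample logon events are constructed, and it assumes Windows Security logon events (4624 success, 4625 failure) have already been parsed into objects.

```python
# Added example (not from the thread): flag use of the ConfigMgr MP connection
# account outside its expected path. Assumes Windows Security logon events
# (4624 success / 4625 failure) already parsed; names below are hypothetical.
from dataclasses import dataclass
# Baseline: the account should only appear as a network logon (type 3) on the
# site database server, and only coming from the remote DMZ management point.
MP_CONN_ACCOUNT = "CM_MPConn"        # hypothetical account name
SITE_DB_SERVER = "SQL01"             # hypothetical site database host
ALLOWED_SOURCE_HOSTS = {"DMZMP01"}   # hypothetical remote MP
NETWORK_LOGON = 3

@dataclass
class LogonEvent:
    event_id: int
    target_user: str
    logon_type: int
    host: str          # computer that recorded the event
    workstation: str   # WorkstationName field: where the logon came from

def classify(ev: LogonEvent) -> list:
    """Return the reasons an MP-connection-account logon looks suspicious."""
    if ev.target_user.lower() != MP_CONN_ACCOUNT.lower():
        return []  # some other account: out of scope for this rule
    reasons = []
    if ev.event_id == 4625:
        reasons.append("failed logon")
    if ev.logon_type != NETWORK_LOGON:
        reasons.append(f"logon type {ev.logon_type} (interactive/other)")
    if ev.host.upper() != SITE_DB_SERVER:
        reasons.append(f"used on {ev.host}, not the site DB server")
    if ev.workstation.upper() not in ALLOWED_SOURCE_HOSTS:
        reasons.append(f"source {ev.workstation} is not the MP")
    return reasons

def find_suspicious(events):
    """Pair each flagged event with its reasons; normal events are dropped."""
    return [(e, r) for e in events if (r := classify(e))]

# Constructed sample: one normal MP -> SQL logon, three anomalies, one unrelated
SAMPLE_EVENTS = [
    LogonEvent(4624, "CM_MPConn", 3, "SQL01", "DMZMP01"),
    LogonEvent(4624, "CM_MPConn", 2, "DMZMP01", "DMZMP01"),  # interactive on the MP
    LogonEvent(4624, "CM_MPConn", 3, "SQL01", "WKSTN77"),    # from a non-MP host
    LogonEvent(4625, "CM_MPConn", 3, "FILESRV", "DMZMP01"),  # tried elsewhere, failed
    LogonEvent(4624, "jdoe", 2, "WKSTN77", "WKSTN77"),       # unrelated user
]

if __name__ == "__main__":
    for ev, reasons in find_suspicious(SAMPLE_EVENTS):
        print(ev.target_user, ev.host, "->", "; ".join(reasons))
```

In a real deployment the baseline values come from the site's own configuration and the events from the SQL server's and MP's Security logs; the rule itself does not change.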

All replies

  • Thanks for the quick replies guys!
    Thursday, February 11, 2016 5:57 PM