Best Way to Share a Secret String Between Member Servers?

Posted by Will on February 7, 2007, 12:20 am
I am looking at issues around having each computer do its own backups using
the native Windows backup application to a file server.

Rather than having a custodial domain account used by the computers, and
with that all of the hassles of dealing with how to secure the password, I
am wondering if there is a way to do the DACL permissions to the target
share / file system based on just authentication by Windows domain system of
the target computer itself. Could you put the machine object of the
computer doing the backup into the DACL of the target share\folder-path, and
then run the backup process as SYSTEM on the client computer?

I did try this as an experiment and the scheduled task refused to run.
That could be a problem with the implementation or with the theory, and
that's why I am checking.

--
Will



Posted by Will on February 7, 2007, 1:11 am
Sorry, posted that too early and left out the part that generated the
subject line for the thread.

If we must use a domain account of a user and specify a password, in order
to use a share, is there a way to encrypt a string on a member server such
that it could only be decrypted by a specific target member server? What
are the best options for sharing text you want to keep secret between member
servers?

--
Will


> I am looking at issues around having each computer do its own backups using
> the native Windows backup application to a file server.
>
> Rather than having a custodial domain account used by the computers, and
> with that all of the hassles of dealing with how to secure the password, I
> am wondering if there is a way to do the DACL permissions to the target
> share / file system based on just authentication by Windows domain system of
> the target computer itself. Could you put the machine object of the
> computer doing the backup into the DACL of the target share\folder-path, and
> then run the backup process as SYSTEM on the client computer?
>
> I did try this as an experiment and the scheduled task refused to run.
> That could be a problem with the implementation or with the theory, and
> that's why I am checking.
>
> --
> Will
>
>



Posted by Roger Abell [MVP] on February 7, 2007, 1:25 am
Will,

Within a domain, the System account (or the Network Service account),
when going off-box to other domain machines, is the Machinename$
domain account of that machine.
Your scheduled task is perhaps having other issues.
To test access to the share as System, try doing a simple access either
in a startup/shutdown script or via a cmd prompt obtained for System.
I would suggest that you consider doing the scheduled NTbackup job
so that it writes to local disk, and then copy this out to remote in a
separate task.

Roger
> Sorry, posted that too early and left out the part that generated the
> subject line for the thread.
>
> If we must use a domain account of a user and specify a password, in order
> to use a share, is there a way to encrypt a string on a member server such
> that it could only be decrypted by a specific target member server?
> What
> are the best options for sharing text you want to keep secret between
> member
> servers?
>
> --
> Will
>
>
>> I am looking at issues around having each computer do its own backups using
>> the native Windows backup application to a file server.
>>
>> Rather than having a custodial domain account used by the computers, and
>> with that all of the hassles of dealing with how to secure the password,
>> I
>> am wondering if there is a way to do the DACL permissions to the target
>> share / file system based on just authentication by Windows domain system of
>> the target computer itself. Could you put the machine object of the
>> computer doing the backup into the DACL of the target share\folder-path, and
>> then run the backup process as SYSTEM on the client computer?
>>
>> I did try this as an experiment and the scheduled task refused to run.
>> That could be a problem with the implementation or with the theory, and
>> that's why I am checking.
>>
>> --
>> Will
>>
>>
>
>



Posted by Joe Richards [MVP] on February 7, 2007, 9:41 am
I agree with Roger here, this is something I have done in the past with
LocalSystem. Create and schedule a CMD script which launches NTBackup
from the command line and once completed copies the file to a remote
machine. This should work fine as LocalSystem assuming you are in an
Active Directory domain.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Roger Abell [MVP] wrote:
> Will,
>
> Within a domain, the System account (or the Network Service account),
> when going off-box to other domain machines, is the Machinename$
> domain account of that machine.
> Your scheduled task is perhaps having other issues.
> To test access to the share as System, try doing a simple access either
> in a startup/shutdown script or via a cmd prompt obtained for System.
> I would suggest that you consider doing the scheduled NTbackup job
> so that it writes to local disk, and then copy this out to remote in a
> separate task.
>
> Roger
>> Sorry, posted that too early and left out the part that generated the
>> subject line for the thread.
>>
>> If we must use a domain account of a user and specify a password, in order
>> to use a share, is there a way to encrypt a string on a member server such
>> that it could only be decrypted by a specific target member server?
>> What
>> are the best options for sharing text you want to keep secret between
>> member
>> servers?
>>
>> --
>> Will
>>
>>
>>> I am looking at issues around having each computer do its own backups using
>>> the native Windows backup application to a file server.
>>>
>>> Rather than having a custodial domain account used by the computers, and
>>> with that all of the hassles of dealing with how to secure the password,
>>> I
>>> am wondering if there is a way to do the DACL permissions to the target
>>> share / file system based on just authentication by Windows domain system of
>>> the target computer itself. Could you put the machine object of the
>>> computer doing the backup into the DACL of the target share\folder-path, and
>>> then run the backup process as SYSTEM on the client computer?
>>>
>>> I did try this as an experiment and the scheduled task refused to run.
>>> That could be a problem with the implementation or with the theory, and
>>> that's why I am checking.
>>>
>>> --
>>> Will
>>>
>>>
>>
>
>
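The approach Roger and Joe describe (NTBackup to local disk under LocalSystem, then a separate copy to the file server, authenticated as the client's machine account), written out as a CMD script. This is an added example, not a script posted in the thread; the share name \\FILESERVER\Backups$, the selection C:\Data and the local folder C:\Backups are placeholders, and the script assumes the share and NTFS DACLs on the target already grant Modify to the client's DOMAIN\CLIENTNAME$ account (or to Domain Computers). It also folds in Roger's suggested test: a plain directory access to the share before the backup runs, so that a permissions or secure-channel failure shows up in the log separately from an NTBackup failure.

```batch
@echo off
setlocal
rem Added example (not from the thread): scheduled NTBackup to local disk,
rem then a separate copy to the file server. When this runs as SYSTEM on a
rem domain member, the file server sees the client's machine account,
rem DOMAIN\%COMPUTERNAME%$, so no user password is stored anywhere.
rem
rem Placeholders (assumptions, not names from the thread):
rem   \\FILESERVER\Backups$   share whose share + NTFS ACLs grant Modify to
rem                           DOMAIN\CLIENTNAME$ or to Domain Computers
rem   C:\Data                 what to back up
set BACKUP_SHARE=\\FILESERVER\Backups$
set LOCAL_DIR=C:\Backups
set SELECTION=C:\Data
set BKF=%LOCAL_DIR%\%COMPUTERNAME%-nightly.bkf
set REMOTE_DIR=%BACKUP_SHARE%\%COMPUTERNAME%
set LOGFILE=%LOCAL_DIR%\backup.log

if not exist "%LOCAL_DIR%" mkdir "%LOCAL_DIR%"
echo %DATE% %TIME% start >> "%LOGFILE%"

rem Step 1 (Roger's test): prove the machine account can reach the share
rem before spending time on the backup. A failure here is an ACL or
rem secure-channel problem on the client/server side, not an NTBackup problem.
if not exist "%REMOTE_DIR%" mkdir "%REMOTE_DIR%" >nul 2>&1
dir "%REMOTE_DIR%" >nul 2>&1
if errorlevel 1 (
    echo %DATE% %TIME% ERROR cannot access %REMOTE_DIR% as the machine account >> "%LOGFILE%"
    exit /b 1
)

rem Step 2: NTBackup to a local .bkf file (normal backup, summary log,
rem no verify pass). Writing locally first keeps a long backup off the network.
ntbackup backup "%SELECTION%" /j "Nightly %COMPUTERNAME%" /f "%BKF%" /m normal /l:s /v:no
if not exist "%BKF%" (
    echo %DATE% %TIME% ERROR ntbackup produced no file at %BKF% >> "%LOGFILE%"
    exit /b 2
)

rem Step 3: copy the finished .bkf out to the share as a separate step
rem (/Z restartable mode, /Y overwrite without prompting).
xcopy "%BKF%" "%REMOTE_DIR%\" /Y /Z >> "%LOGFILE%" 2>&1
if errorlevel 1 (
    echo %DATE% %TIME% ERROR copy of %BKF% to %REMOTE_DIR% failed >> "%LOGFILE%"
    exit /b 3
)
echo %DATE% %TIME% OK %BKF% copied to %REMOTE_DIR% >> "%LOGFILE%"
endlocal
exit /b 0
```

On Windows Server 2003 the script can be scheduled under LocalSystem with `schtasks /create /tn "Nightly backup" /tr C:\Scripts\nightly-backup.cmd /sc daily /st 02:00 /ru SYSTEM`; on Windows 2000 the AT scheduler runs jobs as LocalSystem by default. To reproduce Roger's manual check interactively, a command prompt running as System (for example via Sysinternals `psexec -s -i cmd.exe`) and a `dir \\FILESERVER\Backups$` will show whether the machine account is being accepted before any scheduled task is involved.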

Posted by Will on February 7, 2007, 9:47 pm
> I agree with Roger here, this is something I have done in the past with
> LocalSystem. Create and schedule a CMD script which launches NTBackup
> from the command line and once completed copies the file to a remote
> machine. This should work fine as LocalSystem assuming you are in an
> Active Directory domain.

Just curious if you and Roger have an opinion on this. If a Windows 2000
computer is running a Scheduled Task in LocalSystem context, and it fails
authentication at start of the Scheduled Task (Event ID 529), would that
indicate that Secure Channel to the domain controller is broken, or more of
a local policy issue?

I assume LocalSystem is automatically added to the Log on as a batch job
User Privilege, and in our domain policy I see SYSTEM included to that
privilege anyway (I guess it won't hurt to be explicit about including it).
Perhaps mandatory NTLM2 authentication isn't working correctly. In any
case, things are working great for Windows 2003 member servers.

--
Will


