Wednesday 25 March 2015

AD Service Administrator Object Protection - Design Scope

Service Administrator Object Protection

Since Windows 2000, Active Directory has included a background process, commonly called SDProp (Security Descriptor Propagator), that enforces a known security descriptor on a set of highly privileged "protected" accounts and groups. It runs only on the domain controller holding the PDC Emulator role in each domain. On every pass it compares the security descriptor of each protected object with a template; where they differ it overwrites the object's ACL with the template, disables ACL inheritance on the object, and sets the object's adminCount attribute to 1. The process does not stop an accidental or deliberate change to these ACLs from being made, but it reverts the change on the next pass, so an added permission does not survive for long. By default a pass runs every 60 minutes. The interval can be changed through the AdminSDProtectFrequency value (in seconds) under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters on the PDC Emulator, although Microsoft recommends leaving the default in place.




Object             Scope
-----------------  ------
Enterprise Admins  Forest
Schema Admins      Forest
Administrators     Domain
Domain Admins      Domain
Server Operators   Domain
Backup Operators   Domain
Administrator      Domain (the built-in domain Administrator account, RID 500; the DS Restore Mode administrator is a local SAM account on each DC, not a directory object, and is not covered)
Account Operators  Domain
Print Operators    Domain
Replicator         Domain

Later versions extend this list; notably the krbtgt account and the Domain Controllers and Read-only Domain Controllers groups are also protected. Membership is evaluated transitively, so users and groups nested in any of these groups are protected as well.

The security descriptor template that is applied to these objects is stored in the nTSecurityDescriptor attribute of the AdminSDHolder object, which lives in the System container of each domain:
CN=AdminSDHolder,CN=System,DC=DomainName

The security descriptor on the AdminSDHolder object therefore does two jobs: it controls access to AdminSDHolder itself, and it is the master copy that is stamped onto the protected groups and their members so that they stay protected.

Care should be taken when modifying the security descriptor of the AdminSDHolder object, as any change is cascaded within one SDProp cycle to every object covered by the protection process, namely the objects listed in the table above and their members. The same property makes AdminSDHolder a well-known persistence target: anyone who can write its ACL is effectively granted, and repeatedly re-granted, that access on every privileged account in the domain. Its ACL should be audited, and changes to it alerted on (with directory service auditing enabled, modifications surface as event 5136). Note also that SDProp does not clean up after itself: an account removed from a protected group keeps adminCount=1 and blocked inheritance until an administrator resets them, so such "orphaned" objects never regain the permissions inherited from their OU.
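The following PowerShell script is an added example, not part of the original post. It reads the template DACL from AdminSDHolder, finds every object SDProp has stamped (adminCount=1), and reports which of them deviate from the template, which is the check a practitioner would run before and after touching AdminSDHolder or when looking for orphaned protected objects. It assumes the RSAT ActiveDirectory module, the AD: PSDrive it provides, and read access to security descriptors; the registry path and the rootDSE attribute are the documented Microsoft ones. The function and variable names are this example's own.

```powershell
# Added example: audit AdminSDHolder and the objects SDProp protects.
# Assumes RSAT ActiveDirectory module and rights to read security descriptors.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$holderDN = "CN=AdminSDHolder,$($domain.SystemsContainer)"

# Normalise an ACE to a comparable string: trustee, rights, allow/deny,
# and the object/inherited-object GUIDs (property- or class-specific ACEs).
function Convert-AceToKey {
    param($Ace)
    '{0}|{1}|{2}|{3}|{4}' -f $Ace.IdentityReference, $Ace.ActiveDirectoryRights,
        $Ace.AccessControlType, $Ace.ObjectType, $Ace.InheritedObjectType
}

# 1. Template: only the explicit ACEs on AdminSDHolder are stamped onto
#    protected objects; SDProp blocks inheritance on them, so anything
#    inherited from CN=System never reaches a protected account.
$templateKeys = (Get-Acl -Path "AD:\$holderDN").Access |
    Where-Object { -not $_.IsInherited } |
    ForEach-Object { Convert-AceToKey $_ } | Sort-Object -Unique

# 2. Everything SDProp has touched carries adminCount=1. That set includes
#    current members of protected groups and "orphans" that were removed
#    from a group but never had adminCount and inheritance reset.
$protected = Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount, objectClass

$report = foreach ($obj in $protected) {
    try {
        $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)" -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL of $($obj.DistinguishedName): $_"
        continue
    }
    $keys    = @($acl.Access | Where-Object { -not $_.IsInherited } |
                 ForEach-Object { Convert-AceToKey $_ } | Sort-Object -Unique)
    $missing = @($templateKeys | Where-Object { $keys -notcontains $_ })   # in template, not on object
    $extra   = @($keys | Where-Object { $templateKeys -notcontains $_ })   # on object, not in template

    [pscustomobject]@{
        Name            = $obj.Name
        Class           = $obj.ObjectClass
        InheritanceOff  = $acl.AreAccessRulesProtected   # SDProp sets this to $true
        MatchesTemplate = ($missing.Count -eq 0 -and $extra.Count -eq 0)
        MissingAces     = $missing -join '; '
        ExtraAces       = $extra -join '; '                # extra ACEs are the ones to investigate
    }
}

# Mismatches first: either a change made since the last pass, or drift that
# needs explaining (a hand-edited object, or an orphan never cleaned up).
$report | Sort-Object MatchesTemplate, Name | Format-Table -AutoSize -Wrap

# 3. Interval: 60 minutes unless AdminSDProtectFrequency (seconds) is set on
#    the PDC Emulator. Only meaningful when run on that DC.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$freq = (Get-ItemProperty -Path $ntds -Name AdminSDProtectFrequency -ErrorAction SilentlyContinue).AdminSDProtectFrequency
if (-not $freq) { $freq = 3600 }
"SDProp interval: $freq seconds (PDC Emulator: $($domain.PDCEmulator))"

# 4. Optional: force an immediate pass instead of waiting for the next one.
#    rootDSE operational attribute documented by Microsoft; needs Domain Admin.
# $rootDse = [ADSI]"LDAP://$($domain.PDCEmulator)/RootDSE"
# $rootDse.Put('RunProtectAdminGroups', 1); $rootDse.SetInfo()
```

An object that shows MatchesTemplate=False with ExtraAces populated is the interesting case: either somebody has just granted a permission that SDProp has not yet reverted, or the template on AdminSDHolder itself has been altered (in which case every protected object will soon "match" the altered template, so compare $templateKeys against a known-good baseline rather than trusting it). Objects with InheritanceOff=True and adminCount=1 that are no longer members of any protected group are the orphans mentioned above; clearing adminCount and re-enabling inheritance on them is a manual step.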
