Investigations into Active Directory Replication Using RPC
Just a quickie...
I have been running Windows 2003 AD and GC (Global Replication) traffic through protocol analysers. The results so far:
- General replication data is not encrypted. Though the data looks scrambled in a protocol analyser, it is just compressed.
- Password data is poorly encrypted. It seems to be using a 56-bit RC4 key (and it is possible that it is only 40-bit).
- Site replication sends sensitive user data in the clear (compressed).
- Statistical data patterns clearly show that the data is not encrypted. There are clear distributions that match the original data distributions.
- This includes SYSVOL data.
More to follow...
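
The byte-distribution check described in the list above can be reproduced on payloads exported from a capture. This is an added example, not the author's tooling: the sample records, the zlib compressor and the SHA-256 keystream are constructed stand-ins (not real replication traffic or its compression), and the 350 cut-off is an assumption.

```python
import hashlib
import math
import zlib
from collections import Counter

# Assumed cut-off: chi-square (255 degrees of freedom) above this is
# treated as non-uniform. Uniform random bytes average about 255.
CHI2_LIMIT = 350.0

def byte_stats(data: bytes) -> tuple[float, float]:
    """Return (Shannon entropy in bits/byte, chi-square against uniform)."""
    if not data:
        raise ValueError("empty payload")
    n = len(data)
    counts = Counter(data)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    expected = n / 256
    chi2 = sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))
    return entropy, chi2

def looks_uniform(data: bytes) -> bool:
    """True when the byte histogram is consistent with cipher output."""
    return byte_stats(data)[1] < CHI2_LIMIT

def sample_records(count: int = 2000) -> bytes:
    """Constructed directory-style records (not captured traffic)."""
    out = []
    for i in range(count):
        guid = hashlib.sha256(b"guid%d" % i).hexdigest()[:32]
        out.append(f"dn: CN=user{i:05d},OU=Staff,DC=example,DC=test\n"
                   f"objectGUID: {guid}\nmail: user{i:05d}@example.test\n")
    return "".join(out).encode()

def keystream(length: int) -> bytes:
    """SHA-256 in counter mode, a stand-in for well-encrypted bytes."""
    blocks = (hashlib.sha256(b"demo-key%d" % i).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

if __name__ == "__main__":
    plain = sample_records()
    samples = {"plaintext": plain,
               "zlib-compressed": zlib.compress(plain, 9),
               "cipher stand-in": keystream(len(plain))}
    for name, data in samples.items():
        entropy, chi2 = byte_stats(data)
        print(f"{name:16} {len(data):7d} B  H={entropy:.3f}  "
              f"chi2={chi2:.0f}  uniform={looks_uniform(data)}")
```

A payload that fails the uniformity test is not the output of a sound cipher. Passing it does not prove encryption, because well-compressed data can also approach a uniform histogram.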