Re: Share Point?
From: Bronek Kozicki (brok_at_rubikon.pl)
Date: 05/10/03
- Previous message: Brian W. Spolarich: "RE: Share Point?"
- In reply to: Matt Andreko: "RE: Share Point?"
- Next in thread: John Davis: "RE: Share Point?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Matt Andreko" <mandreko@ori.net>, "'Roberts Phillip (IBM)'" <phillip.roberts@thomson.net>, "'Derek Schaible'" <dschaible@cssiinc.com>, <focus-ms@securityfocus.com>
Date: Sat, 10 May 2003 12:22:11 +0200
Matt Andreko <mandreko@ori.net> wrote:
> Going with that, do you really want your anonymous users visiting your
> domain controller? If the machine gets compromised, the user has
> domain privileges. This negates all the security, unless it's a domain
> controller for a domain with 0 clients.
If AD is being used only locally by the IIS server, is not connected to any
other computer (nor used by internal services or anything inside or
outside the DMZ, nor connected to some domain tree), then LocalSystem
privileges can't be propagated to other computers. In such a situation
there's no difference between a compromised AD and a compromised SAM.
Moreover, AD delivers some mechanics which can lower the risk of machine
compromise (GPO, Kerberos authentication etc.). I know it sounds
strange, but if the IIS server is logically isolated from the outside world
(including other servers in the DMZ) I DO recommend setting up AD on it.
A LocalRoot compromise can not do more harm (compared to the situation when
the server has SAM only) because it's used only locally on this computer,
but can be better prevented. Of course in a perfect world you would have
separate IIS (maybe a load balancing cluster) and AD controller(s), all in
the DMZ.
B.