RE: Domain Controller Best Practice
From: Depp, Dennis M. (deppdm_at_ornl.gov)
Date: 02/22/05
- Previous message: Sullivan Tim P: "Domain Controller Best Practice"
- Maybe in reply to: Sullivan Tim P: "Domain Controller Best Practice"
- Next in thread: John Fellers: "RE: Domain Controller Best Practice"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 22 Feb 2005 11:11:12 -0500 To: Sullivan Tim P <tim.sullivan@nativemode.com>, focus-ms@securityfocus.com
Tim,
I don't understand your comment "as the DC has no local security
database, you can no longer use permission assigmentt best practice."
Microsoft Best practice is to assign users to Global Group, assign
Global Groups to Local Groups and assign permissions to these local
groups. With AD, Microsoft has created Domain Local Groups. You can
use Domain Local groups and still use Microsoft's best practices. In
our environment, I have bee discouraging Server Local Groups in favor of
Domain Local Groups for all types of permissions. This makes it easier
to move resources from one machine to another.
The problem with using a Domain Controller as a file server is you are
giving the users remote access to the machine. I.e. they have to be
granted the right to logon to the machine from the network. Once a user
has this right, they can utilize this access to use a remote exploit to
gain administrative control of the box. Of course since they have
adminstrative control of a domain controller, they have administrative
controll of every machine in the domain as well.
Denny
-----Original Message-----
From: Sullivan Tim P [mailto:tim.sullivan@nativemode.com]
Sent: Monday, February 21, 2005 8:22 PM
To: focus-ms@securityfocus.com
Subject: Domain Controller Best Practice
I am in need of some supporting documentation relating to Domain
Controllers.
The situation is this. A medium sized school would like their single DC
to also be a file server. This DC would be serving about 300 people,
along with another file server and an email server.
My initial recommendation is multiple domain controllers for the simple
reason of fault tolerance of the schema. They buy this.
However, they would like to see technical documentation saying that it
is not a good idea to have a domain controller share roles as a DC and a
file server.
One of my main concerns, aside from load, is that high school age kids
are using the network. They like to poke and prod. I would rather them
not even poke at the DC. Also, as the DC has no local security database,
you can no longer use permission assignment best practice. To me it just
seems like a bad idea, but I need documentation to back it up.
Can anyone offer resources to illustrate this? I am scouring technet and
the MS AD deployment docs now.
Thanks,
Tim
______________________
Tim Sullivan
Nativemode Technologies
(623) 910-4700
tim@nativemode.com
------------------------------------------------------------------------
--- ------------------------------------------------------------------------ --- --------------------------------------------------------------------------- ---------------------------------------------------------------------------
- Previous message: Sullivan Tim P: "Domain Controller Best Practice"
- Maybe in reply to: Sullivan Tim P: "Domain Controller Best Practice"
- Next in thread: John Fellers: "RE: Domain Controller Best Practice"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
