RE: Domain Controller Best Practice

From: Miroslaw Slawek Chorazy (mchorazy_at_depaul.edu)
Date: 02/23/05

    Date: Tue, 22 Feb 2005 18:22:06 -0600
    To: <tim.sullivan@nativemode.com>, <deppdm@ornl.gov>, <focus-ms@securityfocus.com>

    >The problem with using a Domain Controller as a file server is you are
    >giving the users remote access to the machine. I.e. they have to be
    >granted the right to logon to the machine from the network.

    But Domain Controllers are Mini-File Servers of sorts because the GPO
    Policies and Scripts and what-have-you have to download to Computer and
    User at the time of startup and logon. The Right to "logon to a DC from
    Network" has to be granted to "Authenticated Users" at least.
    I don't see a problem with using Domain Controllers as File Servers as
    long as one knows what one is doing and isolates Shares to separate
    partitions and applies appropriate ACLs.
     
    Slawek

    >>> "Depp, Dennis M." <deppdm@ornl.gov> 2/22/2005 10:11 >>>
    Tim,

    I don't understand your comment "as the DC has no local security
    database, you can no longer use permission assignment best practice."
    Microsoft Best practice is to assign users to Global Groups, assign
    Global Groups to Local Groups and assign permissions to these local
    groups. With AD, Microsoft has created Domain Local Groups. You can
    use Domain Local groups and still use Microsoft's best practices. In
    our environment, I have been discouraging Server Local Groups in favor of
    Domain Local Groups for all types of permissions. This makes it easier
    to move resources from one machine to another.

    The problem with using a Domain Controller as a file server is you are
    giving the users remote access to the machine. I.e. they have to be
    granted the right to logon to the machine from the network. Once a user
    has this right, they can utilize this access to use a remote exploit to
    gain administrative control of the box. Of course since they have
    administrative control of a domain controller, they have administrative
    control of every machine in the domain as well.

    Denny

    -----Original Message-----
    From: Sullivan Tim P [mailto:tim.sullivan@nativemode.com]
    Sent: Monday, February 21, 2005 8:22 PM
    To: focus-ms@securityfocus.com
    Subject: Domain Controller Best Practice

    I am in need of some supporting documentation relating to Domain
    Controllers.

    The situation is this. A medium sized school would like their single DC
    to also be a file server. This DC would be serving about 300 people,
    along with another file server and an email server.

    My initial recommendation is multiple domain controllers for the simple
    reason of fault tolerance of the schema. They buy this.

    However, they would like to see technical documentation saying that it
    is not a good idea to have a domain controller share roles as a DC and a
    file server.

    One of my main concerns, aside from load, is that high school age kids
    are using the network. They like to poke and prod. I would rather them
    not even poke at the DC. Also, as the DC has no local security database,
    you can no longer use permission assignment best practice. To me it just
    seems like a bad idea, but I need documentation to back it up.

    Can anyone offer resources to illustrate this? I am scouring technet and
    the MS AD deployment docs now.

    Thanks,
    Tim

     

    ______________________
    Tim Sullivan
    Nativemode Technologies
    (623) 910-4700
    tim@nativemode.com
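The thread touches two concrete mechanisms: the group-nesting pattern Denny describes (accounts into a Global group, the Global group into a Domain Local group, permissions granted only to the Domain Local group) and the "logon to the machine from the network" right that Tim, Denny and Slawek argue over. The PowerShell below is an added example written for this page, not code posted by any of the participants. It assumes the RSAT ActiveDirectory module and an elevated prompt; the group names, OU, folder path and account names are hypothetical placeholders. The first function builds the nesting chain and applies the ACL so that the resource can later move to another server without re-ACLing; the second exports the local security policy with secedit and lists who currently holds SeNetworkLogonRight, which is the check to run before deciding whether a given DC is exposed to ordinary users the way Denny describes.

```powershell
# Added example, not from the thread. Group names, OU, path and accounts are hypothetical.
# Requires the RSAT ActiveDirectory module and an elevated PowerShell session.
#Requires -Modules ActiveDirectory

function New-AgdlpShareAccess {
    <# Accounts -> Global group -> Domain Local group -> Permissions.
       Run on the server that hosts the folder (member server or DC). #>
    param(
        [Parameter(Mandatory)] [string]   $FolderPath,           # e.g. D:\Shares\Staff
        [Parameter(Mandatory)] [string]   $ResourceName,         # e.g. Staff
        [Parameter(Mandatory)] [string]   $GroupOu,              # e.g. OU=Groups,DC=school,DC=example
        [string[]] $UserSamAccountNames = @()                    # accounts for the Global (role) group
    )
    $domain = (Get-ADDomain).NetBIOSName
    $global = "G-$ResourceName-Users"     # role group: who the people are
    $local  = "DL-$ResourceName-Modify"   # resource group: what they may do

    # A -> G: people are members of a Global group that represents a role.
    if (-not (Get-ADGroup -Filter "Name -eq '$global'")) {
        New-ADGroup -Name $global -GroupScope Global -GroupCategory Security -Path $GroupOu
    }
    if ($UserSamAccountNames.Count -gt 0) {
        Add-ADGroupMember -Identity $global -Members $UserSamAccountNames
    }

    # G -> DL: the role group is nested in a Domain Local group that carries the permission.
    if (-not (Get-ADGroup -Filter "Name -eq '$local'")) {
        New-ADGroup -Name $local -GroupScope DomainLocal -GroupCategory Security -Path $GroupOu
    }
    $alreadyNested = Get-ADGroupMember -Identity $local | Where-Object { $_.SamAccountName -eq $global }
    if (-not $alreadyNested) {
        Add-ADGroupMember -Identity $local -Members $global
    }

    # DL -> P: the folder ACL names only the Domain Local group (plus local Administrators).
    if (-not (Test-Path $FolderPath)) { New-Item -ItemType Directory -Path $FolderPath | Out-Null }
    $acl = Get-Acl -Path $FolderPath
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting the volume root's broad ACEs
    $inherit = 'ContainerInherit,ObjectInherit'
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$domain\$local", 'Modify', $inherit, 'None', 'Allow')))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', $inherit, 'None', 'Allow')))
    Set-Acl -Path $FolderPath -AclObject $acl
}

function Get-NetworkLogonRightHolders {
    <# Lists the principals granted "Access this computer from the network"
       (SeNetworkLogonRight) in this machine's local security policy. #>
    $tmp = Join-Path $env:TEMP "secpol-$([guid]::NewGuid()).inf"
    try {
        secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
        $line = Get-Content $tmp | Where-Object { $_ -match '^SeNetworkLogonRight\s*=' }
        if (-not $line) { return @() }
        # Format is "SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11,..." ; '*' marks a SID.
        $entries = ($line -split '=', 2)[1].Trim() -split ','
        foreach ($entry in $entries) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                $sidText = $entry.Substring(1)
                $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
                try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = $sidText }   # unresolvable SID: report it raw
                [pscustomobject]@{ Sid = $sidText; Account = $name }
            } else {
                [pscustomobject]@{ Sid = $null; Account = $entry }
            }
        }
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

# Usage with hypothetical values:
# New-AgdlpShareAccess -FolderPath 'D:\Shares\Staff' -ResourceName 'Staff' `
#     -GroupOu 'OU=Groups,DC=school,DC=example' -UserSamAccountNames 'jdoe','asmith'
# Get-NetworkLogonRightHolders | Format-Table -AutoSize
```

Run Get-NetworkLogonRightHolders on the DC in question and on a plain member file server and compare the two lists; if "Authenticated Users" appears on the DC, as Slawek expects, then the question the thread is really debating is whether the shares' ACLs and partition isolation are enough to compensate for that exposure on a machine whose compromise means domain compromise.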

