RE: Domain Controller Best Practice
From: Depp, Dennis M. (deppdm_at_ornl.gov)
Date: 02/23/05
- Previous message: Marc Fossi: "SecurityFocus Microsoft Newsletter #229"
- Maybe in reply to: Sullivan Tim P: "Domain Controller Best Practice"
- Next in thread: Matthew S Barnes: "Re: Domain Controller Best Practice"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 23 Feb 2005 07:39:38 -0500
To: Miroslaw Slawek Chorazy <mchorazy@depaul.edu>, tim.sullivan@nativemode.com, focus-ms@securityfocus.com
I double checked my DCs and of course you are correct about users having
the right to access this computer from the network. I guess the
statement I am most concerned with is "as long as one knows what one is
doing". Too many Windows admins don't know what they are doing.
Particularly in small shops.
Dennis
-----Original Message-----
From: Miroslaw Slawek Chorazy [mailto:mchorazy@depaul.edu]
Sent: Tuesday, February 22, 2005 7:22 PM
To: tim.sullivan@nativemode.com; Depp, Dennis M.;
focus-ms@securityfocus.com
Subject: RE: Domain Controller Best Practice
>The problem with using a Domain Controller as a file server is you are
>giving the users remote access to the machine. I.e. they have to be
>granted the right to logon to the machine from the network.
But Domain Controllers are Mini-File Servers of sorts because the GPO
Policies and Scripts and what-have-you have to download to Computer and
User at the time of startup and logon. The Right to "logon to a DC from
Network" has to be granted to "Authenticated Users" at least.
I don't see a problem with using Domain Controllers as File Servers as
long as one knows what one is doing and isolates Shares to separate
partitions and applies appropriate ACLS.
Slawek
>>> "Depp, Dennis M." <deppdm@ornl.gov> 2/22/2005 10:11 >>>
Tim,
I don't understand your comment "as the DC has no local security
database, you can no longer use permission assignment best practice."
Microsoft Best practice is to assign users to Global Group, assign
Global Groups to Local Groups and assign permissions to these local
groups. With AD, Microsoft has created Domain Local Groups. You can
use Domain Local groups and still use Microsoft's best practices. In
our environment, I have been discouraging Server Local Groups in favor of
Domain Local Groups for all types of permissions. This makes it easier
to move resources from one machine to another.
The problem with using a Domain Controller as a file server is you are
giving the users remote access to the machine. I.e. they have to be
granted the right to logon to the machine from the network. Once a user
has this right, they can utilize this access to use a remote exploit to
gain administrative control of the box. Of course since they have
administrative control of a domain controller, they have administrative
control of every machine in the domain as well.
Denny
-----Original Message-----
From: Sullivan Tim P [mailto:tim.sullivan@nativemode.com]
Sent: Monday, February 21, 2005 8:22 PM
To: focus-ms@securityfocus.com
Subject: Domain Controller Best Practice
I am in need of some supporting documentation relating to Domain
Controllers.
The situation is this. A medium sized school would like their single DC
to also be a file server. This DC would be serving about 300 people,
along with another file server and an email server.
My initial recommendation is multiple domain controllers for the simple
reason of fault tolerance of the schema. They buy this.
However, they would like to see technical documentation saying that it
is not a good idea to have a domain controller share roles as a DC and a
file server.
One of my main concerns, aside from load, is that high school age kids
are using the network. They like to poke and prod. I would rather them
not even poke at the DC. Also, as the DC has no local security database,
you can no longer use permission assignment best practice. To me it just
seems like a bad idea, but I need documentation to back it up.
Can anyone offer resources to illustrate this? I am scouring technet and
the MS AD deployment docs now.
Thanks,
Tim
______________________
Tim Sullivan
Nativemode Technologies
(623) 910-4700
tim@nativemode.com
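The two points the thread turns on, the AGDLP layering Dennis describes (accounts into Global groups, Global groups into Domain Local groups, permissions on the Domain Local groups) and the "access this computer from the network" right that Slawek notes every DC grants to Authenticated Users, can both be checked from the defender's side. The script below is an added example, not code from anyone in the thread; it assumes the RSAT ActiveDirectory module is installed, that it runs elevated on the server in question, and that the share path is a placeholder.

```powershell
# Added example, not from the thread. Part 1 audits a share's NTFS ACL against
# the AGDLP model: flags ACEs granted to users/computers or directly to Global
# or Universal groups instead of Domain Local groups. Part 2 lists who holds
# SeNetworkLogonRight ("Access this computer from the network") on this host.
# Assumes RSAT's ActiveDirectory module; the share path is a placeholder.
param([string]$SharePath = '\\FILESERVER\Share')   # placeholder path

Import-Module ActiveDirectory

Write-Host "== ACEs on $SharePath that bypass the Domain Local group layer =="
$acl = Get-Acl -Path $SharePath
foreach ($ace in $acl.Access) {
    $ref = $ace.IdentityReference.Value
    # Well-known and machine-local principals are outside the AGDLP question.
    if ($ref -notmatch '\\' -or $ref -match '^(BUILTIN|NT AUTHORITY)\\') { continue }
    $sam = $ref.Split('\')[1]
    # Get-ADGroup returns $null (silently) when the name is a user or computer.
    $grp = Get-ADGroup -Identity $sam -ErrorAction SilentlyContinue
    if (-not $grp) {
        Write-Host "  direct user/computer grant: $ref ($($ace.FileSystemRights))"
    } elseif ($grp.GroupScope -ne 'DomainLocal') {
        Write-Host "  $($grp.GroupScope) group granted directly: $ref ($($ace.FileSystemRights))"
    }
}

Write-Host "== Principals holding SeNetworkLogonRight on $env:COMPUTERNAME =="
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match '^SeNetworkLogonRight\s*=' }
if ($line) {
    # secedit writes SIDs prefixed with '*'; plain account names may also appear.
    foreach ($entry in (($line -split '=')[1].Trim() -split ',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $entry }   # unresolvable SID: print it raw
        } else { $name = $entry }
        Write-Host "  $name"
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

On a domain controller the second section will show Authenticated Users (S-1-5-11) among the holders, which is the grant Slawek refers to; on a member file server it is the list you would compare against the shares you intend to expose.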