RE: Domain Controller Best Practice

From: Depp, Dennis M. (deppdm_at_ornl.gov)
Date: 02/23/05

  • Next message: Daniel Schmidt: "Computer accounts in NTFS permissions"
    Date: Wed, 23 Feb 2005 07:39:38 -0500
    To: Miroslaw Slawek Chorazy <mchorazy@depaul.edu>, tim.sullivan@nativemode.com, focus-ms@securityfocus.com
    
    

    I double checked my DCs and of course you are correct about users having
    the right to access this computer from the network. I guess the
    statement I am most concerned with is "as long asone knows what one is
    doing". Two many Windows admins don't know what they are doing.
    Particularly in small shops.

    Dennis

    -----Original Message-----
    From: Miroslaw Slawek Chorazy [mailto:mchorazy@depaul.edu]
    Sent: Tuesday, February 22, 2005 7:22 PM
    To: tim.sullivan@nativemode.com; Depp, Dennis M.;
    focus-ms@securityfocus.com
    Subject: RE: Domain Controller Best Practice

    >The problem with using a Domain Controller as a file server is you are
    >giving the users remote access to the machine. I.e. they have to be
    >granted the right to logon to the machine from the network.

    But Domain Controllers are Mini-File Servers of sorts because the GPO
    Policies and Scripts and what-have-you have to download to Computer and
    User at the time of startup and logon. The Right to "logon to a DC from
    Network" has to be granted to "Authenticated Users" at least.
    I don't see a problem with using Domain Controllers as File Servers as
    long as one knows what one is doing and isolates Shares to separate
    partitions and applies appropriate ACLS.
     
    Slawek

    >>> "Depp, Dennis M." <deppdm@ornl.gov> 2/22/2005 10:11 >>>
    Tim,

    I don't understand your comment "as the DC has no local security
    database, you can no longer use permission assigmentt best practice."
    Microsoft Best practice is to assign users to Global Group, assign
    Global Groups to Local Groups and assign permissions to these local
    groups. With AD, Microsoft has created Domain Local Groups. You can
    use Domain Local groups and still use Microsoft's best practices. In
    our environment, I have bee discouraging Server Local Groups in favor
    of
    Domain Local Groups for all types of permissions. This makes it
    easier
    to move resources from one machine to another.

    The problem with using a Domain Controller as a file server is you are
    giving the users remote access to the machine. I.e. they have to be
    granted the right to logon to the machine from the network. Once a
    user
    has this right, they can utilize this access to use a remote exploit
    to
    gain administrative control of the box. Of course since they have
    adminstrative control of a domain controller, they have administrative
    controll of every machine in the domain as well.

    Denny

    -----Original Message-----
    From: Sullivan Tim P [mailto:tim.sullivan@nativemode.com]
    Sent: Monday, February 21, 2005 8:22 PM
    To: focus-ms@securityfocus.com
    Subject: Domain Controller Best Practice

    I am in need of some supporting documentation relating to Domain
    Controllers.

    The situation is this. A medium sized school would like their single
    DC
    to also be a file server. This DC would be serving about 300 people,
    along with another file server and an email server.

    My initial recommendation is multiple domain controllers for the
    simple
    reason of fault tolerance of the schema. They buy this.

    However, they would like to see technical documentation saying that it
    is not a good idea to have a domain controller share roles as a DC and
    a
    file server.

    One of my main concerns, aside from load, is that high school age kids
    are using the network. They like to poke and prod. I would rather them
    not even poke at the DC. Also, as the DC has no local security
    database,
    you can no longer use permission assignment best practice. To me it
    just
    seems like a bad idea, but I need documentation to back it up.

    Can anyone offer resources to illustrate this? I am scouring technet
    and
    the MS AD deployment docs now.

    Thanks,
    Tim

     

    ______________________
    Tim Sullivan
    Nativemode Technologies
    (623) 910-4700
    tim@nativemode.com

    ------------------------------------------------------------------------

    ---
    ------------------------------------------------------------------------
    ---
    ------------------------------------------------------------------------
    ---
    ------------------------------------------------------------------------
    ---
    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------
    

  • Next message: Daniel Schmidt: "Computer accounts in NTFS permissions"

    Relevant Pages

    • RE: Domain Controller Best Practice
      ... >The problem with using a Domain Controller as a file server is you are ... Microsoft Best practice is to assign users to Global Group, ... Microsoft has created Domain Local Groups. ...
      (Focus-Microsoft)
    • Re: networking requirements - do I need a domain controller?!
      ... Your small network can work perfectly fine without a domain controller. ... 2K-based file server, ...
      (microsoft.public.win2000.networking)
    • Re: networking requirements - do I need a domain controller?!
      ... Jut want to be sure I understand the angles as much as possible before i go setting up a "simplified network' that could throw me into fits! ... > have an old WinNT server acting as a domain controller. ... > doen the server makes all of the network printers and the file server disappear. ...
      (microsoft.public.win2000.networking)
    • Networking shares problem!!
      ... There is a network with about 5 PC's on it connected to a router. ... Domain controller etc. ... Most of the PC's are set to workgroup MSHOME, and one PC which acts as ... All the PC's can access the share on the file server called \ ...
      (microsoft.public.windowsxp.general)
    • RE: Strange Irregular DNS/Networking Problems
      ... My network is not a complicated set up and only has one domain controller. ... problems with DNS resolving after changing DNS servers. ... I was already using the server for DHCP. ...
      (microsoft.public.windows.server.dns)