RE: Domain Controller Best Practice - Thanks!

From: Sullivan Tim P (tim.sullivan_at_nativemode.com)
Date: 02/25/05

    Date: Thu, 24 Feb 2005 16:07:26 -0700
    To: "Murtland, Jerry" <MurtlandJ@Grangeinsurance.com>, <focus-ms@securityfocus.com>
    
    

    You don't need to convince me; if it were up to me, these would go on
    separate boxes.

    My client does not feel they have the resources to dedicate two systems
    to be nothing but domain controllers. While I have convinced them
    otherwise, my original intent was to get supporting documentation on
    this belief.

    While I feel I got the needed information, I also did not really find
    anything saying something to the effect of 'Do not make your DC a file
    server'.

    Since it is being brought up though, how would having a file share on a
    separate drive using NTFS place the DC at a greater risk, assuming all
    else is equal? This is purely devil's advocate at this point, BTW.

    Thanks,
    Tim

    -----Original Message-----
    From: Murtland, Jerry [mailto:MurtlandJ@Grangeinsurance.com]
    Sent: Thursday, February 24, 2005 2:00 PM
    To: Sullivan Tim P; focus-ms@securityfocus.com
    Subject: RE: Domain Controller Best Practice - Thanks!

    I don't think I've heard anyone say that "you are not creating a real
    security risk by allowing your DC to also function as a file server".
    In fact you are. All user authentication is occurring on this system.
    User IDs and Passwords for your entire organization are stored here in
    the SAM file. I would consider this a substantial risk to any IT
    infrastructure.

    Risk is measured in degrees proportionate to security controls in place.
    When you allow 'typical' users to access sensitive servers (especially
    an infrastructure server), you increase the risk of this system being
    compromised and your network being exploited. Now, you can lower that
    risk by taking certain measures; it would be up to you to determine what
    those measures are. However, if it doesn't cost you anything to rebuild
    your DC and recreate your user base (backup), then the level of risk is
    also lowered. However, in most cases, time does have a value, and the
    data contained on a system should also. You also have to look at it
    from a liability perspective. If the data were compromised, how could
    it affect our organization?

    There are four things you can do with the risk that you have assessed:
    Accept, Reject, Transfer, or Ignore.

    You really need to evaluate your environment to assess your options.

    Jerry J. Murtland, CISSP

    -----Original Message-----
    From: Sullivan Tim P [mailto:tim.sullivan@nativemode.com]
    Sent: Wednesday, February 23, 2005 11:41 PM
    To: focus-ms@securityfocus.com
    Subject: RE: Domain Controller Best Practice - Thanks!

     
    Thanks to everyone for replies on the DC configuration. I got a number
    of good links.
     
    I would summarize the dialog and what I found through reading as this:
     
    It would be *best practice* to limit the roles a DC has; however, you are
    not creating a real security risk by allowing your DC to also function
    as a file server.
     
    ________________________
    Tim Sullivan
    Nativemode Technologies
    623.910.4700
    tim@nativemode.com

    ________________________________

    From: Sullivan Tim P [mailto:tim.sullivan@nativemode.com]
    Sent: Mon 2/21/2005 6:21 PM
    To: focus-ms@securityfocus.com
    Subject: Domain Controller Best Practice

    I am in need of some supporting documentation relating to Domain
    Controllers.

    The situation is this. A medium-sized school would like their single DC
    to also be a file server. This DC would be serving about 300 people,
    along with another file server and an email server.

    My initial recommendation is multiple domain controllers for the simple
    reason of fault tolerance of the schema. They buy this.

    However, they would like to see technical documentation saying that it
    is not a good idea to have a domain controller share roles as a DC and a
    file server.

    One of my main concerns, aside from load, is that high-school-age kids
    are using the network. They like to poke and prod. I would rather they
    not even poke at the DC. Also, as the DC has no local security database,
    you can no longer use permission assignment best practice. To me it just
    seems like a bad idea, but I need documentation to back it up.

    Can anyone offer resources to illustrate this? I am scouring TechNet and
    the MS AD deployment docs now.

    Thanks,
    Tim

    ______________________
    Tim Sullivan
    Nativemode Technologies
    (623) 910-4700
    tim@nativemode.com
