RE: Domain Controller Best Practice - Thanks!
From: Frank Knobbe (frank_at_knobbe.us)
To: "Murtland, Jerry" <MurtlandJ@Grangeinsurance.com> Date: Sat, 26 Feb 2005 21:59:40 -0600
On Thu, 2005-02-24 at 16:00 -0500, Murtland, Jerry wrote:
> I don't think I've heard anyone say that "you are not creating a real
> security risk by allowing your DC to also function as a file server". In
> fact you are. All user authentication is occurring on this system. User
> ID's and Passwords for your entire organization are stored here in the SAM
> file. I would consider this a substantial risk to any IT infrastructure.
But you wouldn't be sharing the "SAM file" now, would you?
Aside from availability/load issues, what security risks are really
present? You have a Domain Controller in your network. Network
authentication is possible/exposed one way or another. One the other
hand, you have a simple file server service files via a share point. Why
can't the domain controller also be sharing files? (Again, focus on
security, not availability concerns. For this example, assume that hosts
has oodles of CPU power and bandwidth, and the share is located on a
separate dive from the AD data.)
Could you please outline some attack vectors that you would not have on
a layout using two servers (one for authentication and one for file
sharing)? Remember, we're talking access to file shares, not local logon
Thanks in advance,
- application/pgp-signature attachment: This is a digitally signed message part