RE: Domain Controller Best Practice - Thanks!

From: Frank Knobbe (frank_at_knobbe.us)
Date: 02/27/05

  • Next message: Johnson, Jared: "RE: Terminal Services - Domain Controller - Normal User"
    To: "Murtland, Jerry" <MurtlandJ@Grangeinsurance.com>
    Date: Sat, 26 Feb 2005 21:59:40 -0600
    
    
    

    On Thu, 2005-02-24 at 16:00 -0500, Murtland, Jerry wrote:
    > I don't think I've heard anyone say that "you are not creating a real
    > security risk by allowing your DC to also function as a file server". In
    > fact you are. All user authentication is occurring on this system. User
    > ID's and Passwords for your entire organization are stored here in the SAM
    > file. I would consider this a substantial risk to any IT infrastructure.

    But you wouldn't be sharing the "SAM file" now, would you?

    Aside from availability/load issues, what security risks are really
    present? You have a Domain Controller in your network. Network
    authentication is possible/exposed one way or another. On the other
    hand, you have a simple file server serving files via a share point. Why
    can't the domain controller also be sharing files? (Again, focus on
    security, not availability concerns. For this example, assume that the host
    has oodles of CPU power and bandwidth, and the share is located on a
    separate drive from the AD data.)

    Could you please outline some attack vectors that you would not have on
    a layout using two servers (one for authentication and one for file
    sharing)? Remember, we're talking access to file shares, not local logon
    access.

    Thanks in advance,
    Frank

    
    


