Re: Adding Computers to the Domain (AD)

From: Miha Pihler [MVP] (mihap-news_at_atlantis.si)
Date: 03/16/05


Date: Wed, 16 Mar 2005 23:11:46 +0100

I would like to second what was already said. A computer doesn't have to be a
member of the domain to spread viruses on the network! All it has to be is
plugged into the network and running... (computers infected with Blaster that
were on the Internet were not part of the domain that they infected...) ;-)
Again, I would like to point out that since you are the administrator of the
domain you have control over what is going on on computers that are part of
the domain (no matter who adds them to the domain). This is where Group Policy
can help you out in a big way...

I can agree that having control over who may add computers to the domain can
be a good thing, but it is not a solution to every question and every
problem... This is the reason why I brought up the question...

One of the first things that I do or recommend for my customers (they may
still prefer to prevent users from adding computers to the domain) is to write
a security policy that prohibits users from plugging into the LAN a computer
that is not the property of the company and to define measures against users
who violate this policy...

-- 
Mike
Microsoft MVP - Windows Security
"Mr. Smith" <backup@yahoo.com> wrote in message 
news:eLoQpVmKFHA.3184@TK2MSFTNGP09.phx.gbl...
> This is exactly why I was asking; why would I trust a "user" with any 
> deregulation such as adding a computer to the AD / Domain / Network even.
>
>
>
> W/O explicit permission is a user even allowed to add a network device to 
> the network itself?   If the user can't install software, do updates 
> because they are just that "A USER", why are they allowed to add a 
> machine that is full of, let's say: the Blaster worm and many other 
> infestations and now have permissions on a system level to attack other 
> systems within the AD / Domain.  That's a breach in security.
>
>
>
> So I would like to know who did that.  In "My" Domain I am GOD and I say 
> what should and shouldn't be here and for any Administrator that's the way 
> of thinking you should have.  Hell I even tell the owner of the company 
> and my tech directory what they can and can not do on my domain and my 
> network.
>
> 

