Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Domain Controller Best Practice

from [Depp, Dennis M.] Network Security [Permanent Link]
Subject: RE: Domain Controller Best Practice
Date: Wed, 23 Feb 2005 07:39:38 -0500 
I double checked my DCs and of course you are correct about users having
the right to access this computer from the network.  I guess the
statement I am most concerned with is "as long asone knows what one is
doing". Two many Windows admins don't know what they are doing.
Particularly in small shops.

Dennis 

-----Original Message-----
From: Miroslaw Slawek Chorazy [mailto:mchorazy@depaul.edu] 
Sent: Tuesday, February 22, 2005 7:22 PM
To: tim.sullivan@nativemode.com; Depp, Dennis M.;
focus-ms@securityfocus.com
Subject: RE: Domain Controller Best Practice


The problem with using a Domain Controller as a file server is you are
giving the users remote access to the machine.  I.e. they have to be
granted the right to logon to the machine from the network. 


But Domain Controllers are Mini-File Servers of sorts because the GPO
Policies and Scripts and what-have-you have to download to Computer and
User at the time of startup and logon. The Right to "logon to a DC from
Network" has to be granted to "Authenticated Users" at least. 
I don't see a problem with using Domain Controllers as File Servers as
long as one knows what one is doing and isolates Shares to separate
partitions and applies appropriate ACLS.
 
Slawek



"Depp, Dennis M." <deppdm@ornl.gov> 2/22/2005 10:11 >>>

Tim,

I don't understand your comment "as the DC has no local security
database, you can no longer use permission assigmentt best practice."
Microsoft Best practice is to assign users to Global Group, assign
Global Groups to Local Groups and assign permissions to these local
groups.  With AD, Microsoft has created Domain Local Groups.  You can
use Domain Local groups and still use Microsoft's best practices.  In
our environment, I have bee discouraging Server Local Groups in favor
of
Domain Local Groups for all types of permissions.  This makes it
easier
to move resources from one machine to another.  

The problem with using a Domain Controller as a file server is you are
giving the users remote access to the machine.  I.e. they have to be
granted the right to logon to the machine from the network.  Once a
user
has this right, they can utilize this access to use a remote exploit
to
gain administrative control of the box.  Of course since they have
adminstrative control of a domain controller, they have administrative
controll of every machine in the domain as well.

Denny 

-----Original Message-----
From: Sullivan Tim P [mailto:tim.sullivan@nativemode.com] 
Sent: Monday, February 21, 2005 8:22 PM
To: focus-ms@securityfocus.com 
Subject: Domain Controller Best Practice

I am in need of some supporting documentation relating to Domain
Controllers.

The situation is this. A medium sized school would like their single
DC
to also be a file server. This DC would be serving about 300 people,
along with another file server and an email server.

My initial recommendation is multiple domain controllers for the
simple
reason of fault tolerance of the schema. They buy this.

However, they would like to see technical documentation saying that it
is not a good idea to have a domain controller share roles as a DC and
a
file server. 

One of my main concerns, aside from load, is that high school age kids
are using the network. They like to poke and prod. I would rather them
not even poke at the DC. Also, as the DC has no local security
database,
you can no longer use permission assignment best practice. To me it
just
seems like a bad idea, but I need documentation to back it up.

Can anyone offer resources to illustrate this? I am scouring technet
and
the MS AD deployment docs now.

Thanks,
Tim

 

______________________
Tim Sullivan
Nativemode Technologies
(623) 910-4700
tim@nativemode.com 

------------------------------------------------------------------------
---
------------------------------------------------------------------------
---


------------------------------------------------------------------------
---
------------------------------------------------------------------------
---


---------------------------------------------------------------------------
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  SecurityFocus Microsoft Newsletter #229, Marc Fossi
Next by Date:  Computer accounts in NTFS permissions, Daniel Schmidt
Previous by Thread:  RE: Domain Controller Best Practice, Miroslaw Slawek Chorazy
Next by Thread:  Re: Domain Controller Best Practice, Matthew S Barnes
Indexes:  [Date] [Thread] [Top] [All Lists]