I currently fear IIS (specifically W3SVC/MSFTPSVC) on a DC, for the security reasons mentioned. Actually, though, I fear all services and processes that are not directly related to the job that the DC needs to do. I try to shut down everything that isn't totally involved with authenticating people, replicating the domain information, or doing directory work. Unfortunately there are some things, like the manufacturers' interface programs for remote control and management hardware etc., that currently have to be enabled.
A DC is there to answer authentication questions or directory questions; as such it is a high security machine, and a compromise there can compromise an entire corporation. They need to be treated in a very special way. I think as MS works more towards a secure environment and the vendors get a clue that fear will lessen, but currently things are still too integrated. Localsystem is one of the most dangerous things. You let me put a service that runs in localsystem on one of your DCs and I own your forest. Let a service run that runs in localsystem that I can compromise and I own your forest. Let me have localsystem on a regular machine in the forest and I will cause you serious headaches. Absolutely nothing that can be remotely touched should run in a localsystem context, because there is a possibility of compromise whether one is known or not. Surprise, W2K3 still can be overflowed even with the overflow protection, so no, you can't continue to write poor unprotected code. Do you have a group outside of your Enterprise Admins that controls services on your DCs that run in localsystem, say AV with autoupdate or some software deployment system or home baked service system or reporting system or managing systems such as Tivoli or MOM or OpenView or ManageX or anything like that? If so, they own your forest. They have the ability to make changes (good/bad/accidental) to it without any input from you; they are an owner with you. Forests should not be shared like that. Everyone with core level access to a corporate forest (regardless of company size) should fit in a small conference room of say 10 ft by 10 ft with a big table and should all report to the same manager; otherwise you can pretty much count your environment as uncontrolled and insecure. Your core security structure should not run in an uncontrolled and insecure manner. The thing against locking down is that we have to forego some flexibility and ease of use for true security.
As things become more secure it is likely that things will not be as easy to do for programmers or inexperienced admins. Most of us aren't dealing with people sneaking bombs and weapons onto planes or trains or buses, but we are responsible for the several hundred or several thousand or several hundred thousand people who need to be able to logon securely in the morning and get their spam and do what it is that makes the company money. To start with, we need to demand that MS stop using localsystem for anything not core to the base functions of the domain controllers and other machines. Actually I think we have seen them start drifting away from LS with W2K3. You also have to demand from MS that when they have code examples in MSDN, they actually use the security features of the calls and not, for simplicity's sake, show it to you without security; in fact, make it so you can't use the function without security. You also have to demand from MS that when they write applications, they be just applications and treat AD in the same way they expect other vendors to treat AD - as a separate thing that they work with - a service you make requests from, not a service that is your whipping boy. The Exchange 2000 line is a great example of software NOT following that model. I think if you asked the E2K Dev group they would probably say that AD exists for the benefit of E2K. You also have to demand the same things from the other vendors, as they tend to do things in the laziest way they can and when looking at MS try to follow their lead. It is a painful fight, and initially you may think that it isn't worth it because you haven't had a problem or the group in question is "trusted". After you have a problem and someone says oops, you will have a different viewpoint. Hopefully that viewpoint is while you are still at the same company, because you weren't fired or it went out of business because of your misjudgement on what is or isn't worth fighting for.
Try this exercise next time you talk to a vendor about a piece of software. Install it for them and configure it to run as a normal user. When they say it has to run in localsystem or with admin rights, ask them why specifically. In the 7-8 years I have done this almost all of them have no idea why. In fact once I was told by one vendor that admin access was only needed for changes; when I went to install the software on a workstation it said I needed to be an admin of the domain. I asked the vendor what it is trying to change? He had no idea. It was months before I heard from them again. Another vendor told me they needed to be account ops or admins to unlock user accounts on AD. I went home that night and wrote unlock, which used WP delegated to lockoutTime. Basically most vendors, and MS on MANY occasions, have no idea that they actually need one specific right or these three specific rights or the ability to create/delete one object in one OU, because they never took the time to understand their own product, just get it made and to market. You need to read performance counters remotely? Nope, don't need to be an admin (we were doing this with normal userids all the way back in NT4). Need to have someone be able to stop and start a service? Nope, don't need to be an admin either (again, doing that with normal userids all the way back in NT4). Need to see if replication is working between DCs? How does iadstools do it without being an admin? Give me a userid in your forest and let me run a perl script that hits iadstools that I wrote back in 2000 and I will tell you if you are replicating and what your replication connections are and where they are to. Need to update files in a subfolder of the c drive and you only know how to do it via admin rights? Have a nice day, you don't know enough to write software for my systems - stay out of my c drive unless I say you can go there and please go off and learn about ntfs.
Try it yourself, learn how much or how little your vendors really know. Don't let them take the easy road. It is your security and job they are jeopardizing.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, September 20, 2003 9:23 PM
To: [EMAIL PROTECTED]

William,

Let me clarify myself: I don't FEAR IIS on a DC. Just from a security perspective, I don't think it's smart. I don't see any reason to put a known problem on my domain's authentication source, among other things. Now, I might change my mind if we're talking about IIS 6.0, but likely not. Least privilege access. IIS is not needed on a DC, and is not part of what a DC needs to do what it is designed for. But, that's just me. Wonderful thing about freedom - each is free to do whatever he wants. As long as it doesn't impede on the freedom of others, have at it.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of William Lefkovics
Sent: Saturday, September 20, 2003 8:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SUS does SPs now

I agree with that premise of no SUS on a DC, though I have no fear of IIS on a DC. Domain controllers are special and should not get auto-anything in terms of updates or other changes.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, September 20, 2003 11:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SUS does SPs now

Raymond,

Good question - I hope that I can provide a good answer. I would NOT suggest or recommend deploying SUS to a DC for one simple reason: It requires IIS, and for security purposes, I will not deploy IIS onto a domain controller - which clearly dismisses a DC from hosting SUS IMHO.
Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Saturday, September 20, 2003 12:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SUS does SPs now

I have a somewhat silly question on SUS... Would anyone recommend against installing it on a DC? And if so, I'm curious as to why (other than the obvious things, like it's a DC :) )

Thanks,
Raymond McClinnis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Friday, September 19, 2003 12:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SUS does SPs now

You will have to setup two SUS servers. One in a dev environment and one on the corporate network. The dev SUS will get the updates directly from MSFT and then once approved, the other SUS will be able to pull those updates for the corporate clients.

****************************************
Steve Shaff
Active Directory / Exchange Administrator
Corillian Corporation
(W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken)
Sent: Friday, September 19, 2003 10:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SUS does SPs now

Yes.

Kenneth W. (Ken) Adams, MCSA, MCSE

-----Original Message-----
From: Rod Trent [mailto:[EMAIL PROTECTED]
Sent: Friday, September 19, 2003 12:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SUS does SPs now

Aren't we saying the same thing, then? Updates deployed to test environment, then approval, then deployment to production.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken)
Sent: Friday, September 19, 2003 11:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SUS does SPs now

Not if your SUS server is used to supply the fixes to your test environment.

Kenneth W. (Ken) Adams, MCSA, MCSE

-----Original Message-----
From: Rod Trent [mailto:[EMAIL PROTECTED]
Sent: Friday, September 19, 2003 9:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SUS does SPs now

The approval in the change management process should be before the update is even deployed -- after testing against applications, services, infrastructure, rollback, etc.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken)
Sent: Friday, September 19, 2003 8:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SUS does SPs now

It's also good if you have a Change Management process that requires a CM record be created and approved by a review board before the actual installation occurs.

Ken A., MCSA, MCSE

-----Original Message-----
From: Rod Trent [mailto:[EMAIL PROTECTED]
Sent: Friday, September 19, 2003 7:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SUS does SPs now

That's good if you have a minimal number of servers.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken)
Sent: Friday, September 19, 2003 7:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SUS does SPs now

I'll be setting up SUS SP updates to servers, only I set my servers to download and notify, not to automatically install and boot. I keep control that way.

Ken A., MCSA, MCSE

-----Original Message-----
From: Henderson Richard [mailto:[EMAIL PROTECTED]
Sent: Friday, September 19, 2003 7:13 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] SUS does SPs now

As it will only run on W2KSP2+ Clients, SMS is still needed for NT4 Clients.
But another question: how many here will setup SUS SP updates to Servers? i.e. 100 servers all being rebooted at 3am Sunday morning??

-----Original Message-----
From: Graham Turner [mailto:[EMAIL PROTECTED]
Sent: 19 September 2003 09:44
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] SUS does SPs now

Have just picked up on this thread of SUS - looks a real winner. Would be glad for the views of the positioning of this product relative to SMS??

GT

----- Original Message -----
From: "Free, Bob" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 18, 2003 11:44 PM
Subject: RE: [ActiveDir] SUS does SPs now

> a complete rollup with every patch released for a particular OS.

There is actually a current WU beta along those lines... If history repeats, it may be available sooner than later.

-----Original Message-----
From: Crenshaw, Jason [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 18, 2003 1:17 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] SUS does SPs now

You should see a "roll-back/recall" in SUS 2.0. I didn't hear about the SPs being available in SUS until this morning when I saw that it was something that was available to be published, so something or someone must have pulled the trigger for this to happen. Being an Enterprise customer of Microsoft, they usually go way out of their way to ensure that we know about major upcoming changes before going live with them. I guess Microsoft is tired of getting slammed with deployment problems for SPs. For anyone not using SMS, UpdateExpert, or something else along those lines, deploying SPs enterprise wide can be a task within itself. It's too bad that Microsoft doesn't offer patches in a two prong manner. One being you can just install the one "hotfix" for a particular problem and the other would be a complete rollup with every patch released for a particular OS. Of course, it is easy to say that from a customer side.
I don't have to write or manage any of the changes; I just have to work with what I am given.

Jason

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
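Joe's unlock story above (a vendor asking for Account Operators when the job only needs a write on lockoutTime) is a concrete case of the least-privilege point the whole thread circles around. The following is an added example, not joe's perl/ADSI tool or anything from the list: it delegates WriteProperty on the single attribute lockoutTime, scoped to user objects under one OU, to a helpdesk group, verifies the resulting ACE, and then performs the unlock with nothing more than that right. It assumes the RSAT ActiveDirectory PowerShell module; the OU, group name and sample user are hypothetical placeholders.

```powershell
# Added example (not joe's original tool): delegate only WriteProperty on
# lockoutTime for user objects under one OU to a helpdesk group, then unlock
# an account using that right alone. Hypothetical values: the OU, the group
# and the sample user. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$ou    = 'OU=Staff,DC=example,DC=com'   # hypothetical OU holding the accounts
$group = 'HelpDesk-Unlock'              # hypothetical group receiving the right

# Resolve schemaIDGUIDs from the live schema instead of hardcoding them, so
# the ACE is built from this forest's own attribute and class definitions.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaIdGuid {
    param([string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$lockoutTimeGuid = Get-SchemaIdGuid -LdapDisplayName 'lockoutTime'
$userClassGuid   = Get-SchemaIdGuid -LdapDisplayName 'user'

# One ACE: Allow / WriteProperty / objectType = lockoutTime, inherited only by
# descendant objects of class user. No generic write, no Account Operators.
$sid  = (Get-ADGroup $group).SID
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $lockoutTimeGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid
)

# Run this part once as someone who already holds rights on the OU.
$acl = Get-Acl -Path "AD:\$ou"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Check what was written: the group should show exactly one attribute-scoped
# WriteProperty ACE whose ObjectType is the lockoutTime GUID.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like "*\$group" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType

# Run as a member of the group: unlocking is just writing lockoutTime = 0,
# which is the same write Unlock-ADAccount performs.
Set-ADUser -Identity 'jdoe' -Replace @{ lockoutTime = 0 }   # hypothetical sample user
```

The delegation half runs once under an account that already controls the OU; the last line is all a helpdesk member needs, and if it fails with an access-denied error while Unlock-ADAccount run by an admin succeeds, the ACE is wrong (check that ObjectType in the verification output is the lockoutTime GUID and not empty, which would mean a write on every attribute).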