Aw thanks Dean. Here I thought you didn't love me. :oP

You should have seen my first response. It was even more succinct....


What are you insane!


This was followed by 

^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^HThis issue with this...

Man, I have a ton of grammar issues in that note.



 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, July 12, 2004 9:07 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Domain Controller Question
Importance: High

For those of you that don't always read the more lengthy, complex replies
... read this one, it's simple (and to some, its content may even seem
obvious) but, IMHO, it's brilliantly put!

Joe's post manages to succinctly address the "whys" of an incredibly complex
topic ... with all due respect, FANTASTIC job Joe, just great!

Deano

--
Dean Wells
MSEtechnology
* Tel: +1 (954) 501-4307
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, July 12, 2004 9:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Question

The issue with this is that it opens more attack vectors on the DC.
Normally the only vectors you have are 

1. Anyone with physical access
2. Any services that expose remotely exploitable holes.


With 1, you can put compensating controls into place such as locking the DC
into a room or locking the cabinet or something like that. However, any
person who has physical access (there has to be someone) that isn't a
domain/ent admin is still a danger. 

With 2, you compensate by not running any services that are not explicitly
required for authenticating/authorizing people and keeping the system well
patched. However any new remote non-authenticated exploit is still a serious
danger.

When you allow users to TS into the machine you now allow any additional
vectors that require local desktop for privilege escalation, PLUS, unless
you have specially built a load to harden against local users like that you
probably have numerous other security issues in terms of what users can get
access to. 

I go by the basic tenet that I am not the smartest person in the universe
when making decisions around security. In that I mean that even though I may
not know of a hole or exploit or how to crack a given system, it doesn't
mean someone else doesn't. Basically I can say something is unsafe but I
can't with certainty declare something irrefutably safe. 

Recall that DCs are KDCs. No one in the business of running KDCs whether
they be on UNIX, Windows, VMS, or other think it is a good idea to let
normal users anywhere near them. It is the heart of the security of your
network. 


On top of that, DCs sometimes have to be rebooted for various replication
issues, etc. Normally this is something that is transparent to the user as
they don't need a DC all of the time and even if they needed one while the
one was down, they would find another and use it. This obviously goes away
if you have the users using files on a DC, using printers on a DC, or most
definitely have them TSing into a DC. 


  joe
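
A check for the exact condition joe warns about (a DC that lets ordinary users log on interactively over Terminal Services), as an added example that is not part of this thread or any list member's code. It assumes it is run in an elevated PowerShell session on the DC itself and reads the "Allow log on through Remote Desktop Services" right from a secedit export.

```powershell
# Added example (not from the thread): report whether this host is a domain
# controller and which principals hold SeRemoteInteractiveLogonRight, the
# user right behind "Allow log on through Remote Desktop Services".
# Assumes: elevated session on the DC, secedit.exe available.

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC = ($role -ge 4)

# Export only the user-rights area of the effective local security policy.
$cfg = Join-Path $env:TEMP 'secpol-userrights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content -Path $cfg |
    Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' } |
    Select-Object -First 1
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

# Export format: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
$principals = @()
if ($line) {
    $principals = (($line -split '=', 2)[1]).Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ }
}

# Translate SIDs to account names; S-1-5-32-544 is BUILTIN\Administrators.
$names = foreach ($p in $principals) {
    if ($p -match '^S-1-') {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($p)
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $p }   # unresolvable SID: report it raw
    } else { $p }
}

# Anything beyond the Administrators group means non-admins can reach the
# DC's desktop, which is the added local attack surface joe describes.
$nonAdmin = @($names | Where-Object { $_ -notmatch '\\Administrators$' })

if ($isDC -and $nonAdmin.Count -gt 0) {
    Write-Warning ("Domain controller grants Remote Desktop logon to: " +
                   ($nonAdmin -join ', '))
} elseif ($isDC) {
    Write-Output 'Domain controller: Remote Desktop logon limited to Administrators.'
} else {
    Write-Output 'Not a domain controller; check not applicable.'
}
```

On a default installation the Default Domain Controllers Policy grants this right to Administrators only, so any extra entry on a DC is worth explaining.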
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
Sent: Monday, July 12, 2004 5:58 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Domain Controller Question

Gotta strange question for you.  Powers to be asked if I would install a
"backup" domain controller on a local terminal server and if I would have a
problem with it.  They do not see an issue with it.  So, basically users
would log into a terminal server that is a DC.  Can you share your opinion?
Also, they said that we can have a domain controller sit there
doing nothing just waiting for the "primary"
controller to fail (not in a cluster configuration)?  Does anyone know
anything about this configuration?  Can you share?

Thanks in advance!


Kind Regards,

Jennifer Fountain
R&B Inc
3400 E Walnut Street
Colmar, PA  18915

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
