"Quite honestly, you really shouldn't need to run AV software on DCs, there shouldn't be vectors for them to be infected. If they get infected, it usually means an Admin was careless - actually in every case of an infected DC I have investigated it has been an admin being careless."

I disagree. All machines have an attack vector. In this case perhaps the admin is the weakest link, but then that's no reason to exclude DCs from AV protection. From a TCO perspective, an environment where all machines are configured in a similar fashion must be the optimum. Why manage AV protected and non-AV protected machines?

I agree wrt the op guidelines - these best practices can be used to minimise the attack surface but can never reduce it to zero, however.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 30 March 2005 06:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD/ Virus outbreak

1. Don't log into servers to do daily work, learn how to do things with remote interfaces.
2. Do not run IE, OE, or pretty much any App interactively on servers.
3. Do not log into workstations with IDs that have admin rights on servers, use RUNAS or scripts that require you to specify the creds, etc. Even avoid fixed drive letters to DCs with admin creds, use UNCs if you want to use NET USE /USER.
4. Do not allow normal users to write to the file systems of a DC.
5. Keep DCs fully patched and do not run unnecessary services.

Quite honestly, you really shouldn't need to run AV software on DCs, there shouldn't be vectors for them to be infected. If they get infected, it usually means an Admin was careless - actually in every case of an infected DC I have investigated it has been an admin being careless.

Yes you can put all roles on one DC. In an empty root I would have done it already anyway and would have made all DCs in the empty root GCs most likely as well.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Tuesday, March 29, 2005 12:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD/ Virus outbreak

Hi,

I have 3 DCs in a protected root domain and 2 child domains. Unfortunately the 3 root DCs were not running a virus client, totally missed....anyway. Looks like it is using known Windows exploitability to drop files and what not. 2 of the 3 seem to be infected (the ones with the Schema Master & DNM and PDCE). If I have to rebuild, can I at least for the interim transfer the above roles to the 3rd DC (with the RIDM and IM)? GC is on 1 & 2 as well.

Thanks,

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
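The interim role move Devan asks about (Schema Master, Domain Naming Master and PDC Emulator off the two suspect root DCs onto the clean third one, which joe confirms is fine) is shown below as an added example; it is not code from the thread. It assumes the ActiveDirectory PowerShell module, which postdates this 2005 thread (the contemporary tool was ntdsutil's `roles` menu), and the DC names ROOTDC1, ROOTDC2 and ROOTDC3 are made up for illustration.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module
# (RSAT / Windows Server 2008 R2 or later) and hypothetical DC names.
Import-Module ActiveDirectory

# 1. Record the current holder of every operations master role before
#    touching anything, so the change can be verified and documented.
function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster        # forest-wide
        DomainNamingMaster   = $forest.DomainNamingMaster  # forest-wide
        PDCEmulator          = $domain.PDCEmulator         # per domain
        RIDMaster            = $domain.RIDMaster           # per domain
        InfrastructureMaster = $domain.InfrastructureMaster# per domain
    }
}

$before = Get-FsmoHolders
"Role holders before the move:"
$before | Format-Table -AutoSize

# 2. Move the three roles from the suspect DCs to the clean one.
#    A transfer requires the current holder to be online and cooperating.
#    Only if the holder is unreachable should -Force be added to seize the
#    role, and a DC whose role has been seized must not return to the
#    forest until it has been rebuilt and its metadata cleaned up.
$target     = 'ROOTDC3'   # hypothetical: the root DC that was not infected
$targetFqdn = (Get-ADDomainController -Identity $target).HostName

Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator `
    -Confirm:$false

# 3. Verify: all five roles should now resolve to the clean DC, which also
#    already held the RID and Infrastructure masters per the original post.
$after = Get-FsmoHolders
"Role holders after the move:"
$after | Format-Table -AutoSize

$misplaced = $after.GetEnumerator() | Where-Object { $_.Value -ne $targetFqdn }
if ($misplaced) {
    Write-Warning ("Roles not on {0}: {1}" -f $targetFqdn, ($misplaced.Key -join ', '))
} else {
    "All operations master roles are held by $targetFqdn."
}

# Cross-check from the DC objects themselves rather than the forest/domain
# objects, in case replication of the change has not reached every partner.
Get-ADDomainController -Filter * |
    Select-Object HostName, OperationMasterRoles |
    Format-Table -AutoSize
```

Moving the roles only keeps the forest operating while the infected DCs are rebuilt; it does nothing to clean them. The rebuild itself is a forced demotion (or reinstall) followed by metadata cleanup of the old DC objects, and the replication cross-check at the end is worth repeating after that cleanup, since a stale DC object can still advertise a role it no longer holds.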