I think we're all circling around the idea that while it's not wrong by
definition, it's certainly a sensitive part of the infrastructure, so
"handle with care."

A good approach is to ask yourself: "do I need this particular piece of software on a DC at all?" AV was raised as an example. If none of the infection vectors is present (shared filesystems, executing code that came from another box, running Office or Outlook, etc.), then perhaps you don't need an AV package on the DC at all?

Conversely, the software might be doing something that is specific to the function of the DC (e.g., a password filter DLL to intercept password changes, and trigger PW policy enforcement or PW synchronization). In a case like that, placing the software on the DC is inevitable, so the response should be to 'test, test, test.' :-)


--
Idan Shoham
Chief Technology Officer
M-Tech Information Technology, Inc.
[EMAIL PROTECTED]
http://mtechIT.com

On Fri, 25 Aug 2006, Akomolafe, Deji wrote:

Depends on what the agent is supposed to be doing, whether or not it's been
proven stable or crappy, and whether or not your administrative/security
philosophy allows such an agent to be deployed on DCs.

AFAIK, there is no credible reason to mandate a blanket no-agent-on-DC security 
or operational posture.


Sincerely,
  _____
 (, /  |  /)               /)     /)
   /---| (/_  ______   ___// _   //  _
) /    |_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/                             /)
                              (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: [EMAIL PROTECTED]
Sent: Fri 8/25/2006 10:55 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Agents on Domain Controllers


Is it just me or does it seem like everyone wants to put an agent or 5 on
Domain Controllers these days? Anyone know of any agents to steer clear of
(besides all of them)?


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
