Advanced Server != domain controller. This is as an aside to the fact that
there is no longer such a thing as a PDC in Windows 2000. That is all I am
saying.

It sounds like there are some pretty strict security guidelines. Based on
those guidelines, if it were me, I would not install it as a domain
controller. For that matter, I wouldn't have likely spent the extra cash on
AS, unless there was a hardware reason for it (processors/RAM), but that is
another point. 

Based on the information that you have provided, if it were me, I would use
a VPN for the remote sites. I would then shut down any ports that aren't
required outside of the applications I am running. I would also configure
the box for terminal services, so that everyone could get on the box, check
code in/out, but I would disable the server and workstation services
(technically, just the WS service needs to be disabled) so that they can't
go browsing your network from that box. If you have a DMZ, I would stick the
box out there just for extra precautions.

Outside of a better definition of the goals and direction, this is the best
advice I can offer. Sorry.

Wes Noonan, MCP+I/MCSE/MCT/CCNA/NNCSS
Senior QA Rep
(713) 918-2412
BMC Software, Inc.
[EMAIL PROTECTED]
http://www.bmc.com

 -----Original Message-----
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent:   Friday, September 15, 2000 15:50
To:     Noonan, Wesley; [EMAIL PROTECTED]
Cc:     [EMAIL PROTECTED]
Subject:        RE: Windows 2k Advanced Server Hardening

Let's back up, the Win2k Advanced Server is what the organization chose
to deploy everywhere.

/mark

At 03:24 PM 9/15/00 -0500, Noonan, Wesley wrote:
>Because in your original email, you asked what could be done to allow users
>to log on, but nothing else. As you have fleshed this out (kind of), I see
>nothing that you are doing that requires Microsoft authentication per se,
>and certainly nothing that needs a domain controller. A domain controller is
>going to generate more traffic and more overhead than if you just run the
>box off a workgroup environment. Also, if you aren't going to support domain
>functions, why implement a domain controller, and all of its extraneous
>services that you have already stated you want to prevent? KISS. That is my
>reasoning.
>
>Regardless of what you do though, I don't feel like we are getting enough
>information from you to make more than half-informed recommendations. I
>still don't understand what traffic you want to prevent, and what traffic
>you want to permit.
>
>Wes Noonan, MCP+I/MCSE/MCT/CCNA/NNCSS
>Senior QA Rep
>(713) 918-2412
>BMC Software, Inc.
>[EMAIL PROTECTED]
>http://www.bmc.com
>
>  -----Original Message-----
>From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>Sent:   Friday, September 15, 2000 15:11
>To:     Noonan, Wesley; [EMAIL PROTECTED]
>Cc:     [EMAIL PROTECTED]
>Subject:        RE: Windows 2k Advanced Server Hardening
>
>Why not make it a PDC ??
>
>/mark
>
>At 03:06 PM 9/15/00 -0500, Noonan, Wesley wrote:
> >Why make it a domain controller then? Also, what would the need be for
> >Microsoft authentication on it? Can you choose another authentication
> >scheme? If so, you will find it much easier to harden.
> >
> >Another option though, that sounds better to me, would be to put it behind a
> >firewall and either VPN and/or terminal serve into it. This should go a long
> >way towards keeping the unwanted visitor out.
> >
> >Good luck!!
> >
> >Wes Noonan, MCP+I/MCSE/MCT/CCNA/NNCSS
> >Senior QA Rep
> >(713) 918-2412
> >BMC Software, Inc.
> >[EMAIL PROTECTED]
> >http://www.bmc.com
> >
> >  -----Original Message-----
> >From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> >Sent:   Friday, September 15, 2000 14:56
> >To:     [EMAIL PROTECTED]
> >Cc:     [EMAIL PROTECTED]
> >Subject:        RE: Windows 2k Advanced Server Hardening
> >
> >Actually the Win 2k Advanced Server would be used for collaborative
> >engineering over the WWW.  Custom development tools or source
> >check-in/check-out similar to a couple of small start-ups in the valley
> >here.
> >
> >/m
> >
> >At 12:45 PM 9/15/00 -0600, ROTTENBERG,HAL (HP-USA,ex1) wrote:
> > >You didn't plan to expose your PDC to the Internet---I hope.  That's my
> > >first recommendation.
> > >
> > >Assuming that's the case, then many of the suggestions you would find on
> > >this list wouldn't be applicable.
> >
> >-
> >[To unsubscribe, send mail to [EMAIL PROTECTED] with
> >"unsubscribe firewalls" in the body of the message.]