RE: [ActiveDir] Agents on Domain Controllers
I think we're all circling around the idea that while it's not wrong by definition, it's certainly a sensitive part of the infrastructure, so handle with care.

A good approach is to ask yourself: do I need this particular piece of software on a DC at all?

AV was raised as an example. If none of the infection vectors is present (shared filesystems, executing code that came from another box, running Office or Outlook, etc.), then perhaps you don't need an AV package on the DC at all?

Conversely, the software might be doing something that is specific to the function of the DC (e.g., a password filter DLL to intercept password changes, and trigger PW policy enforcement or PW synchronization). In a case like that, placing the software on the DC is inevitable, so the response should be to 'test, test, test.' :-)

--
Idan Shoham
Chief Technology Officer
M-Tech Information Technology, Inc.
[EMAIL PROTECTED]
http://mtechIT.com

On Fri, 25 Aug 2006, Akomolafe, Deji wrote:
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Agents on Domain Controllers
Filter agents in general scare me as well, especially since they insert hooks into very sensitive bits of the system. As one of my good MSFT friends said, he hasn't yet seen a well written password filter. They may exist; I won't even say mine that I have written qualify. There is huge potential for issue with them as I have discussed on this list in the past, but if you feel you understand your risks and you don't have another answer, that is something you decide to do on your own. No one else can make that decision for you.

Yes these may be near perfect world dreams, but even if I don't think I can attain it, I push for perfect world. When I do ops, things tend to run well and when they don't I tend to have a good idea of what could be wrong because I make sure there are few who can cause problems and I try hard to understand the weaknesses in the environments I run/support. Once you start opening up who can dork with your systems without your input you never know where you get bit from, you just get to react. A react based environment around DCs is not the proper way to handle them.

"But joe... How do you monitor? You can't monitor a system without putting agents on."

Yes you can. Certainly some aspects are easier with agents but it doesn't mean it can't be done without them. Plus I have seen systems where the agents seem to think things are fine yet the services that the box serves aren't working for the people trying to use them. I am a strong proponent of outside monitoring or user service testing. When I run environments, I always have a couple of machines running monitoring that test the actual services themselves from outside of the box to make sure they are running and performing properly.

BTW, this goes for Cert servers as well as any server doing high level security functions for more than itself.
joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, August 26, 2006 11:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Agents on Domain Controllers
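The outside-in monitoring joe describes, as an added example that is not code from the original post: a PowerShell probe run from a separate monitoring host that discovers the DCs through the domain's SRV records, checks the ports clients depend on, asks each DC's DNS for an answer and performs a real LDAP bind to its RootDSE. The domain name is a placeholder, and the monitoring box is assumed to be domain-joined with a low-privilege account.

```powershell
# Added example (not from the original thread): probe DC services from a
# monitoring host rather than from an agent on the DC. Assumes the monitoring
# box can resolve the domain and reach the DCs; $Domain is a placeholder.
param(
    [string]$Domain = 'corp.example.com'
)

# Discover DCs the way clients do: via the _ldap._tcp.dc._msdcs SRV records.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } |
       Select-Object -ExpandProperty NameTarget | Sort-Object -Unique
if (-not $dcs) { throw "No DC SRV records found for $Domain" }

# Ports clients need from a DC; a closed port here is a user-visible outage.
$ports = [ordered]@{ DNS = 53; Kerberos = 88; LDAP = 389; LDAPS = 636; SMB = 445 }

foreach ($dc in $dcs) {
    $result = [ordered]@{ DC = $dc }
    foreach ($name in $ports.Keys) {
        $tcp = Test-NetConnection -ComputerName $dc -Port $ports[$name] -WarningAction SilentlyContinue
        $result[$name] = $tcp.TcpTestSucceeded
    }

    # An open port is not a working service: ask this DC's own DNS for the
    # domain's A records, then bind to its RootDSE over LDAP as a client would.
    try {
        $a = Resolve-DnsName -Name $Domain -Type A -Server $dc -ErrorAction Stop
        $result['DnsAnswers'] = @($a | Where-Object { $_.Type -eq 'A' }).Count -gt 0
    } catch { $result['DnsAnswers'] = $false }

    try {
        $root = [ADSI]"LDAP://$dc/RootDSE"
        $root.psbase.RefreshCache()      # forces the bind; throws if the DC does not answer
        $result['LdapBind'] = $true
        $result['IsGC'] = [string]$root.psbase.Properties['isGlobalCatalogReady'].Value -eq 'TRUE'
    } catch {
        $result['LdapBind'] = $false
        $result['IsGC']     = $false
    }

    # One row per DC; any $false in the row is something the agents on the box
    # would not necessarily have told you about.
    $result['Healthy'] = -not ($result.Values -contains $false)
    [pscustomobject]$result
}
```

Run it on a schedule from the monitoring machines and alert on any row where Healthy is false; because the probe uses only client-side protocols, nothing needs to be installed on the DC.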
[ActiveDir] Agents on Domain Controllers
Is it just me or does it seem like everyone wants to put an agent or 5 on Domain Controllers these days. Anyone know of any agents to steer clear of (besides all of them)?
RE: [ActiveDir] Agents on Domain Controllers
Depends on what the agent is supposed to be doing, whether or not it's been proven stable or crappy, and whether or not your administrative/security philosophy allows such agent to be deployed on DCs. AFAIK, there is no credible reason to mandate a blanket no-agent-on-DC security or operational posture.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED]
Sent: Fri 8/25/2006 10:55 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Agents on Domain Controllers
Re: [ActiveDir] Agents on Domain Controllers
I see your point but unfortunately it doesn't seem so practical these days. For example any AV software you use these days will have an agent to get updates. Any software distribution mechanism and hardware health checking software, enterprise management software all require agents.

The thing is we have to ensure we give sufficient rights for each one and ensure if compromised it doesn't have sufficient rights to have elevated rights and access to AD or any other domain resource/server. I am reading the service account security planning guide at the moment http://www.microsoft.com/technet/security/topics/serversecurity/serviceaccount/default.mspx . There is some good stuff here we can use for least privilege.

It's tricky and takes time. It just takes time to ensure every vendor and every product finally supports it. Until that time comes we can only do our best.

M@

On 8/25/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:
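One way to apply the least-privilege point above to agents that are already deployed, as an added example that is not code from the original post: a PowerShell audit that lists the add-on services on every DC and flags those whose logon account is LocalSystem or a recursive member of a privileged group. It assumes RSAT's ActiveDirectory module and CIM (WinRM) access to the DCs; the group list and the "binary outside the Windows directory" filter are assumed heuristics.

```powershell
# Added example (not from the original thread): find agent services on DCs that
# run with more privilege than a data-collection agent should need.
# Assumes RSAT's ActiveDirectory module and CIM (WinRM) access to each DC.
Import-Module ActiveDirectory

# Accounts in these groups can already change AD; an agent compromised while
# running as one of them inherits that. The group list is an assumption.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators',
                    'Account Operators', 'Server Operators', 'Backup Operators'
$privilegedMembers = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty SamAccountName
}
$privilegedMembers = @($privilegedMembers | Sort-Object -Unique)

function Test-PrivilegedLogon {
    # $LogonAccount is Win32_Service.StartName: 'LocalSystem', 'NT AUTHORITY\...',
    # 'DOMAIN\user', 'user@domain.tld' or 'DOMAIN\gmsa$'.
    param([string]$LogonAccount)
    if ($LogonAccount -eq 'LocalSystem') { return $true }     # full control of the DC
    if ($LogonAccount -like 'NT AUTHORITY\*' -or $LogonAccount -like 'NT SERVICE\*') {
        return $false                                        # LocalService, NetworkService, virtual accounts
    }
    $sam = if ($LogonAccount -match '\\') { ($LogonAccount -split '\\')[-1] } else { ($LogonAccount -split '@')[0] }
    return ($privilegedMembers -contains $sam)
}

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
# Heuristic: services whose binary lives outside the Windows directory are the
# add-on agents this thread is about; built-in services are left out.
$report = foreach ($dc in $dcs) {
    Get-CimInstance -ClassName Win32_Service -ComputerName $dc |
        Where-Object { $_.PathName -and $_.PathName -notmatch '\\Windows\\' } |
        ForEach-Object {
            [pscustomobject]@{
                DC         = $dc
                Service    = $_.Name
                LogonAs    = $_.StartName
                StartMode  = $_.StartMode
                Binary     = $_.PathName
                Privileged = Test-PrivilegedLogon $_.StartName
            }
        }
}
$report | Sort-Object Privileged -Descending | Format-Table -AutoSize
```

Every row with Privileged set to True is a candidate for a dedicated service account with only the rights the agent actually uses; re-run the audit after each agent rollout.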
RE: [ActiveDir] Agents on Domain Controllers
You seem to think I disagree with you, whereas we are both saying the same thing.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Matheesha Weerasinghe
Sent: Fri 8/25/2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Agents on Domain Controllers
Re: [ActiveDir] Agents on Domain Controllers
Somehow I read that and got an entirely different meaning. It may be due to the mood I am in right now. Then again a quick look at some of joe's blog comments will show how often I misread things. Hmm... Sorry Deji.

M@

On 8/25/06, Akomolafe, Deji [EMAIL PROTECTED] wrote: