We agree on security as a journey.  We seem to disagree about putting an application on a DC.  Exchange especially.  Will it work? Yes. But the tradeoffs in that situation can be distasteful from an operational and security point of view if security, flexibility, scalability, and availability are of any concern whatsoever.
 
I have no issues with SBS.  I'm thankfully able to avoid that product line in most of my dealings to date. My issue has more to do with the applications and intended purpose of the functions deployed when you try to put them all on the same box.  If those applications were meant to be together, then Microsoft would have built them with that in mind.  Until then, I'll continue to be leery of them working together.
 
 
-ajm
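An added example, not code from anyone in this thread, that audits a domain's DCs for exactly the mix argued against above: it lists every DC from AD, checks free space on the volume holding the AD database, and reports any file, print, FTP, web or Exchange role running alongside it. It assumes the ActiveDirectory and ServerManager modules, WinRM access to each DC, and a 5 GB free-space threshold chosen only for illustration.

```powershell
# Added audit script (not from this thread). Flags DCs that also carry
# non-DC roles and DCs low on disk, the two risks discussed above.
# Assumes: ActiveDirectory + ServerManager modules, WinRM to every DC.
#Requires -Modules ActiveDirectory

# Roles and services the thread says do not belong on a DC (assumed list).
$nonDcFeatures = @('Web-Ftp-Server', 'Web-Server', 'Print-Server', 'FS-FileServer')
$nonDcServices = @('MSExchangeIS', 'MSExchangeTransport', 'ftpsvc', 'W3SVC', 'Spooler')
$minFreeGB     = 5   # illustrative threshold, tune for your environment

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop `
            -ArgumentList $nonDcFeatures, $nonDcServices -ScriptBlock {
            param($features, $services)
            # Volume holding ntds.dit: if another app fills it, the DC stops.
            $ntds  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
            $drive = Split-Path -Qualifier $ntds
            $disk  = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'"
            [pscustomobject]@{
                Computer      = $env:COMPUTERNAME
                NtdsVolume    = $drive
                FreeGB        = [math]::Round($disk.FreeSpace / 1GB, 1)
                ExtraFeatures = (Get-WindowsFeature -Name $features | Where-Object Installed).Name -join ','
                ExtraServices = (Get-Service -Name $services -ErrorAction SilentlyContinue |
                                 Where-Object Status -eq 'Running').Name -join ','
            }
        }
    } catch {
        # A DC object that cannot be reached is itself a finding: it may be a
        # stale entry left behind by a decommissioned box, as in this thread.
        [pscustomobject]@{ Computer = $dc.HostName; NtdsVolume = 'unreachable'
                           FreeGB = $null; ExtraFeatures = $_.Exception.Message; ExtraServices = '' }
    }
}

# Show only DCs that need attention: extra roles, low disk, or unreachable.
$report |
    Where-Object { $_.ExtraFeatures -or $_.ExtraServices -or $_.FreeGB -lt $minFreeGB } |
    Format-Table -AutoSize
```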

 
On 10/7/06, Matt Hargraves <[EMAIL PROTECTED]> wrote:
Security a goal?  It's more of a journey where the destination is "we didn't get hacked this week (month/year)"

BTW, I wasn't saying that it's the worst idea ever to put e-mail on a DC (if it's a GC it will save you the journey for authentication), but in an organization where you have 2+ sites (and probably more than 500 users), I would tend to recommend putting Exchange on a separate server.

I know that SBS isn't the *worst* tool ever (well... if you used it back in 1997 - which I did - it was), in fact, I've set up my sister/brother-in-law's network with an SBS box.  Of course, they don't have 500+ users, they have 4.  It's a matter of scale I guess.



On 10/6/06, Al Mulnick <[EMAIL PROTECTED]> wrote:
Hmm... I'm becoming more and more convinced that security on any platform is more of a goal than a destination anyway :)
 
Putting other apps on a server that is designed to be a security server is not best practice on any platform, SBS or not. SBS exists because it makes more economic sense than mom's 75 person company buying one server per person to run Microsoft software. It's still a Frankenstein in my opinion.  I have a slanted view of course, but I also know some of what goes on to make those apps magically work on the same machine.  Security is not my concern in that arena. 
 
Availability also comes to mind as something that's at risk if you mix applications with your authentication services. Sadly, I saw this just the other day when a DC that's also a file/print server <sigh> crashed due to lack of disk space.  Somebody got those pictures down before I got to it darn it.  I bet they were some good ones ;)
 
Steve, I suggested the other tools because you need an accurate and up to date picture of what's going on.  Sites and Services is not going to give you what you need in this case. Use ADUC and use the other tools I mentioned. 
 
Oh, and don't worry about those on *this* list when it comes to sending your company's private information: we're mostly honest.  Those that troll the groups with goog^^^^MSN Search on the other hand might be less trustworthy. 
 
If you feel you'd like a second set of eyes, I'm happy to help. You can send to me directly and I'll respond directly as well. If you don't trust me, please give Microsoft support a call else find somebody who's more familiar with AD and your situation that can give you that second set of eyes. You're not screwed yet based on the information you've presented.  That could change though....
 
Al 
 


 
On 10/6/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] < [EMAIL PROTECTED]> wrote:
Granted external FTP isn't one that SBSers recommend either and we're
freaking out going WHAT ARE YOU THINKING? as well.
As we say down here.... we don't get hacked... we get stupid.



Tim Vander Kooi wrote:
> It's not speed or resources that scare most of us when it comes to
> sharing DC space with other apps, it's security. With SBS Microsoft has
> (at least in theory) covered most of those security bases for the admin.
> The last time I allowed another admin to install FTP on a server he
> inadvertently put no security on it whatsoever and the company I was
> with at the time ended up serving up 200 GB of German p0rn. He had lots
> of fun explaining why our new server had crashed due to lack of
> diskspace.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto: [EMAIL PROTECTED]] On Behalf Of Steve Egan
> (Temp)
> Sent: Friday, October 06, 2006 6:40 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Major screwup on AD for my company - Can't
> install AD on remote server now
>
> Well, the servers running the DC, mail, PDC, etc. are quad-processor
> SuperMicros, so they aren't even sweatin' hard.  I'm watching them,
> they're golden.  (Thanks, Susan - we think alike.)
>
> (Ahem... don't look now, but we already have 8 IBM e-Business servers
> (quad xeon) and are getting more.  Don' neeeeeeed no steeeeeeenkin'
> SBS's!  ;P )
>
> (Let me just unequivocally state right here that SAP is a 10,000lb
> gorilla...)
>
> Steve Egan
> Purcell Systems
> System/Network Administrator
> desk 509 755-0341 x110
> cell 509 475-7682
> fax 509 755-0345
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto: [EMAIL PROTECTED]] On Behalf Of Susan Bradley,
> CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Friday, October 06, 2006 3:55 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Major screwup on AD for my company - Can't
> install AD on remote server now
>
> Yeah next they'll be SBS servers being installed there.
>
> (For some of us having our DCs do other things doesn't freak us out as
> much as it does you big serverland guys)
>
> Matt Hargraves wrote:
>
>> I know you probably haven't been there very long, but what in the heck
>>
>
>
>> are they thinking, making DCs mail servers and FTP servers.  Might as
>> well load them up with web services next.
>>
>> BTW, you probably shouldn't be posting your infrastructure in a
>> message list.
>>
>>
>>
>> On 10/6/06, *Steve Egan (Temp)* < [EMAIL PROTECTED]
>> <mailto: [EMAIL PROTECTED]>> wrote:
>>
>>     Al, will do.  I tucked FTPSERVER under a desk and forgot about
>>     it.  Experience has taught me the hard way not to be in a rush to
>>     tear down machines and cannibalize the parts until you are SURE
>>     it's okay to loot the corpse.  Nevermind the smell...
>>
>>
>>
>>     AD and DNS is working as well as can be expected with a
>>     thumb-fingered choom hacking away at it!  FTPSERVER **was** a DC,
>>     I think, but I'll fire up the box (OFF of the wire!) and start
>>     looking at it.
>>
>>
>>
>>     Here's what I see for the domain:
>>
>>
>>
>>     How the *&^($(*^ is Sweden in there??  It's NOT an AD server, it
>>     refuses to become one...  This entry is from an OLD Sweden server
>>     entry - notice how the guy before me spelled Swe(den).
>>
>>
>>
>>     "IF it ain't broke, don't break it!".  Maybe I should just quit
>>     screwing with it - for now...
>>
>>
>>
>>     I'll keep plugging away at it, I guess.
>>
>>
>>
>>     Steve Egan
>>
>>     Purcell Systems
>>
>>     System/Network Administrator
>>
>>     desk 509 755-0341 x110
>>
>>     cell 509 475-7682
>>
>>     fax 509 755-0345
>>
>>
>>
> ------------------------------------------------------------------------
>
>>     *From:* [EMAIL PROTECTED]
>>     <mailto: [EMAIL PROTECTED]> [mailto:
>>     [EMAIL PROTECTED]
>>     <mailto: [EMAIL PROTECTED] >] *On Behalf Of *Al
>>
> Mulnick
>
>>     *Sent:* Friday, October 06, 2006 1:30 PM
>>
>>     *To:* ActiveDir@mail.activedir.org
>>     <mailto: ActiveDir@mail.activedir.org>
>>     *Subject:* Re: [ActiveDir] Major screwup on AD for my company -
>>     Can't install AD on remote server now
>>
> <SNIP>
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
>
>
>

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs
