Re: Allow log on locally in Default Domain Controller Policy.



Personally I suggest not using FTP on a DC at all, because IIS, like IE,
is notorious for security holes... not to mention that it just wouldn't
be useful unless you're doubling up server duties for lack of cash...
but unfortunately it is necessary for the feature if somebody does make
that (poor) choice.

Rainman

zenner wrote:
> As noted by your explanation. If you are aware that you are circumventing
> accepted practices for a DC and are willing to accept the risk..that is your
> decision.
>
> My point is still valid, given accepted practice and for security...no user
> has a reason for local access to a DC. Even placing an FTP server on a DC,
> you can still set up your permission to avoid giving local logon access to
> normal users.
>
> If you feel it acceptable risk, it's your system, do as you feel is
> reasonable. I still suggest you research a better solution.
> "rainman" <news.76939@xxxxxxxxxxxxxxxxxxx> wrote in message
> news:pridnRuKYcT1KTTfRVn-jQ@xxxxxxxxxxxxxxxxxxxxxx
>
> There is one reason why a normal user needs logon locally permissions to
> the server: FTP via IIS. If the user needs FTP access to the server, you
> HAVE to give him local logon rights, just because that's the way IIS
> works.
>
> However, it is more likely the answer to this problem lies in my
> previous post in this thread...
>
> zenner wrote:
>
>>There is no reason that a normal user needs to logon to a Domain Controller.
>>Anything he needs should be accessed through an API. Files are accessed
>>through shares, printers through spooler, applications through whatever API
>>that the app provides. Only members of one of the Admin groups, by default,
>>are allowed Logon rights to a DC. Member servers are an entirely different
>>issue.
>
>>Are we talking about the same thing?
>
>>"zenner" <zenner@xxxxxxxxxxx> wrote in message
>>news:fnIpe.1581$Z44.602@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
>
>>>Is your DC also serving double duty as possibly a File or Printer server?
>
>>>Your System Administrator may have an explanation, if you are not the
>>>sysAdmin...then ask him or her (respectfully, if possible.) if they knew
>>>about it and/or intended to include domain users in the "logon locally"
>>>permission list, and if so...why?
>
>>>Asked in the right way you may get an explanation that is reasonable,
>>>given the circumstances of your company's environment.
>
>>>Even the best guidelines have exceptions...that's why they are called
>>>guidelines, instead of rules.
>>>"Rebsu" <Rebsu@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>>news:BD38617E-5A13-4A21-A5D1-A7EB4A732294@xxxxxxxxxxxxxxxx
>
>
>>>>I was looking over our group policy settings while studying for 70-292 and
>>>>noticed that the group Domain Users is included in the Allow log on locally
>>>>setting in the Default Domain Controller Policy. Is this ok or dangerous?
>>>>Is it necessary? DCs are 2003 standard.
>
>
>


