Re: Local admin in Domain Controller?
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Fri, 12 Jan 2007 01:02:16 -0500
In that specific case Microsoft deemed it "ok" for the small number of users that use the machines simultaneously and the fiscal fact that small companies weren't going to pay for multiple servers just to use Microsoft products so MSFT had to make a decision of whether to sell a product or push the security aspect. Guess which they chose. :)
On the positive side, not many companies who would run SBS are really that often what would be considered a high risk target. Most people aren't going after Bob's printing shop, not enough gain there and most likely the attacker if it is a structured attack would need to be local to be aware of what to go after. Automated attacks could go against them regardless of location and likely do and that is, quite frankly, a risk Microsoft is willing to take with small business users' environments in order to get them to buy Microsoft products.
In all honesty there aren't many DS experts who consider this ok in general because the AD is the root of security for a Microsoft network and often now the entire network through Kerberos (I have been in environments where all *nix/Mainframe machines were all kerberized and used AD). Every additional service/application running on a DC which exposes an interface is an additional attack vector that you have to worry about. This also goes for AV software, monitoring software, etc. I know of many UNIX admins who feel the same about UNIX machines that offer CA or KDC services.
Again back to SBS, that one DC *is* most likely in most cases your entire server infrastructure network so if you compromise the machine you compromised everything there likely was to compromise anyway.
You run SQL on a DC and one simple little compromise in SQL could give away the keys to your whole domain which is a small step to the keys to the enterprise... not that there have ever been any SQL Security holes.... I also know of one monitoring app that has an anonymous remote exploit hole currently, send the right packet sequence to the right port and voila, you do what you want as LocalSystem. DCs should be locked down to running a minimum of services. However, it is up to everyone to judge their own risks and the amount of compensation they are willing to put towards them, either in real money and tools or simply in compensating controls.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
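One way to act on the "minimum of services" point in the message above, as an added example that is not part of the thread: a PowerShell check, run locally on a DC, that lists listening TCP ports, maps each to its owning process and Windows services, and flags anything outside an assumed baseline of core DC roles. The baseline port list is an assumption about a typical DC and should be adjusted to the environment.

```powershell
# Added example (not from the thread). Baseline of ports a plain DC is expected
# to listen on; this list is an assumption, edit it for your environment.
$ExpectedPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
    3389 = 'RDP (admin access; confirm it is actually required)'
    5985 = 'WinRM (admin access; confirm it is actually required)'
    9389 = 'AD Web Services'
}

function Get-DcListenerReport {
    param([hashtable]$Baseline = $ExpectedPorts)
    Get-NetTCPConnection -State Listen |
        Sort-Object LocalPort -Unique |
        ForEach-Object {
            $port = [int]$_.LocalPort
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            # Services hosted in the owning process (svchost may carry several).
            $svc  = Get-CimInstance Win32_Service -Filter "ProcessId = $($_.OwningProcess)" |
                        Select-Object -ExpandProperty Name
            # Ports in the dynamic RPC range are legitimately used by AD itself,
            # so they are not flagged, but the owning service is still shown.
            $inBaseline = $Baseline.ContainsKey($port)
            $isDynamic  = $port -ge 49152
            [pscustomobject]@{
                Port     = $port
                Process  = $proc.ProcessName
                Services = ($svc -join ',')
                Expected = ($inBaseline -or $isDynamic)
                Role     = if ($inBaseline) { $Baseline[$port] }
                           elseif ($isDynamic) { 'RPC dynamic range; verify owning service' }
                           else { 'NOT IN BASELINE' }
            }
        }
}

$report = Get-DcListenerReport
$report | Sort-Object Expected, Port | Format-Table -AutoSize
$unexpected = @($report | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} listener(s) outside the DC baseline; each one is extra attack surface to justify, move off the DC, or remove." -f $unexpected.Count)
}
```

Anything reported as NOT IN BASELINE (a SQL instance, Exchange, a monitoring agent) is exactly the kind of extra interface the message warns about; the Services column tells you which installed component to remove or relocate.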
Jack Doyle wrote:
Paul,
I certainly wouldn't run SQL on a DC, and I wouldn't recommend running
Exchange on one either. However, Microsoft seems to think that it is
okay to run BOTH on the SAME DC (SBS). Of course, do as they say, not
as they do, right?
Anyways, he probably doesn't have much of a choice, as you said.
Jack Doyle, Systems Engineer
ScriptLogic Corporation
www.scriptlogic.com
Paul Williams [MVP] wrote:
Normally I'd state that you shouldn't be running SQL on a DC. You wouldn't
have this issue then. However, if you're a smaller shop then sometimes you
don't control this stuff so I won't say anything about that...