1. Don't log into servers to do daily work, learn how to do things with remote interfaces.
2. Do not run IE, OE, or pretty much any App interactively on servers.
3. Do not log into workstations with IDs that have admin rights on servers, use RUNAS or scripts that require you to specify the creds, etc. Even avoid fixed drive letters to DCs with admin creds, use UNCs if you want to use NET USE /USER.
4. Do not allow normal users to write to the file systems of a DC.
5. Keep DCs fully patched and do not run unnecessary services.

Quite honestly, you really shouldn't need to run AV software on DCs, there shouldn't be vectors for them to be infected. If they get infected, it usually means an Admin was careless - actually in every case of an infected DC I have investigated it has been an admin being careless.

Yes you can put all roles on one DC. In an empty root I would have done it already anyway and would have made all DCs in the empty root GCs most likely as well.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Devan Pala
Sent: Tuesday, March 29, 2005 12:51 PM
To: [email protected]
Subject: [ActiveDir] AD/ Virus outbreak

Hi,

I have 3 DC's in a protected root domain and 2 child domains. Unfortunately the 3 root DC's were not running a virus client, totally missed....anyway. Looks like it is using known Windows exploitability to drop files and what not. 2 of the 3 seem to be infected. (ones with the Schema Master & DNM and PDCE)

If I have to rebuild can I at least for the interim transfer the above roles on the 3rd DC (with the RIDM and IM)? GC is on 1 & 2 as well.

Thanks,

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
