You don't want to make it a PDC, or whatever for W2k because then if the
system is compromised, then a hacker would in theory have access to your
user database.  For similar reasons you frequently will not make servers in
your DMZ a member of your global domains.  You separate them with limited or
no trust relationships so that if someone does, for instance, gain
administrator privs on a webserver, they are not then able to gain Domain
Admin access.

And then the other reason, as Wesley said--why bother?  Keep It Simple.

Hal Rottenberg             | Hewlett-Packard
Technical Support Engineer | Phone: +1-404-774-4041
Internet Security Division | Email: [EMAIL PROTECTED]

Web: http://www.hp.com/security

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Friday, September 15, 2000 4:11 PM
> To: Noonan, Wesley; [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: Windows 2k Advanced Server Hardening
> 
> 
> Why not make it a PDC ??
> 
> /mark
> 
> At 03:06 PM 9/15/00 -0500, Noonan, Wesley wrote:
> >Why make it a domain controller then? Also, what would the need be for
> >Microsoft authentication on it? Can you choose another authentication
> >scheme? If so, you will find it much easier to harden.
> >
> >Another option though, that sounds better to me, would be to put it behind a
> >firewall and either VPN and/or terminal serve into it. This should go a long
> >way towards keeping the unwanted visitor out.
> >
> >Good luck!!
> >
> >Wes Noonan, MCP+I/MCSE/MCT/CCNA/NNCSS
> >Senior QA Rep
> >(713) 918-2412
> >BMC Software, Inc.
> >[EMAIL PROTECTED]
> >http://www.bmc.com
> >
> >  -----Original Message-----
> >From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> >Sent:   Friday, September 15, 2000 14:56
> >To:     [EMAIL PROTECTED]
> >Cc:     [EMAIL PROTECTED]
> >Subject:        RE: Windows 2k Advanced Server Hardening
> >
> >Actually the Win 2k Advanced Server would be used for collaborative
> >engineering over the WWW.  Custom development tools or source
> >check-in/check-out similar to a couple of small start-ups in the valley
> >here.
> >
> >/m
> >
> >At 12:45 PM 9/15/00 -0600, ROTTENBERG,HAL (HP-USA,ex1) wrote:
> > >You didn't plan to expose your PDC to the Internet---I hope.  That's my
> > >first recommendation.
> > >
> > >Assuming that's the case, then many of the suggestions you would find on
> > >this list wouldn't be applicable.
> >
> >-
> >[To unsubscribe, send mail to [EMAIL PROTECTED] with
> >"unsubscribe firewalls" in the body of the message.]
> 