The logic is you shouldn't be running anything else on your DC.

That statement is nebulous. If I compromise WINS and run arbitrary code, I can 
own your AD. If I compromise DNS and run arbitrary code, I can own your AD. 
Anything that runs in the context of SYSTEM or NETWORK SERVICE on an RWDC 
pretty much has unfettered access to AD. By the logic below you shouldn't run 
DNS or WINS on DCs. If you want to give up AD integrated DNS, go for it...

Thanks,
Brian Desmond
[email protected]

c - 312.731.3132

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian
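As an added example (not code from any poster in this thread), the following PowerShell audit turns Brian's point into a check a defender can run: for every writable DC it reports whether the DHCP or WINS role is installed and which running services outside the Windows directory execute as SYSTEM or NETWORK SERVICE, i.e. code that would effectively hold the whole directory if compromised. It assumes the RSAT ActiveDirectory and ServerManager modules are present and that CIM remoting to each DC is allowed; the "outside \Windows\" path test is a heuristic for third-party services, not a definitive classification.

```powershell
# Added audit script, not from the thread. Assumes RSAT (ActiveDirectory and
# ServerManager modules) and that WinRM/CIM remoting to each DC is permitted.
Import-Module ActiveDirectory
Import-Module ServerManager

# Service identities that, on a writable DC, are as good as Domain Admin.
$PrivilegedAccounts = @(
    'LocalSystem',
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\NetworkService',
    'NT AUTHORITY\NETWORK SERVICE'
)

# Writable DCs only: an RODC holds no writable copy of the directory.
$dcs = Get-ADDomainController -Filter { IsReadOnly -eq $false }

foreach ($dc in $dcs) {
    $name = $dc.HostName

    # Roles the thread argues do not belong on a DC.
    $roles = Get-WindowsFeature -ComputerName $name -Name DHCP, WINS |
             Where-Object { $_.Installed } |
             Select-Object -ExpandProperty Name

    # Running services in a DC-privileged context whose binary lives outside
    # the Windows directory (heuristic for third-party additions that widen
    # the attack surface; false negatives are possible).
    $extras = Get-CimInstance -ClassName Win32_Service -ComputerName $name |
        Where-Object {
            $_.State -eq 'Running' -and
            $PrivilegedAccounts -contains $_.StartName -and
            $_.PathName -notlike '*\Windows\*'
        } |
        Select-Object Name, StartName, PathName

    # One row per DC; an empty ExtraRoles/PrivilegedServices is the goal state.
    [pscustomobject]@{
        DomainController   = $name
        ExtraRoles         = ($roles -join ', ')
        PrivilegedServices = (($extras | ForEach-Object {
                                  "$($_.Name) [$($_.StartName)] $($_.PathName)"
                              }) -join '; ')
    }
}
```

Pipe the output to Format-Table -AutoSize or Export-Csv to keep a baseline; a new entry in PrivilegedServices on a DC is worth the same scrutiny as a new member of Domain Admins.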

From: John Hornbuckle [mailto:[email protected]]
Sent: Friday, April 24, 2009 11:13 AM
To: NT System Admin Issues
Subject: RE: Server OS opinion

I may be missing something, but that article didn't convince me.

It says: "...[I]f you're running your DHCP server on a domain controller then 
an attacker who compromises your DHCP server gains access to your accounts 
database and can cause all sorts of further problems."

That's true, but that's a big "if." Is this something that's known to happen on 
a regular enough basis to be a concern? Or is the logic that the attack surface 
of a DC should be minimized by running absolutely nothing else on it?
John Hornbuckle
MIS Department
Taylor County School District
318 North Clark Street
Perry, FL 32347

www.taylor.k12.fl.us

From: David Lum [mailto:[email protected]]
Sent: Friday, April 24, 2009 11:38 AM
To: NT System Admin Issues
Subject: RE: Server OS opinion

Security.

http://www.windowsecurity.com/articles/DHCP-Security-Part1.html

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

-----Original Message-----
From: Andy Ognenoff [mailto:[email protected]]
Sent: Friday, April 24, 2009 8:33 AM
To: NT System Admin Issues
Subject: RE: Server OS opinion

What's the reasoning for no DHCP on a DC - besides the extra stuff you need
to do to make DNS updates work correctly?

We're a very small shop with only 1 domain/2 DCs and I'm implementing DHCP
soon - again, migrating from Netware.

 - Andy O.
________________________________________
From: Ziots, Edward [mailto:[email protected]]
Sent: Thursday, April 23, 2009 3:52 AM
To: NT System Admin Issues
Subject: RE: Server OS opinion

1) Full Install, with minimal roles, unless core will do it for me and not
be an admin headache.
2) Enterprise Edition X64 for E2k7 in a 4 node cluster GEO-Cluster for FT
and HA.
3) Domain Controller, not with DHCP; put that role on a separate, protected
server (Standard Edition).
4) File server, Standard edition, implement file blocking, quotas, and ABE.
5) Always take a minimalist approach, still like gui tools, but if you can
do all the stuff from the cmdline or via POSH then you GTG.

Z

Edward Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP+I, ME, CCA, Security+, Network+
[email protected]
Phone: 401-639-3505
________________________________________
From: Ken Schaefer [mailto:[email protected]]
Sent: Wednesday, April 22, 2009 8:39 PM
To: NT System Admin Issues
Subject: RE: Server OS opinion

Until Server 2008 R2, there is no .NET Framework with Server Core, so
anything that relies on .NET (e.g. Exchange) isn't going to work.

Administration via GUI can be done remotely (though I suppose sometimes you
have to do things at the console), so not having a GUI isn't a big -ve in my
opinion. I would add your Hyper-V hosts to a domain to make it easier to
manage remotely.

Cheers
Ken

________________________________________
From: Glen Johnson [[email protected]]
Sent: Wednesday, 22 April 2009 10:14 PM
To: NT System Admin Issues
Subject: Server OS opinion

What flavor of Server 08 would you choose for these servers?
Core or full install.
Exchange 07
Domain controller with DHCP.
File server for user home directories.
In your opinion, does the reduced attack surface and fewer patches outweigh
the convenience of having the GUI tools and such installed?
I've also got a couple of Hyper-V hosts and unless someone can convince me
otherwise, Core will go on them.
Any advice or horror stories appreciated.


Glen Johnson
LAN Admin
Virginia Highlands Community College
PO Box 828, Abingdon, VA 24212
phone: (276)739-2467 fax: (276)739-2590
www.vhcc.edu

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~