Re: Running Tomcat on a webserver that is on a workgroup

2011-07-19 Thread André Warnier

Leo Donahue - PLANDEVX wrote:

André,


-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Subject: Re: Running Tomcat on a webserver that is on a workgroup

There is probably more to it than that.  

All they are going to do is join it to a workgroup.


I don't understand how Tomcat will be able to access resources from
our domain, and vice versa, unless I'm running Tomcat as a local
account, and that same local account is created on the other servers on the 
domain.


It all depends what you mean by resources.  It will still be able to access other hosts
via TCP (through the firewall, if the firewall allows it). But it will no longer be able
to access shares or Windows network printers e.g.

What kind of network resources does your webserver need ?


Windows shares. Otherwise the size of the vm that is my current web server needs to grow
in order to support access to certain files, mostly images (over 500 GB), or I add the
local account from the workgroup to the domain server containing the file share.




That, as far as I know, is not possible. Or let's say that it is at least self-defeating 
(or self-contradictory) : if you add that account to the DC, then it becomes a domain 
account, no ?
(And then of course the rightful question to ask would be what that changes, as compared 
to the current situation).


...




What is the security issue that this change is supposed to cure ?


Other than making administration more difficult, I was hoping someone could tell me.  
Tomcat runs with a least privilege account anyway.  Is this a feel good thing?

On the basis of the provided information, it can only give soothing feelings to someone who 
does not really know what they are doing.  Or someone who got some instructions from 
others who do not know what they are talking about (or don't care).  I'm thinking of some 
global diktat like no server that can be accessed from outside should be part of the 
domain, period.


Of course, you can always
- create a local account on the other fileserver which contains the files which you need 
to access
- give that local account permissions to access those files
- and then from your local Tomcat host, net mount that directory, providing the username 
and password of the local account on the fileserver.

(And of course vice-versa if other systems need to access resources on the 
Tomcat host).

But, other than the fact that this is not easy to do if your Tomcat runs as a service, it 
does indeed create a very confusing situation in terms of management, and more security 
holes to boot. (Like the fact that the password would need to be in clear somewhere).


Perhaps you should just wrap up these various considerations and questions and send a memo 
to the responsible people asking if that is really what they want ?


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
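
The local-account approach listed in the message above, as an added PowerShell example that is not part of the original thread. The account name `svc_tomcat_ro`, host name `FILESRV01`, share name `Images` and path `D:\Images` are hypothetical, and the share is assumed to exist already.

```powershell
# --- On the file server, in an elevated session ---
# Hypothetical names: svc_tomcat_ro, share "Images", folder D:\Images.
# Read-Host -AsSecureString keeps the password out of the command history.
$pw = Read-Host -AsSecureString "Password for svc_tomcat_ro"
New-LocalUser -Name "svc_tomcat_ro" -Password $pw `
    -PasswordNeverExpires -UserMayNotChangePassword `
    -Description "Read-only access for Tomcat host"

# NTFS permission: read and execute only, inherited by subfolders and files.
icacls "D:\Images" /grant "svc_tomcat_ro:(OI)(CI)RX"

# Share permission: read only, for that one account.
Grant-SmbShareAccess -Name "Images" -AccountName "svc_tomcat_ro" `
    -AccessRight Read -Force

# Check what the share now allows; look for broad entries such as
# Everyone that would make the dedicated account pointless.
Get-SmbShareAccess -Name "Images"

# --- On the workgroup Tomcat host ---
# The trailing * makes net use prompt for the password instead of
# taking it as a command-line argument.
net use \\FILESRV01\Images /user:FILESRV01\svc_tomcat_ro *

# This connection belongs to the logon session that ran the command.
# A Tomcat service runs in its own logon session and does not inherit it,
# which is the difficulty with services that the message mentions.
# List the connections visible to the current session:
net use
```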



Re: Running Tomcat on a webserver that is on a workgroup

2011-07-18 Thread André Warnier

Leo Donahue - PLANDEVX wrote:

I've been informed that our web server is going to be disjoined from the domain 
and placed on a workgroup.  Is this a trend?

There is probably more to it than that.  Perhaps your webserver is being moved to some 
demilitarised zone (DMZ) behind some kind of firewall, and since that firewall will 
probably block SMB/CIFS/NetBios kinds of communications, effectively indeed it will no 
longer be able to participate in a Domain.



I don't understand how Tomcat will be able to access resources from our domain, 
and vice versa, unless I'm running Tomcat as a local account, and that same 
local account is created on the other servers on the domain.

It all depends what you mean by resources.  It will still be able to access other hosts 
via TCP (through the firewall, if the firewall allows it). But it will no longer be able 
to access shares or windows network printers e.g.


What kind of network resources does your webserver need ?


It seems like I'm exploiting one security issue for another.


(trading).
What is the security issue that this change is supposed to cure ?





RE: Running Tomcat on a webserver that is on a workgroup

2011-07-18 Thread Leo Donahue - PLANDEVX
André,

-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Subject: Re: Running Tomcat on a webserver that is on a workgroup

 There is probably more to it than that.  
All they are going to do is join it to a workgroup.

 I don't understand how Tomcat will be able to access resources from
 our domain, and vice versa, unless I'm running Tomcat as a local
 account, and that same local account is created on the other servers on the 
 domain.

It all depends what you mean by resources.  It will still be able to access other hosts
via TCP (through the firewall, if the firewall allows it). But it will no longer be able
to access shares or Windows network printers e.g.

What kind of network resources does your webserver need ?

Windows shares. Otherwise the size of the vm that is my current web server 
needs to grow in order to support access to certain files, mostly images (over 
500 GB), or I add the local account from the workgroup to the domain server 
containing the file share.

 It seems like I'm exploiting one security issue for another.
(trading).

Yes, trading is a better word.

What is the security issue that this change is supposed to cure ?

Other than making administration more difficult, I was hoping someone could 
tell me.  Tomcat runs with a least privilege account anyway.  Is this a feel 
good thing?
