More than a domain controller

"Frank" <Fr***@discussions.microsoft.com> wrote in message news:BCF44B3D-B854-471F-8149-B7A2E444DF16@microsoft.com...

Does anyone run any applications on their domain controller(s) or are you using the server(s) strictly for authentication, DNS, DHCP, etc?

Thanks

"Ned Gnichtel" <ma***@ntpower.com> wrote in message news:noXye.299$IU1.292@fe11.lga...

As a general rule I would never use a DC for applications. The primary reason being that if the application is compromised and is running with local system or an administrator account (very common for applications), you have just been compromised across the entire domain, including all resources, applications and security principals in said domain. Additionally, if the intruder is capable enough, he could potentially execute a domain trust attack and then it's the whole forest that is at risk (and any domains/forests that have trusts with SID filtering disabled).

Just not a good idea, IMHO. DCs should only run services associated with the role of a DC. These include: DHCP, DNS, WINS and NTFRS/DFS. Anything else, including SQL, Exchange and 3rd party applications, should run on member servers.

-Ned

"Hank Arnold" <rasi***@aol.com> wrote in message news:eodTI2sgFHA.3256@TK2MSFTNGP12.phx.gbl...

Hear...hear!!

Also "best practices" mandates more than one DC....

--
Regards,
Hank Arnold

"Ned Gnichtel" <ma***@ntpower.com> wrote:

Good point. One many, for some reason, seem to forget.

-Ned
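The checks behind the two points made in this thread (Ned's: nothing but role services, and nothing non-role running as SYSTEM, on a DC; Hank's: more than one DC), as an added PowerShell audit script that is not from the original posts. It assumes an elevated session on the DC itself with the RSAT ActiveDirectory module available; the role-service allowlist, the "binary outside %SystemRoot%" heuristic for third-party software, and the trustAttributes bit values (taken from MS-ADTS) are my own choices, not anything the thread specifies.

```powershell
# Added example, not code from the original thread. Assumes an elevated PowerShell
# session on the DC with the RSAT ActiveDirectory module installed. The allowlist
# below and the %SystemRoot% heuristic are my own, not from the thread.
#Requires -Modules ActiveDirectory

# 1. Confirm we are actually on a DC.
#    Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.DomainRole -notin 4, 5) {
    Write-Warning "$($cs.Name) is not a domain controller (DomainRole=$($cs.DomainRole))"
}

# 2. Running services that are neither part of the DC/infrastructure roles named
#    in the thread (AD DS, Kerberos, Netlogon, DNS, DHCP, WINS, FRS/DFS-R) nor
#    shipped under %SystemRoot%. Anything left is an application living on the DC.
$roleServices = @(
    'NTDS', 'Kdc', 'Netlogon', 'ADWS', 'IsmServ', 'W32Time',
    'DNS', 'DHCPServer', 'WINS', 'NtFrs', 'DFSR', 'DFS',
    'LanmanServer', 'LanmanWorkstation'
)
$systemAccounts = @('LocalSystem', 'NT AUTHORITY\SYSTEM')

$nonRole = Get-CimInstance -ClassName Win32_Service | Where-Object {
    $_.State -eq 'Running' -and
    $_.Name -notin $roleServices -and
    $_.PathName -notlike "*$env:SystemRoot\*"   # third-party binaries live elsewhere
}

foreach ($svc in $nonRole) {
    # A non-role service running as SYSTEM on a DC is exactly Ned's scenario:
    # compromise of that process is compromise of the whole domain.
    $risk = if ($svc.StartName -in $systemAccounts) { 'runs as SYSTEM on a DC' }
            elseif ($svc.StartName -like 'NT AUTHORITY\*') { 'built-in service account' }
            else { 'runs as a named account; check its group membership' }
    Write-Output ('{0,-28} {1,-32} {2}' -f $svc.Name, $svc.StartName, $risk)
}

# 3. Trusts: is SID filtering in force? Decode trustAttributes bits (MS-ADTS).
#    Intra-forest trusts are skipped: the forest is the boundary and SID filtering
#    cannot protect one domain of a forest from another, which is Ned's point.
$QUARANTINED_DOMAIN = 0x4    # external trust with SID filtering (netdom /quarantine)
$FOREST_TRANSITIVE  = 0x8    # forest trust; SID filtering is on by default
$TREAT_AS_EXTERNAL  = 0x40   # forest trust with SID history enabled = filtering relaxed

Get-ADTrust -Filter * | Where-Object { -not $_.IntraForest } | ForEach-Object {
    $attr     = [int]$_.TrustAttributes
    $isForest = ($attr -band $FOREST_TRANSITIVE) -ne 0
    $filtered = if ($isForest) { ($attr -band $TREAT_AS_EXTERNAL) -eq 0 }
                else           { ($attr -band $QUARANTINED_DOMAIN) -ne 0 }
    if (-not $filtered) {
        Write-Warning ('Trust {0} ({1}): SID filtering disabled; sidHistory from that side is honoured' -f $_.Name, $_.Direction)
    }
}

# 4. Hank's point: a single DC is a single point of failure for the whole domain.
$dcs = @(Get-ADDomainController -Filter *)
if ($dcs.Count -lt 2) {
    Write-Warning "Only $($dcs.Count) domain controller found in $($cs.Domain); best practice is at least two"
}
```

Services flagged in step 2 are the candidates to move to a member server; a "runs as SYSTEM on a DC" line is the case the thread warns about. Step 3 distinguishes external trusts (filtering must be switched on explicitly) from forest trusts (filtering is on unless someone enabled SID history with netdom /enablesidhistory), since the flag that matters differs between the two.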