RE: Domain Controller Best Practice - Thanks!
From: Frank Knobbe (frank knobbe.us)
Date: Sat Feb 26 2005 - 21:59:40 CST
On Thu, 2005-02-24 at 16:00 -0500, Murtland, Jerry wrote:
> I don't think I've heard anyone say that "you are not creating a real
> security risk by allowing your DC to also function as a file server". In
> fact you are. All user authentication is occurring on this system. User
> ID's and Passwords for your entire organization are stored here in the SAM
> file. I would consider this a substantial risk to any IT infrastructure.
But you wouldn't be sharing the "SAM file" now, would you?
Aside from availability/load issues, what security risks are really
present? You have a Domain Controller in your network. Network
authentication is possible/exposed one way or another. On the other
hand, you have a simple file server serving files via a share point. Why
can't the domain controller also be sharing files? (Again, focus on
security, not availability concerns. For this example, assume that host
has oodles of CPU power and bandwidth, and the share is located on a
separate drive from the AD data.)
Could you please outline some attack vectors that you would not have on
a layout using two servers (one for authentication and one for file
sharing)? Remember, we're talking access to file shares, not local logon
access.
Thanks in advance,
Frank