| Author | Messages | |
rmscheck
Posts:245
 | | 09/26/2009 5:04 AM |
| Hey folks,
I am trying to make a business case to limit the amount of "fluff" on our DCs.. We have many remote sites that unfortunately have limiting restraints on how many servers we can deploy etc. We basically have room for 1-2 servers (usually just 1) so what ends up happening is every service (DHCP, WINS, File/Print, IIS, WSUS downstream, SMS Distro point, etc) and third party app/svc ends up on the lone DC in the branch. I know for some this is a necessary evil, but there's got to be other ways (I'm toying with virtualizing..). Because we stack so many svcs on the DC, we end up having way too many Domain Admins, because for the most part, they need to be a DA in order to log on to DCs to admin all the rest of the services.
I'm curious to hear other people's experiences.. and perhaps some resources/links that speak to securing DCs by limiting this sort of use.
I'm from the camp that says the number of DAs should be very limited and things installed on a DC should be kept to a minimum but pundits argue that it's only best practice and not practical. Am I just overcompensating and paranoid?
Thanks for any help you can provide. Rand
| | | |
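An added example for the business case in the post above (my script, not something posted in the thread): it produces the two figures the argument rests on, how many accounts effectively hold Domain Admin-equivalent access once nested groups are expanded, and what each DC runs beyond the directory role. It assumes the ActiveDirectory and ServerManager PowerShell modules (RSAT or Server 2008 R2 and later), WMI and PowerShell remoting access to every DC, and read rights on the groups; the baseline service list is my assumption for illustration, not a Microsoft reference list. It changes nothing.

```powershell
# Added example, not from the thread. Read-only inventory for the "too many DAs,
# too much on the DC" business case.
Import-Module ActiveDirectory

function Get-PrivilegedAccounts {
    # -Recursive flattens nested groups; that is where surplus admins usually hide.
    $groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
    foreach ($g in $groups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                New-Object PSObject -Property @{ Group = $g; Account = $_.SamAccountName; DN = $_.DistinguishedName }
            }
    }
}

function Get-DcExtraWorkload {
    # Baseline service names are an assumption for illustration. Build your own from a
    # freshly promoted single-role DC; anything outside it is the "fluff" in question.
    # Note 'Dhcp' is the DHCP *client*; the DHCP server service is 'DHCPServer' and will show up.
    $baseline = 'NTDS', 'DNS', 'Kdc', 'Netlogon', 'DFSR', 'NtFrs', 'W32Time', 'EventLog',
                'RpcSs', 'LanmanServer', 'LanmanWorkstation', 'Dhcp', 'Dnscache', 'IsmServ'
    foreach ($dc in Get-ADDomainController -Filter *) {
        $extraSvc = Get-WmiObject Win32_Service -ComputerName $dc.HostName |
                    Where-Object { $_.State -eq 'Running' -and $baseline -notcontains $_.Name } |
                    ForEach-Object { $_.Name }
        # Installed roles show what was put on the box on purpose (DHCP, Web-Server, Print-Services...).
        $roles = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            Import-Module ServerManager
            Get-WindowsFeature | Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' } |
                ForEach-Object { $_.Name }
        }
        New-Object PSObject -Property @{
            DC             = $dc.HostName
            Site           = $dc.Site
            InstalledRoles = ($roles -join ', ')
            ExtraServices  = ($extraSvc -join ', ')
        }
    }
}

$priv = Get-PrivilegedAccounts
$priv | Sort-Object Group, Account | Format-Table Group, Account -AutoSize
'Distinct accounts with DC-level privilege: {0}' -f @($priv | Select-Object -ExpandProperty Account -Unique).Count
Get-DcExtraWorkload | Format-Table DC, Site, InstalledRoles, ExtraServices -AutoSize -Wrap
```

The second table is the one to put in front of management: every entry in InstalledRoles and ExtraServices is a reason somebody needs to log on to a DC, and on a writable DC a local logon with admin rights is a Domain Admin logon in everything but name.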
| bdesmond
Posts:977
 | | 09/26/2009 5:35 AM |
| It's perfectly practical if you're willing to make the investment.
Look at tossing a HyperV/ESX box at each branch - IMO it helps a lot with this scenario.
Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
-----Original Message----- From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rand Salazar Sent: Friday, September 25, 2009 11:03 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Secure DCs Why?
| | | |
| rmscheck
Posts:245
 | | 09/26/2009 5:47 AM |
| Yea, that's sort of what I am proposing, but one of the arguments is that it will be X times (depending on how many virtualized) the amt of licensing (not for Windows, thx MS) but for the various base installed apps like AV, any sort of Mgmt CAL, increased server count, mgmt overhead, etc.
The angle I am trying to come from is that DCs are critical pieces in the Windows network that should have security first and foremost... and that running them in this manner puts us at great risk. I am searching for good security recommendations on DCs that point to this. I have found some on Technet that speak to minimizing the services on a DC but no hard and fast rule that speak to risks. I suppose it will come down to the actual added cost of running multiple servers to break up the services VS. the security.
Any other tips?
| | | |
| andrew
Posts:77
 | | 09/26/2009 10:37 AM |
| Hi Rand,
I would think there is a case here for having two servers in the remote sites, and I have successfully implemented this for similar scenarios:
1. DC server, preferably running Windows Server 2008 server core or physically secured. This can be a low-spec machine. Only required Domain Admins can manage this.
2. Application/infrastructure server, running whatever OS as is required for the items mentioned, presumably Windows Server 2003 / 2008. A reasonably high spec machine.
I think you'll find you'll be able to bring this into a very similar budget range to the all-in-one server solution and it fully addresses your DC security concerns.
There are definitely Microsoft guidelines on DC security, even just mixing this with DHCP, let alone all the other services you mentioned.
I hope this helps. I know virtualisation is the buzz-word of the moment, but let's not forget simpler solutions where appropriate. Unless others here disagree..?
Kind regards,
*Andrew Levicki* MCITP MCSA MCTS MCP andrewlevicki.info <http://www.andrewlevicki.info/>
| | | |
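A check for the "only required Domain Admins can manage this" point in Andrew's post, added here and not part of his message: it dumps the effective user rights assignment on the DC with secedit and resolves which principals actually hold the logon rights an admin or an agent would use. Run it on the DC itself (or wrap it in Invoke-Command); it relies only on built-in tools and writes nothing but a temporary INF file.

```powershell
# Added example, not from the thread. Who can actually log on to this DC?
function Get-DcLogonRights {
    $cfg = Join-Path $env:TEMP 'dc-rights.inf'
    # Export only the [Privilege Rights] area of the effective local policy.
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

    # Logon paths worth watching on a DC: console, RDP, service accounts, scheduled tasks.
    $rights = 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight',
              'SeServiceLogonRight', 'SeBatchLogonRight'

    foreach ($line in (Get-Content $cfg)) {
        if ($line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
        $name = $matches[1]; $holders = $matches[2]
        if ($rights -notcontains $name) { continue }
        foreach ($h in ($holders -split ',')) {
            $h = $h.Trim()
            # secedit writes SIDs as *S-1-5-..., names as plain text; resolve the SIDs.
            $resolved = $h
            if ($h.StartsWith('*S-1-')) {
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($h.Substring(1))
                    $resolved = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $resolved = $h }   # orphaned SID: leave it visible, it is a finding too
            }
            New-Object PSObject -Property @{ Right = $name; Holder = $resolved }
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
}

Get-DcLogonRights | Sort-Object Right, Holder | Format-Table Right, Holder -AutoSize
```

On a DC the defaults already include Server Operators, Print Operators, Backup Operators and Account Operators for interactive logon, so even before anyone adds a group the list is longer than "required Domain Admins"; the output is the list to trim in the Default Domain Controllers Policy.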
| gabriel/tfi
Posts:425
 | | 09/26/2009 5:11 PM |
| The following is our model to provide the required level of segregation of DAs\SAs (Domain Admins \ Server Admins) and to assure a good level of AD availability:
a) small sites do not have a local DC (say <50/70 users), they use DCs located at HUB site over the WAN link within the same region. Small sites are those like the one you cited that have room for 1-2 servers. Same concept applies to any APP, whatever can be centralized in the HUB site, it is. The exceptions are usually services hosted on a single server at the remote site (e.g. file/print server, distribution point, etc..).
b) we often use ESX (free or priced) at bigger sites to host a DC/DNS to curb costs. They are small VMs (1GB RAM, 20GB HDD) that are not so much resource demanding as they are DC/DNS only, or IAS in certain cases. HUB DCs work as backup if a local DC goes down.
c) all DCs are maintained and supported by a small team of Domain Admins whose members are spread across the 3 regions. Because DCs are DC/DNS only and changes are applied to DCs through a standard process, the environment is "well known" and pretty manageable thus they don't face issues that might be caused by other non-DA admins. DCs are seen as pieces of "enterprise infrastructure" managed by an "enterprise team" just like routers are centrally managed by the enterprise Networking Team, nobody else can mess up a router config, the same is for AD.
We run Win2K3, but Win2K8 should allow you to put a DC role onto a multi-purpose server by allowing local Admins to manage the server w/o Domain Admins privileges (this does not solve the service availability issue anyway).
AD is the core of security, Domain Admins have the keys to change AD objects, AD security and manage any machine across the domain - or better we should talk about Enterprise Admins managing the whole Forest. On the other hand, Server Admins should be granted authorization to the resources (say "delegated") they are required to manage only (aka "service/data autonomy") according to the least privilege principle.
In a few words, it's just a question of security and service availability. You might find something useful in the following readings: http://go.microsoft.com/fwlink/?LinkId=140862 http://www.microsoft.com/downloads/details.aspx?familyid=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en
Regards - Gabriele.
| | | |
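An added example for the Server 2008 capability Gabriele's post alludes to (my script, not his). I take the feature to be RODC Administrator Role Separation, where the group named in the RODC computer object's managedBy attribute is treated as a local administrator of that one RODC and of nothing else; that is an assumption about what the post means. It assumes the ActiveDirectory module and an account allowed to write the computer object; RODC-BR01 and "BR01 Server Admins" are placeholder names.

```powershell
# Added example, not from the thread. Delegate local admin on a branch RODC without
# touching Domain Admins, then verify the delegation is really least-privilege.
Import-Module ActiveDirectory

$rodcName = 'RODC-BR01'              # placeholder
$adminGrp = 'BR01 Server Admins'     # placeholder, a plain global group

$rodc = Get-ADDomainController -Identity $rodcName
if (-not $rodc.IsReadOnly) {
    # On a writable DC "local admin" is domain admin; delegating it would be a lie.
    throw "$rodcName is a writable DC; Administrator Role Separation only exists on RODCs."
}

$grp = Get-ADGroup -Identity $adminGrp

# The grant is one attribute write on the RODC's computer object.
Set-ADComputer -Identity $rodc.ComputerObjectDN -ManagedBy $grp.DistinguishedName

# Read it back.
$managedBy = (Get-ADComputer -Identity $rodc.ComputerObjectDN -Properties ManagedBy).ManagedBy
'{0} is now managed by {1}' -f $rodcName, $managedBy

# Least-privilege check: the delegated group must not be nested, at any depth, inside a
# privileged group. LDAP_MATCHING_RULE_IN_CHAIN walks the membership chain server-side.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$parents = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($grp.DistinguishedName))" |
           Where-Object { $privileged -contains $_.Name }
if ($parents) {
    Write-Warning ("{0} is transitively a member of: {1}. That defeats the delegation." -f
        $adminGrp, (($parents | ForEach-Object { $_.Name }) -join ', '))
} else {
    'OK: {0} holds no privileged group membership.' -f $adminGrp
}
```

The availability caveat in the post stands: the branch admins get a box they can manage, but an RODC still depends on a writable DC over the WAN for anything it cannot answer from its cached secrets.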
| gabriel/tfi
Posts:425
 | | 09/26/2009 6:20 PM |
| In an ideal world a physical machine is preferable for a DC role from either a security or availability view point, if we think that VM software might interact as "Local System" on a DC (=AD Administrator privilege) or the administrator of the virtual infrastructure might harm the DC or AD (e.g. the virtual infrastructure is crashed and the DC is unavailable or a malfunctioning DC is recovered from a past VM snapshot w/o Domain Admins being notified...).
The reality might be slightly different as - for example - 100 virtualized DCs might be worth 70K saving per year and this is something companies like to hear today.
That said, I believe Virtual DC is not the ideal condition, but it's far better than mixing DC/DNS with other server roles and giving out DA credentials to any server admin who uses a DC as a multi-purpose machine.
Cheers - Gabriele.
| | | |
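The snapshot scenario in the post above is detectable after the fact, and this added check (mine, not from the thread) shows how: a DC that is rolled back to an old VM snapshot and then replicates hits a USN rollback, logs event 2095 in the Directory Service log, and NTDS sets the registry value "Dsa Not Writable" to 4 to quarantine itself. The script polls every DC for both symptoms. It assumes the ActiveDirectory module, remote event log access and PowerShell remoting to each DC.

```powershell
# Added example, not from the thread. Find DCs that show the marks of a snapshot restore.
Import-Module ActiveDirectory

function Test-DcRollback {
    param([string]$Server)

    # NTDS writes 4 here once it has detected a USN rollback and stopped inbound/outbound replication.
    $dsaNotWritable = Invoke-Command -ComputerName $Server -ScriptBlock {
        $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
        $p.'Dsa Not Writable'
    }

    # 2095: replication partner saw already-acknowledged USNs (rollback detected).
    # 2103: database restored with an unsupported procedure, logons refused.
    $events = Get-WinEvent -ComputerName $Server -FilterHashtable @{
        LogName = 'Directory Service'; Id = 2095, 2103; StartTime = (Get-Date).AddDays(-30)
    } -ErrorAction SilentlyContinue
    $events = @($events)

    New-Object PSObject -Property @{
        DC             = $Server
        DsaNotWritable = $dsaNotWritable
        RollbackEvents = $events.Count
        LastEvent      = if ($events.Count -gt 0) { $events[0].TimeCreated } else { $null }
        Suspect        = ($dsaNotWritable -eq 4) -or ($events.Count -gt 0)
    }
}

Get-ADDomainController -Filter * |
    ForEach-Object { Test-DcRollback -Server $_.HostName } |
    Sort-Object Suspect -Descending |
    Format-Table DC, Suspect, DsaNotWritable, RollbackEvents, LastEvent -AutoSize
```

A quarantined DC has to be demoted and repromoted (or restored from a proper backup); the point of running the check on a schedule is that the Domain Admins find out before the branch does, which is exactly the "without Domain Admins being notified" gap the post describes. Later versions of Windows Server (2012 onward) added a VM-Generation ID mechanism so the DC itself notices a snapshot restore, but the checks above are what applied to the platforms discussed here.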
| rmscheck
Posts:245
 | | 09/26/2009 8:12 PM |
| Thanks for your insight.. how do you folks justify the added number of servers that now need to be managed if you run ESX? Added patching population, administration etc..
| | | |
| bdesmond
Posts:977
 | | 09/26/2009 8:25 PM |
| The extra overhead is the ESX servers because you're going to need to manage them en masse.
The additional servers by way of VMs should be practically zero overhead if you have good processes and aren't doing manual labor (e.g. you've scripted things). This is one good argument for HyperV as you can _very_ easily extend your existing Wintel management practices to the host machines here.
Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
| | | |
| rmscheck
Posts:245
 | | 09/26/2009 8:41 PM |
| Indeed.. looking at Hyper-V and even taking it a bit further by managing them all via SCVMM even! You are correct though, our current patching and administrative processes will definitely not hold up when we add 100 new VMs to the environment. However, I don't believe that should be an excuse not to shore up our weaknesses there so that we could support that level of servers. I don't think the side effect of increased sys mgmt is enough to not justify the service segregation and security we would gain. But then again that's an executive decision I suppose heh..
Aside from the sys mgmt aspect, I think the biggest fight I face is the added licensing.. our typical server base has antivirus, backup agents, etc.. With the multiplication of servers via virtualization that increases the cost for each.
I guess many businesses don't seem to realize the importance of AD/DC security and feel it's just another server..
| | | |
| bdesmond
Posts:977
 | | 09/26/2009 9:05 PM |
| Pull some of the per-server licensed items off the DCs that aren't necessary? Aside from A/V and a monitoring agent, what else do you need?
Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
-----Original Message-----
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rand Salazar
Sent: Saturday, September 26, 2009 2:40 PM
To: activedir@mail.activedir.org
Subject: Re: [ActiveDir] Secure DCs Why?
Indeed.. looking at Hyper-V and even taking it a bit further by managing them all via SCVMM even! You are correct though, our current patching and administrative processes will definitely not hold up when we add 100 new VMs to the environment. However, I don't believe that should be an excuse not to shore up our weaknesses there so that we could support that level of servers. I don't think the side effect of increased sys mgmt is enough to not justify the service segregation and security we would gain. But then again that's an executive decision I suppose heh..
Aside from the sys mgmt aspect, I think the biggest fight I face is the added licensing.. our typical server base has antivirus, backup agents, etc.. With the multiplication of servers via virtualization that increases the cost for each.
I guess many businesses don't seem to realize the importance of AD/DC security and feel it's just another server..
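Brian's question ("aside from A/V and a monitoring agent, what else do you need?") is easiest to answer with an inventory. The script below is an added example, not code from the thread or from any of its posters: it lists, per writable DC, the installed roles outside a DC/DNS baseline and the services whose binaries live outside %SystemRoot%, which is where A/V, backup, monitoring and other add-on agents normally sit. It assumes PowerShell 3.0 or later, the ActiveDirectory and ServerManager modules (Windows Server 2008 R2 or later, so newer than the Win2K3/Win2K8 hosts discussed here), WinRM remoting to each DC, and the `$baselineRoles` list is an assumption about the build standard that should be adjusted to your own.

```powershell
# Added example, not code from the thread. Inventories what each writable DC
# runs beyond AD DS and DNS so per-server add-ons can be justified or removed.
# Assumes PowerShell 3.0+, the ActiveDirectory and ServerManager modules and
# WinRM remoting to every DC. $baselineRoles is an assumed build standard.
Import-Module ActiveDirectory

# Roles a "DC/DNS only" server is expected to carry. File and Storage
# Services is installed by default on 2012+ and so is tolerated here.
$baselineRoles = 'AD-Domain-Services', 'DNS', 'FileAndStorage-Services'

function Get-DcExtras {
    # One row per writable DC: installed roles outside the baseline (plus the
    # WINS feature, which the thread calls out) and services whose binary is
    # not under %SystemRoot%, which is where third-party agents normally sit.
    $dcs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }
    foreach ($dc in $dcs) {
        try {
            # Everything inside the script block runs on the DC itself.
            Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop `
                           -ArgumentList (,$baselineRoles) -ScriptBlock {
                param([string[]]$baseline)
                Import-Module ServerManager
                $extraRoles = Get-WindowsFeature |
                    Where-Object { $_.Installed -and
                                   ($_.FeatureType -eq 'Role' -or $_.Name -eq 'WINS') -and
                                   $baseline -notcontains $_.Name } |
                    Select-Object -ExpandProperty Name
                $sysRoot = $env:SystemRoot
                $extraSvcs = Get-CimInstance Win32_Service |
                    Where-Object { $_.PathName -and
                                   $_.PathName.TrimStart('"') -notlike "$sysRoot\*" } |
                    Select-Object -ExpandProperty Name
                [pscustomobject]@{
                    DC            = $env:COMPUTERNAME
                    ExtraRoles    = ($extraRoles -join ', ')
                    ExtraServices = ($extraSvcs -join ', ')
                }
            }
        } catch {
            # A DC that cannot be reached is itself worth knowing about.
            [pscustomobject]@{ DC = $dc.HostName; ExtraRoles = "ERROR: $_"; ExtraServices = '' }
        }
    }
}

Get-DcExtras | Sort-Object DC | Format-Table -AutoSize -Wrap
```

Expect the A/V engine and the monitoring or backup agent to appear in ExtraServices on every DC; that is the accepted footprint Brian describes. Anything else in either column (DHCP, WINS, Web-Server, Print-Services, UpdateServices, an SMS distribution point, a vendor service) is a candidate to move off the DC, and each one is also a reason somebody currently holds Domain Admins just to service it.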
| | | |
| gabriel/tfi
Posts:425
 | | 09/26/2009 9:28 PM |
| I am not sure I understand your question. There's no additional number of servers to manage, the number of virtual DCs is just the same as they were physical. ESX (or Hyper-V or Xenserver or whatever) just allows you to leverage existing HW to run DCs, this is a cost saving opportunity with some drawbacks in terms of security and availability, but I definitely think it's an acceptable trade-off for most companies.
Regards - Gabriele.
> -----Original Message-----
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rand Salazar
> Sent: sabato 26 settembre 2009 9:12
> To: activedir@mail.activedir.org
> Subject: Re: [ActiveDir] Secure DCs Why?
>
> Thanks for your insight.. how do you folks justify the added number of servers that now need to be managed if you run ESX? Added patching population, administration etc..
| | | |
| bdesmond
Posts:977
 | | 09/26/2009 9:40 PM |
| Yes, but his overall Wintel count goes up if he breaks off the various misc services the DCs are doing onto separate VM(s).
Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
-----Original Message-----
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
Sent: Saturday, September 26, 2009 3:26 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Secure DCs Why?
I am not sure I understand your question. There's no additional number of servers to manage, the number of virtual DCs is just the same as they were physical. ESX (or Hyper-V or Xenserver or whatever) just allows you to leverage existing HW to run DCs, this is a cost saving opportunity with some drawbacks in terms of security and availability, but I definitely think it's an acceptable trade-off for most companies.
Regards - Gabriele.
| | | |
| robertsingers
Posts:571
 | | 09/27/2009 9:37 PM |
| If you're approaching this from a security and cost perspective I would suggest that you look at Windows 2008 server core for DCs and Hyper-V for application servers. You decrease the attack surface, decrease the skill sets needed, and simplify the life-cycle management of your server fleet.
If you can pair up your virtualisation strategy with storage like NetApp filers with deduplication features you also start to save 40-60% of disk space across your virtualised servers.
-----Original Message-----
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rand Salazar
Sent: Sunday, 27 September 2009 8:12 a.m.
To: activedir@mail.activedir.org
Subject: Re: [ActiveDir] Secure DCs Why?
Thanks for your insight.. how do you folks justify the added number of servers that now need to be managed if you run ESX? Added patching population, administration etc..
| | | |
| pbbergs
Posts:281
 | | 09/28/2009 1:26 PM |
| You could also consider using an RODC, thereby not being required to hand out domain admin credentials. This is exactly the scenario in which RODCs would be of help.
Thanks
Paul pbergson@allete.com (e-mail) pbbergs@msn.com (IM)
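Paul's RODC suggestion deserves a concrete shape, since the whole point is to stop handing out Domain Admins for branch work. The script below is an added example, not code from the thread or from any poster: it reports each RODC with the principal in its ManagedBy attribute (on an RODC that principal is made a local administrator, Administrator Role Separation, with no Domain Admins membership), lets you set that delegation to a site group, and checks that Domain Admins are still denied password caching on RODCs. It assumes PowerShell 3.0 or later and the ActiveDirectory module (Windows Server 2008 R2 RSAT or later); the host name `branch01-rodc.corp.example` and the group `Branch01-RODC-Admins` are placeholders.

```powershell
# Added example, not code from the thread. Assumes PowerShell 3.0+ and the
# ActiveDirectory module. Host and group names below are placeholders.
Import-Module ActiveDirectory

function Get-RodcDelegation {
    # One row per RODC with its delegated local administrator. On an RODC
    # the ManagedBy principal is granted local admin (Administrator Role
    # Separation) without any membership in Domain Admins.
    Get-ADDomainController -Filter * | Where-Object { $_.IsReadOnly } | ForEach-Object {
        $comp  = Get-ADComputer -Identity $_.ComputerObjectDN -Properties ManagedBy
        $admin = '(none: only domain-level admins can manage it)'
        if ($comp.ManagedBy) { $admin = (Get-ADObject -Identity $comp.ManagedBy).Name }
        [pscustomobject]@{
            RODC           = $_.HostName
            Site           = $_.Site
            DelegatedAdmin = $admin
        }
    }
}

function Set-RodcDelegatedAdmin {
    # Delegates local administration of one RODC to a site group so branch
    # staff never need Domain Admins to service the box.
    param(
        [Parameter(Mandatory = $true)][string]$RodcHostName,
        [Parameter(Mandatory = $true)][string]$GroupName
    )
    $dc = Get-ADDomainController -Identity $RodcHostName
    if (-not $dc.IsReadOnly) {
        # On a writable DC ManagedBy is informational only, and local admin
        # there is equivalent to Domain Admins, which is what we are avoiding.
        throw "$RodcHostName is a writable DC; refusing to treat it as delegable."
    }
    $group = Get-ADGroup -Identity $GroupName
    Set-ADComputer -Identity $dc.ComputerObjectDN -ManagedBy $group.DistinguishedName
}

function Test-DaCachingDenied {
    # The default Password Replication Policy keeps Domain Admins secrets off
    # every RODC through this built-in group. Returns $true while that holds.
    $denied = Get-ADGroupMember -Identity 'Denied RODC Password Replication Group'
    [bool]($denied | Where-Object { $_.Name -eq 'Domain Admins' })
}

# Usage with placeholder names:
# Set-RodcDelegatedAdmin -RodcHostName 'branch01-rodc.corp.example' -GroupName 'Branch01-RODC-Admins'
Get-RodcDelegation | Format-Table -AutoSize
"Domain Admins denied from RODC caching: $(Test-DaCachingDenied)"
"Effective Domain Admins members: $((Get-ADGroupMember -Identity 'Domain Admins' -Recursive).Count)"
```

The last line is the number Rand is trying to drive down; once each branch RODC has a site group in ManagedBy, the people who only ever needed to log on to the branch DC can be removed from Domain Admins. Keep the writable-DC check in place: delegating "local admin" on a writable DC is not delegation at all, it is Domain Admins by another name.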
| | | |