Sat Jun 11 00:24:52 CDT 2005
rainman is notorious for his security holes...
"rainman" <news.76939@buckeye-express.com> wrote in message
news:NcGdnSubxd4pxDffRVn-og@buckeye-express.com...
>
> Personally I suggest not using FTP on a DC at all, because IIS, like IE,
> is notorious for security holes... not to mention that it just wouldn't
> be useful unless you're doubling up server duties for lack of cash...
> but unfortunately it is necessary for the feature if somebody does make
> that (poor) choice.
>
> Rainman
>
> zenner wrote:
>> As noted by your explanation. If you are aware that you are circumventing
>> accepted practices for a DC and are willing to accept the risk... that is
>> your decision.
>>
>> My point is still valid, given accepted practice and for security... no user
>> has a reason for local access to a DC. Even placing an FTP server on a DC,
>> you can still set up your permission to avoid giving local logon access to
>> normal users.
>>
>> If you feel it acceptable risk, it's your system, do as you feel is
>> reasonable. I still suggest you research a better solution.
>> "rainman" <news.76939@buckeye-express.com> wrote in message
>> news:pridnRuKYcT1KTTfRVn-jQ@buckeye-express.com...
>>
>> There is one reason why a normal user needs logon locally permissions to
>> the server: FTP via IIS. If the user needs FTP access to the server, you
>> HAVE to give him local logon rights, just because that's the way IIS works.
>>
>> However, it is more likely the answer to this problem lies in my
>> previous post in this thread...
>>
>> zenner wrote:
>>
>>>There is no reason that a normal user needs to logon to a Domain Controller.
>>>Anything he needs should be accessed through an API. Files are accessed
>>>through shares, printers through spooler, applications through whatever API
>>>that the app provides. Only members of one of the Admin groups, by default,
>>>are allowed Logon rights to a DC. Member servers are an entirely different
>>>issue.
>>
>>>Are we talking about the same thing?
>>
>>>"zenner" <zenner@pacbell.net> wrote in message
>>>news:fnIpe.1581$Z44.602@newssvr13.news.prodigy.com...
>>
>>
>>>>Is your DC also serving double duty as possibly a File or Printer server?
>>
>>>>Your System Administrator may have an explanation, if you are not the
>>>>sysAdmin...then ask him or her (respectfully, if possible.) if they knew
>>>>about it and/or intended to include domain users in the "logon locally"
>>>>permission list, and if so...why?
>>
>>>>Asked in the right way you may get an explanation that is reasonable,
>>>>given the circumstances of your company's environment.
>>
>>>>Even the best guidelines have exceptions...that's why they are called
>>>>Guidelines, instead of rules.
>>>>"Rebsu" <Rebsu@discussions.microsoft.com> wrote in message
>>>>news:BD38617E-5A13-4A21-A5D1-A7EB4A732294@microsoft.com...
>>
>>
>>>>>I was looking over our group policy settings while studying for 70-292 and
>>>>>noticed that the group Domain Users is included in the Allow log on locally
>>>>>setting in the Default Domain Controller Policy. Is this ok or dangerous?
>>>>>Is it necessary? DCs are 2003 standard.
>>
>>
>>
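
Added example, not part of the thread or written by any of its participants: one way to check which principals hold "Allow log on locally" (SeInteractiveLogonRight) on a DC, by parsing the [Privilege Rights] section of a security template such as the one written by `secedit /export`. The sample template and its domain SID are constructed placeholders, and the function names are hypothetical.

```python
import re

# Well-known broad principals; a domain SID ending in RID 513 is Domain Users.
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
}
BROAD_NAMES = {"everyone", "authenticated users", "users", "domain users"}
DOMAIN_USERS = re.compile(r"^S-1-5-21-\d+-\d+-\d+-513$")

def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def broad_principals(principals):
    """Return labels for entries that cover ordinary users."""
    found = []
    for p in principals:
        if p.startswith("*"):  # "*" prefix marks a SID in the template
            sid = p[1:]
            if sid in BROAD_SIDS:
                found.append(BROAD_SIDS[sid])
            elif DOMAIN_USERS.match(sid):
                found.append("Domain Users")
        elif p.split("\\")[-1].lower() in BROAD_NAMES:
            found.append(p)  # entry stored as an account name, not a SID
    return found

# Constructed sample (placeholder domain SID), not taken from the thread.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-513
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
"""

if __name__ == "__main__":
    rights = parse_privilege_rights(SAMPLE_INF)
    for label in broad_principals(rights.get("SeInteractiveLogonRight", [])):
        print("Allow log on locally is granted to:", label)
```

A real export is normally UTF-16 encoded, so decode it to text before passing it to `parse_privilege_rights`.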