An important question about Domain Controller
Hello Guys, I have a question about WinServer 2003 or 2008 domain environment, is it true that we should not install applications or software on DC if it is in LAN and when the LAN is connected to internet? Is this recommended in order to stop application layer attacks on DC? I hope my question is clear and would appreciate if we have discussion on it. Thanks
November 20th, 2010 5:58am

Application layer attacks are attacks that may use the ports or code associated with an application to gain administrative access (through a vulnerability in the application code) or achieve denial of service (by flooding the ports of the application with loads of network, resulting in 100% CPU load or filling up the C:\ drive with logs). When these attacks are performed towards an application on a Domain Controller you might be confronted with the inability to log on or a leak of sensitive (account) data.

If you want to mitigate this risk, do not install applications on Domain Controllers. However, when there's a budget constraint on implementing the environment and/or application, this might prove to be more important than mitigating a security risk with the application. Also, not installing any application on a Domain Controller, in itself, is infeasible, since it's recommended to install anti-malware, backup, auditing, monitoring and/or UPS software on Domain Controllers in production environments in order to mitigate other risks.
November 20th, 2010 8:13am

General advice is not to use a DC as anything other than a DC. Also, you should never connect a LAN to the internet directly. It should always be through a router that provides hardware firewall and mapping of external IP addresses to internal ones.

--------
Regards,
Hank Arnold
Microsoft MVP Windows Server - Directory Services
http://it.toolbox.com/blogs/personal-pc-assistant/

On 11/20/2010 5:53 AM, Student1 wrote:
> Hello Guys, I have a question about WinServer 2003 or 2008 domain environment, is it true that we should not install applications or software on DC if it is in LAN and when the LAN is connected to internet? Is this recommended in order to stop application layer attacks on DC? I hope my question is clear and would appreciate if we have discussion on it. Thanks
November 21st, 2010 5:29am
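
The replies above tie the risk to the extra ports and code an application brings onto a DC. The following is an added example, not code from the thread, that lists TCP listeners on a DC that fall outside its directory role so they can be reviewed. The port baseline, the system-process list and the sample data are assumptions made for this illustration, and only English-language `netstat -ano` output is parsed.

```powershell
# Assumed baseline of TCP ports for AD DS, DNS and DFSR on a DC; adjust to your environment.
$BaselinePorts = 53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269, 5722, 9389
# Assumed Windows processes that legitimately own dynamic RPC listeners on a DC.
$SystemProcs = 'lsass', 'services', 'svchost', 'wininit', 'dns', 'dfsrs', 'ntfrs', 'System'

function Test-DynamicRpcPort([int]$Port) {
    # Default dynamic ranges: 1025-5000 (Server 2003), 49152-65535 (Server 2008).
    ($Port -ge 1025 -and $Port -le 5000) -or ($Port -ge 49152 -and $Port -le 65535)
}

function Get-UnexpectedListener {
    param([string[]]$NetstatLines, [hashtable]$ProcessNames)
    $seen = @{}
    foreach ($line in $NetstatLines) {
        # Row shape: "  TCP    0.0.0.0:389    0.0.0.0:0    LISTENING    632"
        if ($line -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $port = [int]$Matches[1]; $procId = [int]$Matches[2]
            $key = "$port/$procId"
            if ($seen.ContainsKey($key)) { continue }   # IPv4 and IPv6 rows repeat a listener
            $seen[$key] = $true
            $name = $ProcessNames[$procId]
            if (-not $name) { $name = 'unknown' }
            $expected = ($BaselinePorts -contains $port) -or
                        ((Test-DynamicRpcPort $port) -and ($SystemProcs -contains $name))
            if (-not $expected) {
                New-Object PSObject -Property @{ Port = $port; ProcessId = $procId; Process = $name }
            }
        }
    }
}

# Constructed sample data (not from a real host): PID-to-name map and netstat -ano rows.
$names = @{ 4 = 'System'; 632 = 'lsass'; 2120 = 'sqlservr'; 3004 = 'exampleapp' }
$sample = @'
  TCP    0.0.0.0:88       0.0.0.0:0        LISTENING    632
  TCP    0.0.0.0:389      0.0.0.0:0        LISTENING    632
  TCP    0.0.0.0:445      0.0.0.0:0        LISTENING    4
  TCP    0.0.0.0:1433     0.0.0.0:0        LISTENING    2120
  TCP    0.0.0.0:8080     0.0.0.0:0        LISTENING    3004
  TCP    0.0.0.0:49155    0.0.0.0:0        LISTENING    632
  TCP    0.0.0.0:49200    0.0.0.0:0        LISTENING    3004
  TCP    [::]:389         [::]:0           LISTENING    632
  TCP    10.0.0.5:445     10.0.0.20:51514  ESTABLISHED  4
'@ -split "`r?`n"

Get-UnexpectedListener -NetstatLines $sample -ProcessNames $names |
    Format-Table Port, ProcessId, Process -AutoSize
# On a live DC: $names = @{}; Get-Process | ForEach-Object { $names[$_.Id] = $_.ProcessName }
#               Get-UnexpectedListener -NetstatLines (netstat -ano) -ProcessNames $names
```

Flagged rows are review items, not verdicts: agents such as anti-malware, backup or monitoring software will appear here and can be added to the baseline once accepted.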
