Domain Controller protection
Thanks for your answer.
I want to know if the local users can log in to the Domain Controller (that is behind a router or firewall) without using Terminal Server or Remote Desktop.
My English is not very good.
Thanks for all.
August 7th, 2008 5:42pm
Is that first line a statement or a question? Are you forwarding TCP 3389 (Terminal Services) through the PIX for remote console access?
By default, normal non-administrative users cannot log on to a domain controller either locally (at the console) or remotely (via Remote Desktop/Terminal Services). Unless you've changed this configuration in the group policies, you should be fine.
August 7th, 2008 6:15pm
An "end user" or an administrator? By default, an end user does not have permissions to log on to the console of the domain controllers. They must be an operator or an administrator.
August 7th, 2008 9:21pm
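One way to verify the default described in the replies above, as an added example that is not part of the original thread: the script parses a user-rights export and flags any principal holding a local or Remote Desktop logon right that is not a built-in administrator or operator group. The sample export, the allowlist and the function name `Get-LogonRightFinding` are assumptions made for illustration.

```powershell
# Constructed sample of a user-rights export. On a DC, produce a real one with:
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
$sample = @'
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544
'@

# Assumed allowlist: built-in administrator and operator groups (well-known SIDs).
$allowed = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-548' = 'Account Operators'
    'S-1-5-32-549' = 'Server Operators'
    'S-1-5-32-550' = 'Print Operators'
    'S-1-5-32-551' = 'Backup Operators'
}
# Labels for broad groups that should not hold logon rights on a DC.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
    'S-1-5-32-555' = 'Remote Desktop Users'
}

function Get-LogonRightFinding {
    param([string[]]$Lines)
    $rights = 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight'
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\w+)\s*=\s*(.*)$') {
            $right, $value = $Matches[1], $Matches[2]
            if ($rights -notcontains $right) { continue }
            foreach ($entry in ($value -split ',')) {
                $id = $entry.Trim().TrimStart('*')   # secedit prefixes SIDs with '*'
                if (-not $id) { continue }
                if ($allowed.ContainsKey($id)) { $name = $allowed[$id]; $status = 'expected' }
                elseif ($broad.ContainsKey($id)) { $name = $broad[$id]; $status = 'REVIEW' }
                elseif ($id -like 'S-1-5-21-*-513') { $name = 'Domain Users'; $status = 'REVIEW' }
                else { $name = $id; $status = 'REVIEW' }   # unknown SID or account name
                [pscustomobject]@{ Right = $right; Principal = $name; Status = $status }
            }
        }
    }
}

Get-LogonRightFinding -Lines ($sample -split '\r?\n') | Format-Table -AutoSize
```

To audit a real domain controller, pass `Get-Content` of the exported file to `-Lines` in place of the constructed sample.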
If the firewall is performing NAT and you don't create any port-forwarding rules, then no inbound connections can be made from external hosts to your Domain Controller. On top of that, what we've both posted above covers the fact that the average user account cannot log on to a Domain Controller regardless of how they attempt to connect.
The first part covers the actual connectivity and the second refers to security policies that limit non-Admins from logging into a domain controller.
Are you asking for a way to ALLOW them to log on, or are you concerned about security and want to make sure they CAN'T log on?
August 7th, 2008 11:30pm
It's worth reading this resource on how to secure 2003 Server:
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx
August 8th, 2008 1:29pm
This forum is for Exchange-related issues. For questions about DCs, please use the Windows Server 2008 Forum, which would be the most relevant forum for your question.
August 11th, 2008 5:46am