Chapter 10 - Managing Server Security


Securing the server entails many controls, and the main objective is to secure the system configurations so that unauthorized users cannot change them in any way. By doing so, you secure the computer and the data residing on it so that you are assured the objective of Confidentiality is met. Controls should be in place to ensure that all access to the computer system, programs, and data is appropriately restricted, meaning that you secure system configuration files so that individuals cannot simply change them.

Windows NT provides many security features for setting, organizing, and maintaining system configurations. For this reason, the security controls that can be implemented to protect these items are numerous. In the following section, we recommend the controls we believe are most important in reaching the objective of securing the system.

Server Manager is the application within Windows NT that allows an administrator to control most domain activity. Some of these activities include domain administration, setting up shares, configuring replication settings, modifying services, and monitoring user connections. These functions can all be performed remotely or locally by the administrators.

To launch the Server Manager application, choose Start » Programs » Administrative Tools » Server Manager.


The Server Manager application appears and, in the title bar of the main window, the name of the domain currently being administered is displayed. The main viewing area displays the computer name in the Computer column, the Windows NT version and server type (if possible) in the Type column, and the description in the Description field. The icon to the left of each Computer name represents the server type.

You can view computers three ways: servers only, workstations only, and all. In addition, administrators can choose to view the domain members only. Depending on what needs to be managed, these views should facilitate finding a particular computer. Administrators should periodically review the current members of a domain and make sure all computers belong.


Computer Properties

Both workstations and servers can be displayed in the view. To display the properties of a particular server, either double-click on the computer name or choose Computer » Properties from the menu bar. The Properties dialog box appears.


Administrators should use Server Manager as a tool for monitoring and controlling connections to a computer. Security can also be monitored and controlled through some of these features because an administrator can disconnect a user in real time if they are accessing certain resources incorrectly.

Table 10-1 presents and describes the Properties dialog box.

Table 10-1 Computer Properties

| Usage Summary Section | Function |
| --- | --- |
| Sessions | The number of users remotely connected to the computer. |
| File Locks | The number of file locks by open resources on the computer. Another user cannot access a resource if it is locked. |
| Open Files | The number of shared resources opened on the computer. |
| Open Named Pipes | The number of named pipes opened on the computer. Named pipes are interprocess communication mechanisms that allow processes to communicate with each other locally and remotely. |

| Field | Function |
| --- | --- |
| Description | Specifies the description of a computer—typically the computer's location, user, and function. |

| Button | Function |
| --- | --- |
| Users | Lists and allows the disconnection of connected users and their open resources. |
| Shares | Lists the shared resources and allows disconnection of users who are connected to them. |
| In Use | Lists opened resources and who is using them. |
| Replication | Allows management of directory replication. |
| Alerts | Lists and allows management of the users and computers that receive alerts. |

Users

Administrators can monitor the users who are currently connected to the computer over the network and view the resources those users have open. This ability allows administrators to monitor how many users are connected at any given time, the shared resources that are being accessed, and the length of time a user has been connected to the open resource. To open the User Sessions dialog box, click the Users button.


There are two fields: The top field is for viewing the users that are connected, and the bottom field is for viewing the resources that are in use by a specific user. Table 10-2 presents and describes the User Sessions dialog box.

Table 10-2 User Sessions

| Top Field Columns | Function |
| --- | --- |
| Connected Users | Lists the users or computers that are connected to the computer over the network |
| Computer | Displays the connected user's computer name |
| Opens | Displays the number of resources opened on this computer by the user |
| Time | Displays the hours and minutes that have elapsed since the session was established |
| Idle | Displays the hours and minutes that have elapsed since the user last initiated an action |
| Guest | Indicates whether or not this user connected to this computer as a guest |

| Bottom Field Columns | Function |
| --- | --- |
| Resource | Lists the shared resources to which the selected user is connected |
| Opens | Displays the number of times the listed resource is open for a selected user |
| Time | Displays the hours and minutes that have elapsed since the user first connected to a shared resource |

| Button | Function |
| --- | --- |
| Disconnect | Disconnects the highlighted user from the computer |
| Disconnect All | Disconnects all users from the computer |

Administrators can disconnect users from the network. This ability might be advantageous if the administrator wanted to terminate a connection immediately because a user was suspected of accessing resources improperly. In addition, the fewer users connected, the better performance will be. To disconnect a user, highlight the user's name in the top field and click the Disconnect button. If you want to disconnect every user currently connected, click the Disconnect All button. Administrators should always warn legitimate users before disconnecting them to prevent data loss and corruption.

Note: Users who are disconnected via this method may reconnect at any time. This does not disallow future connection attempts.

Shares

Administrators can monitor and control shares on a machine. For example, they can disconnect users from those shares by clicking the Shares button, which opens the Shared Resources dialog box.


This box is divided into two sections: shares in the top field and connected users in the bottom field. Table 10-3 presents and describes the Shared Resources dialog box.

Table 10-3 Shared Resources

| Top Field Columns | Function |
| --- | --- |
| Sharename | Lists the shared resources available on the computer |
| Uses | Displays the number of connections to the shared resource |
| Path | Displays the path of the shared resource |

| Bottom Field Columns | Function |
| --- | --- |
| Connected Users | Lists the users who are connected to the selected shared resource |
| Time | Displays the hours and minutes that have elapsed since the user first connected to the shared resource |
| In Use | Indicates whether the user currently has a file open from the selected resource |

| Button | Function |
| --- | --- |
| Disconnect | Disconnects the highlighted user from the computer |
| Disconnect All | Disconnects all users from the computer |

Similar to the functionality of the User Sessions dialog box, the Shared Resources dialog box is used to monitor what is in use and to terminate what is being used. Administrators should use this as a tool in controlling network usage of shared resources.

In Use

To view or manage the shared resources open on a selected computer, click the In Use button. The Open Resources dialog box appears.


An administrator can close one or all of the open resources that are being accessed by remote users. Reasons for doing this include suspecting users of gaining unauthorized access to files and needing to free up connections. Table 10-4 presents and describes the Open Resources dialog box.

Table 10-4 Open Resources

| Area | Function |
| --- | --- |
| Open Resources | Displays the total number of open resources on the computer |
| File Locks | Displays the total number of file locks by open resources |

| Column | Function |
| --- | --- |
| Opened By | Lists the type of opened resources on the computer and the user name who opened it |
| For | Lists the permissions granted when the resource was opened |
| Locks | Displays the number of locks on the resource |
| Path | Displays the path of the open resource |

| Button | Function |
| --- | --- |
| Close Resource | Disconnects the highlighted user from the computer |
| Close All Resources | Disconnects all users from the computer |

The functionality of the Open Resources dialog box is similar to that of the User Sessions dialog box: administrators can use it to view what is in use and to terminate connections to resources that are in use.

Replication

Directory replication provides the ability to create and maintain identical directory trees and files on multiple servers and workstations. To open the Directory Replication dialog box, click the Replication button.


The screen is divided into two halves: the Exportation settings on the left and the Importation settings on the right. Administrators should not confuse the two because highly sensitive data will be passed from the export server to the import clients.

Replication is a powerful feature for load balancing, file maintenance, and distribution of logon scripts and policy files. The use of replication relieves the load placed on a single server because the files are available on more than one system. File maintenance is reduced because updates to files are derived from a single source. This duplication, however, creates potential security vulnerabilities, because there are now two places hackers can try to access sensitive information. Windows NT Workstation can only import data, whereas Windows NT Server can both export and import data through replication.

The replication process contains two component systems: the export server and the import computer. The export server is the system that contains the files to be replicated to the import computer. The import computer receives the replicated directories and files from the export server.

Configuring and Securing Replications

Configuring directory replication is a two-step process, because it involves configuring the export server and import computer(s). During both steps, it is important to stay focused on security; if configured incorrectly, a Windows NT server could be breached or data could be compromised.

Step One: The Export Server

Three different applications need to be used to configure and secure the export server: User Manager for Domains, Server Manager, and the Services applet from the Control Panel, which can also be accessed from within Server Manager.

From the export server, launch User Manager for Domains and create a new user account called Replicator. (This is a common name, which is not recommended. You should use a name that is more obscure.) The new Replicator account should be created on the domain, which will allow the account to be used on both the export server and import client. Table 10-5 indicates what the settings should be in order for the Replicator account to be able to perform the replication functions and still be secure.

Table 10-5 Replicator Account Settings

| Option | Value |
| --- | --- |
| Password Never Expires | Select. |
| User Must Change Password At Next Logon | Do not select. |
| User Cannot Change Password | Do not select. |
| Account Disabled | Do not select. |
| Groups | Replicator. |
| Profile | Do not define a user profile. |
| Hours | Enable 24 hours a day, 7 days a week. |

Return to the Server Manager application and choose Computer » Services. Highlight the Directory Replicator Service and click the Startup button. The Service dialog box appears.


The Service dialog box allows the administrator to configure settings for the type of logon and account that logs on. The Replicator account just created should be the account that logs in to run the Directory Replicator service. By default, the LocalSystem account is used. The following is a list of options and their configurations:

  • Startup Type—Automatic

  • Log On As—Select the This Account radio button

  • This Account—Input the user account (Replicator) and password created for Directory Replicator

After typing in the name of the Replicator account and clicking OK, the following Server Manager dialog box will appear, notifying the administrator that the Replicator account has been granted membership to the local Replicator group and the Log On As A Service user right. For administrative purposes, we recommend taking the Log On As A Service user right away from the Replicator account and granting it to the Replicator local group.


Return to the Directory Replication dialog box of Server Manager and select the Export Directories radio button. It is also possible to have the export server set up as an import client, but for the purposes of this configuration, the machine will be solely an export server. Type the path of the directories to be replicated in the To Path field. By default, the directory is %systemroot%\system32\repl\export.

To configure the directory and subdirectories to be replicated, click the Manage button, which opens the Manage Exported Directories dialog box.


The directory being managed is displayed at the top, adjacent to Export Path. Table 10-6 describes the settings for managing directories.

Table 10-6 Manage Export Directories

| Column | Description |
| --- | --- |
| Sub-Directory | A list of the subdirectories that are exported from this computer—maximum amount is 32 |
| Locks | Displays the number of locks on the subdirectory; locks prevent exportation |
| Stabilize | Indicates whether the specified subdirectory must be idle, or stable, for two minutes before replication (see the note that follows this table) |
| Subtree | Indicates if the entire subtree will be exported or just the first-level subdirectory |
| Locked Since | Displays the date and time that the oldest lock was placed on the export path |

| Button | Description |
| --- | --- |
| Add | Adds subdirectories |
| Remove | Removes subdirectories |
| Add Lock | Adds a lock; multiple locks can be placed on subdirectories |
| Remove Lock | Removes a lock |

| Check Boxes | Description |
| --- | --- |
| Wait Until Stabilized | Enables stability |
| Entire Subtree | Enables entire subtree exportation |

Note: Although the default is two minutes, you can set the number of minutes an export directory must be stable before it will be replicated. To modify the default, set the following Registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Replicator\Parameters

Add a value named GuardTime (REG_DWORD) and set it to the number of minutes.

After management of the directory replication is complete, go back to the Directory Replication dialog box and click the left-most Add button. This action opens the Select Domain dialog box, where computers can be selected as import clients. All clients selected appear in the To List section.

The last field to be edited is the Logon Script Path field at the bottom of the Directory Replication dialog box. This field specifies the location of the local directory where logon scripts are stored.

Step Two: Import Computers

If the import computer exists in a different domain than that of the export server, a Replicator account will have to be created that exactly matches the account created in the export server's domain. Next, at the import computer, open Server Manager and choose Computer » Services. Similar to what was done on the Windows NT export server, it is necessary to adjust the Directory Replicator Service's startup options to the following values:

| Option | Value |
| --- | --- |
| Startup Type | Automatic |
| Log On As | Select the This Account radio button |
| This Account | Input the Replicator account and password created for the Directory Replicator Service |

The Replicator account will automatically be granted membership to the local Replicator group and given the Log On As A Service user right.

Open the Directory Replicator dialog box by choosing Computer » Properties and then clicking the Replicator button. On the right side of the dialog box are the Import Directories options. Select the Import Directories radio button. Type the path of the directories to be replicated in the To Path field. By default, the directory is %systemroot%\system32\repl\import. Click the Add button and select the computer name of the export server. Click the Manage button if you want to edit the settings for the Export Path. If so, the Manage Imported Directories dialog box will appear, which is almost identical to the Manage Exported Directories dialog box with the following exceptions: There are no Entire Subtree and Wait for Stability check boxes, nor is there a Stabilize column. However, the Status column and the Last Update column give information about the import subdirectory's status (that is, whether or not updates are being received).


Lastly, if needed, edit the Logon Script Path field at the bottom of the Directory Replication dialog box to specify the location of the local directory where logon scripts are stored.

Recommendations for Securing Directory Replication

Replication can cause a major security exposure if not administered properly. Administrators replicating directories and files onto a Windows NT machine in the network must be aware of the groups that have access to the directories and files on the importing client. It is very important for the administrator to assign a password to the Replicator account as a security control, because the account is a member of the Replicator group and has the Log On As A Service user right. If no password is assigned, the Replicator service can be a point of entry for unauthorized users.

Replication is better suited for read-only files because modifications to import data on the import client will be superseded by the newly replicated import data from the export server. Two examples of files well suited for replication are logon scripts and user policies.

Several features can further enhance the security and integrity of exported files and directories. On the export server, an administrator can lock directories from exportation, prevent subtree exportation within the export path, monitor the date and time that a lock was placed on a directory, and force directory replication after two minutes of directory stability.

On an import client, an administrator can determine the location of imported files, lock directories from importation, monitor the status and effect of updates, and monitor the date and time that an update was made to a file in the import directory.

Alerts

Alerts that warn about security and access errors, user session problems, server shutdown, and printer problems are generated by the system and can be sent to a list of specified users and computers. To view and manage the list of users and computers that are notified, from the main viewing area of Server Manager, either double-click on the computer name or choose Computer » Properties from the menu bar. The Properties dialog box appears. Then click on the Alerts button.


The Alerts dialog box appears. On the left is the New Computer or Username field, which allows an administrator to input the name of computers or users who should receive alerts. On the right is the Send Administrative Alerts To section, which lists all the current users and computers that are receiving alerts.

Both the Alerter and Messenger services need to be running on the originating machine for the alerts to be sent. Only the Messenger service needs to be running on the recipient machine.

Sending alerts to administrators is a good control to immediately notify them of potential security or system problems.

Services

Services are processes that run in the background of a Windows NT environment. Services may be started automatically at boot time or they may be manually started and stopped by the administrator or server operators. Services typically run under the System account, but they may also run under a user-defined account. There are two types of services: those that operate as part of the system kernel and those that operate under the Win32 subsystem. The services that run under Win32 that may have user interaction are of most concern.

There are two sets of services: those installed as part of the default Windows NT installation and those installed as part of add-on software or as options within the operating system or third-party packages.

Services are critical to system security and must be managed appropriately to ensure that they do not present any security risks. Click Start » Programs » Administrative Tools » Server Manager. When you are inside Server Manager, highlight a server and then click Computer » Services. This function is helpful when you want to remotely manage a server's services. You must be part of the Administrators group or the Server Operators group to manage services.


Services could present a security risk because many are installed by default and many are run under the local System account, which, by default, has full access to the entire system. In some cases, this may be inappropriate for certain services. In addition, running nonessential services may present another place for a hacker to attack.

At the Services dialog box, you can view all the services that are installed and running. Here you can stop or pause a service. Highlight the service you want to manage and then click Pause. This function will prevent users from accessing the specific service, but the service will still be accessible by the administrators and server operators. Clicking Stop will disconnect all users, and no one will be able to use the service until it is restarted. It is important to be very careful when stopping a service; other services may be dependent on it and stopping the service may have detrimental effects on the system. Be sure to test the effect of stopping a service on a test system before actually stopping a service in production.

Changing Startup Accounts for Services

As previously mentioned, some services start under the local System account. This account has full access to an entire operating system. The potential security risk is that if security vulnerabilities are discovered in the service, a hacker might try attacking that service with the intent of gaining access as the local System account. For this reason, nonessential or nontrusted services should be run under accounts with the least amount of privileges possible. First, you must create an account with the appropriate rights. Then you must enable the services to run under this new account.

The Scheduler (AT) is an example of a service that uses the local System account. It is a scheduling service provided by Windows NT to schedule the execution of commands and programs. Because this service runs with the security account of local System and not a predefined user account, a command or program that is executed with the AT command will have access to all operating system resources. The local System account is the Windows NT operating system itself. This security level is the highest in the system.

From the list of services in the Service dialog box, highlight the service you want to change and then click the Startup button. The following dialog box appears.


In the bottom half of the dialog box, you will see the Log On As option. Click the This Account radio button and specify the new user account name and password that you created for the service.

In the top half of the dialog box, you can choose whether to disable the service, have it start up automatically when Windows NT boots up, or have it start up manually. Disabling the service stops any user from accessing it. Automatically starting the service causes the service to run as soon as the server is turned on.

Recommendations

The following services are installed by default. Your server may include additional services depending on how you installed your server or additional hardware and software. Carefully evaluate the following services and keep only the ones you need. Then evaluate and change the Startup account for the services that you want to keep. Table 10-7 can be used as a guideline in helping you determine which services should be installed based on your Windows NT environment.

  • Alerter—Used by the server and other services. This service broadcasts the logged on user name in the NetBIOS name table, which can be considered a security breach. As well, the Alerter service notifies users and computers of the administrative alerts that occur on selected computers.

  • Clipbook Viewer—Supports the Clipbook viewer application, allowing pages to be seen by remote Clipbooks.

  • Computer Browser—Maintains an up-to-date list of computers and provides the list to applications when requested. Provides the computer list displayed in the Select Computer and Select Domain dialog boxes and in the main Server Manager window.

  • Directory Replicator—Replicates directories and the files in the directories between computers.

  • Event Log—Records system, security, and application events to be viewed in Event Viewer.

  • FTP Publishing Service—In Windows NT 4.0, FTP is part of the Internet Information Server (IIS).

  • Messenger—Sends and receives messages sent by administrators or by the Alerter service. This service stops when the Workstation service stops.

  • Net Logon—Performs authentication of accounts on primary and backup domain controllers; it also keeps the domain directory database synchronized between the primary domain controller and the backup domain controllers. For other computers running Windows NT, supports pass-through authentication of account logons. This service is used when the workstation participates in a domain.

  • Network DDE—Provides a network transport as well as security for DDE (Dynamic Data Exchange) conversations.

  • Network DDE DSDM—Dynamic Data Exchange Share Database Manager manages the shared DDE conversations. This service is used by the Network DDE service.

  • NT LM Security Support Provider—Provides Windows NT security to RPC (Remote Procedure Call) applications that use transports other than named pipes.

  • Remote Procedure Call (RPC) Locator—Allows distributed applications to use the Microsoft RPC service and manages the RPC Name Service database. The server side of distributed applications registers its availability with this service. The client side of distributed applications queries this service to find available server applications.

  • Remote Procedure Call (RPC) Service—This is the RPC subsystem for Windows NT. It includes the endpoint mapper and other related services.

  • Schedule—Must be running if the AT command is to be used. The AT command can be used to schedule commands and programs to run on a particular date and time.

  • Server—Provides RPC support, and file, print, and named pipe sharing by using SMB services.

  • Spooler—Provides print spooler services.

  • UPS—Manages an uninterruptible power supply connected to the computer.

  • Workstation—Provides network connections and communications.

Table 10-7 Windows NT Services Recommendations

| Feature | Domain Controller | File and Print Server | Database Server | Web Server | RAS Server | Workstation |
| --- | --- | --- | --- | --- | --- | --- |
| Alerter | None—Requires Messenger Service. | | | | | |
| Clipbook Viewer | Not required. | | | | | |
| Computer Browser | No change. | Disable. | No change. | Disable. | No change. | Disable. |
| Directory Replicator | Start automatically on PDC—Can be configured to start with another account | Start automatically on PDC—Can be configured to start with another account | Start automatically on PDC—Can be configured to start with another account | Start manually when required—Can be configured to start with another account | Do not start. | Do not start. |
| Event Log | No change. | No change. | No change. | No change. | No change. | No change. |
| FTP Publishing Service | Do not use. | Do not use. | Do not use. | No change | Do not use. | Do not use. |
| Messenger | No change. | No change. | No change. | No change. | No change. | No change. |
| Net Logon | None—This service is required in most cases. | None—This service is required in most cases. | None—This service is required in most cases. | None—This service is required in most cases. | None—This service is required in most cases. | None—This service is required in most cases. |
| Network DDE | Not required. | Not required. | Not required. | Not required. | Not required. | Not required. |
| Network DDE DSDM | Not required. | Not required. | Not required. | Not required. | Not required. | Not required. |
| NT LM Security Support Provider | None—This service is required in most cases. | None—This service is required in most cases. | None—This service is required in most cases. | None—This service is required in most cases. | None—This service is required in most cases. | None—This service is required in most cases. |
| Remote Procedure Call (RPC) Locator | None—Can be configured to start with another account. | | | | | |
| Remote Procedure Call (RPC) Service | None—Pausing or stopping this service on network-connected servers will result in unpredictable results and lockups. Can be configured to start with another account. | | | | | |
| Schedule | Create and use Scheduler account if needed. | Create and use Scheduler account if needed. | Create and use Scheduler account if needed. | Create and use Scheduler account if needed. | Do not use. | Do not use. |
| Server | No change. | No change. | Disable if not required for database use. | Disable. | No change | Disable if sharing is not required. |
| Spooler | None—Can be configured to start with another account. | None—Can be configured to start with another account. | Not needed. | Not needed. | Not needed. | |
| UPS | Not required—Can be configured to start with another account. | Not required—Can be configured to start with another account. | Not required—Can be configured to start with another account. | Not required—Can be configured to start with another account. | Not required—Can be configured to start with another account. | Not required—Can be configured to start with another account. |
| Workstation | No change. | No change. | No change. | Disable. | No change. | No change. |
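
The following added example (not part of the original chapter or any Microsoft tool) audits service start types and logon accounts from a REGEDIT4-style export of the Services key against the Web Server column of Table 10-7, and also flags interactive Win32 services that run as LocalSystem. The export text is constructed, and the mapping from the table's display names to registry key names (Browser, LanmanServer, LanmanWorkstation, Replicator, Schedule) is an assumption.

```python
import re

# Constructed sample: REGEDIT4-style export of a few service keys (not from a real host).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"Type"=dword:00000010
"Start"=dword:00000002
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Replicator]
"Type"=dword:00000010
"Start"=dword:00000003
"ObjectName"="EXAMPLEDOM\\svc-repl01"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Replicator\Parameters]
"GuardTime"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]
"Type"=dword:00000020
"Start"=dword:00000002
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer]
"Type"=dword:00000020
"Start"=dword:00000004
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000110
"Start"=dword:00000002
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk]
"Type"=dword:00000001
"Start"=dword:00000000
'''

# Start values: 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled.
WIN32_SERVICE = 0x10 | 0x20   # own-process or shared-process Win32 service
INTERACTIVE = 0x100           # service may interact with the desktop

# Assumption: Table 10-7 "Web Server" column mapped onto registry key names.
WEB_SERVER_POLICY = {
    "Browser": "disabled",            # Computer Browser: Disable
    "LanmanServer": "disabled",       # Server: Disable
    "LanmanWorkstation": "disabled",  # Workstation: Disable
    "Replicator": "manual",           # Start manually when required
    "Schedule": "own-account",        # Create and use Scheduler account if needed
}

SECTION = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$',
    re.IGNORECASE)
VALUE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_services(export_text):
    """Return {service_key: {value_name: int_or_str}} for top-level service keys."""
    services, current = {}, None
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = SECTION.match(line)
            # Subkeys such as Replicator\Parameters do not match and are skipped.
            current = services.setdefault(m.group(1), {}) if m else None
        elif current is not None:
            m = VALUE.match(line)
            if m:
                dword, text = m.group(2), m.group(3)
                current[m.group(1)] = (int(dword, 16) if dword
                                       else text.replace("\\\\", "\\"))
    return services


def audit(services, policy):
    """Return (service, issue) pairs for services that deviate from the policy."""
    findings = []
    for name in sorted(services):
        cfg = services[name]
        start = cfg.get("Start")
        if not cfg.get("Type", 0) & WIN32_SERVICE or start == 4:
            continue  # drivers and already-disabled services are out of scope
        as_system = cfg.get("ObjectName", "LocalSystem").lower() == "localsystem"
        rule = policy.get(name)
        if rule == "disabled":
            findings.append((name, "should-be-disabled"))
        elif rule == "manual" and start == 2:
            findings.append((name, "should-start-manually"))
        elif rule == "own-account" and as_system:
            findings.append((name, "runs-as-localsystem"))
        elif rule is None and as_system and cfg["Type"] & INTERACTIVE:
            findings.append((name, "interactive-localsystem"))
    return findings


if __name__ == "__main__":
    for service, issue in audit(parse_services(SAMPLE_EXPORT), WEB_SERVER_POLICY):
        print(f"{service}: {issue}")
```
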

Promote to Primary Domain Controller (PDC)

If the primary domain controller (PDC) fails, needs to be taken offline temporarily, or is being replaced, it is possible to promote a BDC (backup domain controller) to a PDC. This promotion is only required if the original PDC is expected to be down for an extended period because it will not automatically be demoted. To promote a BDC, within Server Manager, highlight a BDC and choose Computer » Promote to Primary Domain Controller. If the original PDC is brought back online, it will have to be deliberately demoted to a Backup, where it will remain the Backup until this command is used to promote it back to its original status.

When demoting a PDC to a Backup, it is good to edit the descriptions of the computers so that an administrator does not forget which was the original.

Considerations and Recommendations for Using Server Manager

Server Manager is a tool used in controlling a network. Server Manager, itself, does not need to be secured because in order to perform actions in Server Manager, you need certain privileges and without them you cannot do anything. However, Server Manager contains some features that are good security controls.

Make sure that all computer accounts for machines no longer connected to the domain are removed. The way to browse all machines that have accounts is to use Server Manager and view all computers. Reconcile the computer names that appear here with ones that may be connected to the domain.

Administrators should take advantage of the User Sessions, Shared Resources, and Open Resources dialog boxes. These three screens can display the current connections and allow an administrator to disconnect any users that are suspected of being unauthorized. For example, an administrator might use the Shared Resources dialog box to find out if someone has connected to the hidden C$ administrative share. If that share is in use, and the administrator is the sole authorized user of it, the administrator would know to terminate that session and find out who was using it. If an administrator were to disconnect users to increase performance, they should warn those authorized users before disconnecting them. Otherwise, data loss and corruption may occur. Regardless of the reason for terminating a connection, administrators should be aware that a user simply has to reconnect in order to gain access again, unless the administrator takes further actions, such as pausing or stopping a share. Disconnection does not remove authorization.

Detailed steps for securing directory replication, described earlier in this section, are summarized here as well. To use the Directory Replication service, you must create a separate replicator account in the domain. By taking the proper steps to secure this account, you are ensuring that the account cannot be used to compromise the domain. In addition, proper permissions must be set on the replication directories so that only the appropriate users have access to those directories. The export directory, which usually contains scripts and executables that are run on client machines, should be writable by an administrator only; this precaution prevents users from putting malicious executable code in the directory.

To ensure that they are promptly notified of system errors and, more importantly, security breaches, administrators should use alerts. Administrators can send alerts to their workstations so that they are alerted even when they are sitting in their office, away from the actual PDC.

The above article is courtesy of Microsoft Press. Copyright 1999, Microsoft Corporation.
