On Sat, 13 Oct 2007 17:23:37 -0400, Warp wrote:
> Jim Henderson <nos### [at] nospamcom> wrote:
>> Sure, so what you do is lock it in a room where only authorized users
>> can access it,
>
> Optimally only the person who knows the root password has direct access
> to the computer.
This is certainly true for servers. Unfortunately, we also have these
things called "users" who use computers. ;-)
> In which case it doesn't really matter if the root password can be
> reset locally or not.
Yes.
BTW, this was considered very standard practice for NetWare (still is,
for that matter) - physical console access = access to everything. It
amazed me that some systems admins never understood that concept - and
put their servers in, say, the middle of their office space.
Similarly with Windows, in a retail environment I used to work in a few
years ago, the servers were put in the store manager's office. Guess
where many store managers put shoplifters they catch while waiting for
the police, frequently unsupervised....
Now make each of those servers a domain controller. Yep, we had to plan
our designs around the idea that someone could walk off with the hard
drives from the system, compromising a domain of 500-1500 DCs.
"Not pretty" doesn't even begin to describe the amount of traffic
generated by a global password change with that many DCs. With the WAN
in place, I estimated 4 months' worth of traffic at 100% network
utilization.
Jim