Reply to post: Bad architecture...

Customers furious over days-long outage as A2 Hosting scores a D- in Windows uptime

Joe Montana

Bad architecture...

Typically, for convenience, a company will have all their Windows boxes in a domain, and then staff will be logging in as domain admin (or using service accounts with domain admin privs etc.) and those creds can be extracted from a single compromised system and used to access all the others. Malware can also automate this process and will harvest creds and spray them against other hosts.

It's possible to manage Windows differently, but also a lot more hassle to do so, so very few places do.

Also your domain controller needs SMB open from the domain members, and if you have the right creds you can log in over SMB and take control of the machine - so you can spread from one host to the DC, and then from the DC to other hosts. That's assuming that the individual devices don't allow direct SMB connections between each other (which often they do anyway).

Unix is much easier to manage (and more commonly configured so) using ssh keys, so if a single box gets compromised all you get is the public keys - which are useless.
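An added example, not part of the original comment: a defender's check, run over constructed Windows logon records, for the two patterns described above (domain admin logons on ordinary member hosts, and one account fanning out from a single source to many hosts over the network). The admin group, the list of domain controllers, the host names and the threshold are all assumptions.

```python
from collections import defaultdict

# Constructed sample data: simplified Windows Security log records (event 4624 =
# successful logon). Hosts, accounts and addresses are invented for this example.
EVENTS = [
    {"id": 4624, "host": "DC01",   "user": "da-alice",   "src": "10.0.0.50", "type": 2},
    {"id": 4624, "host": "WEB01",  "user": "da-alice",   "src": "10.0.0.50", "type": 10},
    {"id": 4624, "host": "FILE01", "user": "da-alice",   "src": "10.0.0.11", "type": 3},
    {"id": 4624, "host": "SQL01",  "user": "da-alice",   "src": "10.0.0.11", "type": 3},
    {"id": 4624, "host": "DC01",   "user": "da-alice",   "src": "10.0.0.11", "type": 3},
    {"id": 4624, "host": "FILE01", "user": "svc-backup", "src": "10.0.0.30", "type": 3},
    {"id": 4624, "host": "SQL01",  "user": "svc-backup", "src": "10.0.0.30", "type": 3},
    {"id": 4625, "host": "SQL01",  "user": "bob",        "src": "10.0.0.77", "type": 3},
]

DOMAIN_ADMINS = {"da-alice"}       # assumption: members of the Domain Admins group
DOMAIN_CONTROLLERS = {"DC01"}      # assumption: the only hosts admins should log on to
FANOUT_THRESHOLD = 3               # assumption: distinct targets before alerting

INTERACTIVE = {2, 10}              # LogonType 2 = interactive, 10 = RemoteInteractive (RDP)
NETWORK = 3                        # LogonType 3 = network logon, e.g. over SMB


def analyse(events):
    """Return (exposures, fanouts) found in successful logon events."""
    exposures = set()              # (user, host): admin logged on to a member host
    reached = defaultdict(set)     # (user, src) -> hosts reached by network logon
    for e in events:
        if e["id"] != 4624:
            continue               # ignore failed logons and unrelated events
        if (e["user"] in DOMAIN_ADMINS and e["type"] in INTERACTIVE
                and e["host"] not in DOMAIN_CONTROLLERS):
            exposures.add((e["user"], e["host"]))
        if e["type"] == NETWORK:
            reached[(e["user"], e["src"])].add(e["host"])
    fanouts = {key: sorted(hosts) for key, hosts in reached.items()
               if len(hosts) >= FANOUT_THRESHOLD}
    return exposures, fanouts


if __name__ == "__main__":
    exposures, fanouts = analyse(EVENTS)
    for user, host in sorted(exposures):
        print(f"domain admin {user} logged on to member host {host}")
    for (user, src), hosts in sorted(fanouts.items()):
        print(f"{user} from {src} reached {len(hosts)} hosts over the network: {hosts}")
```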
