Windows Tip Sheet
Curse You, Security!
Security comes, at times, at the expense of manageability.
Every step forward we take in terms of security seems like a big step backwards
for manageability. The WinXP SP2 Windows Firewall, for example, creates enough
management issues on corporate networks that they often just disable the thing
in its "domain profile," making computers wide open when they're on
the company intranet.
But sometimes the issues are more subtle. Try running netdom
query /domain:domain_name OU against a remote Win2003 box running SP1.
Now try the same command on a Win2003 domain controller (DC): it fails,
and you're told, "The requested API is not supported on the
remote server." Whaaat?
Yeah. Turns out SP1 has a keen new attack surface reduction feature which prevents
the built-in NetGetJoinableOUs function from running on DCs. Microsoft suggests
running the command on a member server, instead of on a DC, and confirms that
this is, in fact, a problem, not a deliberate design decision. We'll likely
see a future Service Pack that fixes the issue.
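As an added example (not code from the article or from Microsoft), here is a small PowerShell wrapper around the netdom query described above. It runs the command, recognizes the "requested API is not supported" failure, checks whether the local machine is itself a DC, and reports the documented workaround of running the query from a member server. It assumes netdom.exe from the Support Tools is on the PATH, uses a placeholder domain name, and assumes netdom prints one OU distinguished name per line (that output filter is an assumption, not something the article states).

```powershell
# Added example, not from the article: wrapper around "netdom query /domain:<name> OU".
# Assumptions: netdom.exe is on the PATH; $Domain is a placeholder; netdom lists
# joinable OUs one distinguished name per line.
param(
    [string]$Domain = "example.local"   # placeholder domain name
)

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller.
function Test-IsDomainController {
    $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    return ($role -eq 4 -or $role -eq 5)
}

# Runs the command from the article and classifies the result.
function Get-JoinableOUs {
    param([string]$DomainName)

    # Capture stdout and stderr together so the error text can be matched.
    $output = & netdom query "/domain:$DomainName" OU 2>&1 | Out-String

    if ($LASTEXITCODE -ne 0 -and $output -match 'requested API is not supported') {
        # This is the SP1 attack-surface-reduction behaviour: NetGetJoinableOUs
        # is blocked on Windows Server 2003 SP1 domain controllers.
        $where = if (Test-IsDomainController) { 'this machine is a domain controller' } else { 'the server answering the query is a domain controller' }
        Write-Warning ("netdom query OU failed because NetGetJoinableOUs is blocked on " +
                       "Windows Server 2003 SP1 DCs ($where). Run the same command " +
                       "from a member server instead.")
        return $null
    }

    if ($LASTEXITCODE -ne 0) {
        # Any other failure (bad domain name, no Support Tools, etc.) is reported as-is.
        Write-Warning "netdom failed with exit code $LASTEXITCODE`: $output"
        return $null
    }

    # Assumed output format: one OU distinguished name per line; keep only those lines.
    return ($output -split "`r?`n" | Where-Object { $_ -match '^\s*OU=' })
}

Get-JoinableOUs -DomainName $Domain
```

Run it from a member server to get the OU list; run it on an SP1 DC and the warning explains why the query fails there instead of leaving you with the bare API error.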
As we yell at Microsoft to hurry up with the security stuff, don't be
too harsh if they take their time about it: Locking things down can sometimes
result in a worse situation from a management perspective, so let's give
the boys in Redmond time to get it right.
About the Author
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.