Sharing System (C:) drive - a bad thing?

[murraysholinder]

Hi,

I have a client with a Windows 2000 Server, Active Directory installed
and everything is (or was) good with the server. C: drive is the System
drive, D: is the Active Directory drive, E: is the CD-ROM, and F: is
the data drive (RAID 1).

My problem is with the application vendor insisting on two things:

- installing their application software (a product based on the old
Borland Paradox database) on the server. There are five workstations
and no one ever sits at the server so I cannot see any reason why this
would be a good thing.

- part 2 is much worse. After giving the application vendor access to
install the software ("had to be admin level"), the tech installed the
software on C: drive on the server, stored the client data files in a
subdirectory of C: (i.e. c:\data), shared C: drive (left C$ share alone
and created a new "C" share), granted group "Everyone" "Full Control"
to the share, went to the workstations and mapped "remembered" drives
to the new share (no script or Active Directory mapping) and then
installed the software on each workstation.

To say I was choked is an understatement. It is now my chore to
clean-up this mess as the workstations have the mapped drive peppered
in the registry w.r.t. the application and data drive. However, before
I do clean things up, I must "enlighten" the application vendor's
"tech" to how a real server is securely configured.

So that is my question to the group. Are there any TechNet articles,
MCSE documents, etc. that describe what this "tech" did as really
stupid? I need to gather as much ammo as possible to show my client and
the tech's boss that what he did was really, really idiotic.

Um, and the tech's only comment when I asked if he knew this was not a
good idea, his response was "if it was a bad idea, the OS wouldn't have
let me do it!". And I told him I gotta find a bridge or a cliff; if he
can jump off, it must not be a bad idea.

And before anyone questions my sanity, I did not have much choice in
the application software or the vendor or in preventing the dweeb from
having the admin password. However, I do have the choice of walking
away from the client, which is a very real possibility.

Thanks in advance,
Murray

 

[Richard G. Harper]

I don't know how much documentation you'll find to back up your "sharing the
root of a DC is a bad idea" issue - not that you're wrong, you are right
100% on that one - mainly because it's just about such a common-sense issue
that probably no one figured it needed documentation. Try a Google search
and limit the results to the microsoft.com domain to see if it is indeed
documented.

Some of the rest does make some sense - many programs have an option or the
ability to store some files on the server for shared access or to make it
easier to update if necessary. If the database is shared, it must be on the
server.

Or I guess I should say "a server" - installing application software on your
domain controller is a bad idea and I'm pretty sure that Microsoft has
documented that somewhere.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

 

[Kurt]

This is typical of "deployment teams" for vendors of poorly written software
who are coached to know only one way to do anything. They install the
software to the default location without regard for how the local consultant
took pains to protect the system partition (or how small it is). They share
the whole drive because it's easy. They make everyone domain administrators
or insist that everyone log on as "administrator" (rename the administrator
account - that'll really throw them for a loop!). Their software writes to
registry hives (HKLocalMachine) that require admin priveleges instead of
user-writable hives (HKCurrentUser). They usually tell you that they won't
support the software if you don't reduce your domain security to
near-nothing. Problem is your client just spent $40,000 on the product and
isn't about to have some local arguing with the deployment "specialists". So
prepare a document outlining your concerns. Have your client sign it (cover
your Butt). Then grin and bite your tongue while you share the system
partition and make everyone an administrator.

...kurt