Posted to users@tomcat.apache.org by Leo Donahue - PLANDEVX <Le...@mail.maricopa.gov> on 2011/07/19 00:07:11 UTC

Running Tomcat on a webserver that is on a workgroup

I've been informed that our web server is going to be disjoined from the domain and placed on a workgroup.  Is this a trend?

I don't understand how Tomcat will be able to access resources from our domain, and vice versa, unless I'm running Tomcat as a local account, and that same local account is created on the other servers on the domain.

It seems like I'm exploiting one security issue for another.

Leo Donahue


Re: Running Tomcat on a webserver that is on a workgroup

Posted by André Warnier <aw...@ice-sa.com>.
Leo Donahue - PLANDEVX wrote:
> André,
> 
>> -----Original Message-----
>> From: André Warnier [mailto:aw@ice-sa.com]
>> Subject: Re: Running Tomcat on a webserver that is on a workgroup
>>
>> There is probably more to it than that.  
> All they are going to do is join it to a workgroup.
> 
>>> I don't understand how Tomcat will be able to access resources from
>>> our domain, and vice versa, unless I'm running Tomcat as a local
>>> account, and that same local account is created on the other servers on the domain.
>>>
>> It all depends what you mean by "resources".  It will still be able to access other hosts
>> via TCP (through the firewall, if the firewall allows it). But it will no longer be able
>> to access "shares" or windows network printers e.g.
>>
>> What kind of network resources does your webserver need ?
> 
> Windows shares. Otherwise the size of the vm that is my current web server needs to grow in order to support access to certain files, mostly images (over 500 GB), or I add the local account from the workgroup to the domain server containing the file share.
> 

That, as far as I know, is not possible. Or let's say that it is at least self-defeating 
(or self-contradictory): if you add that account to the DC, then it becomes a domain 
account, no?
(And then of course the rightful question to ask would be what that changes, as compared 
to the current situation).

...

> 
>> What is the security issue that this change is supposed to cure ?
> 
> Other than making administration more difficult, I was hoping someone could tell me.  Tomcat runs with a least privilege account anyway.  Is this a "feel good" thing?
> 
On the basis of the provided information, it can only give soothing feelings to someone who 
does not really know what they are doing.  Or someone who got some instructions from 
others who do not know what they are talking about (or don't care).  I'm thinking of some 
global diktat like "no server that can be accessed from outside should be part of the 
domain, period".

Of course, you can always
- create a local account on the other fileserver which contains the files which you need 
to access
- give that local account permissions to access those files
- and then from your local Tomcat host, "net mount" that directory, providing the username 
and password of the local account on the fileserver.
(And of course vice-versa if other systems need to access resources on the Tomcat host).

But, other than the fact that this is not easy to do if your Tomcat runs as a service, it 
does indeed create a very confusing situation in terms of management, and more security 
holes to boot. (Like the fact that the password would need to be in clear somewhere).

Perhaps you should just wrap up these various considerations and questions and send a memo 
to the responsible people asking if that is really what they want ?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
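The three steps André lists (local account on the file server, permissions on the files, mounting from the Tomcat host with that account's credentials) and his two caveats (Tomcat running as a service, and the password having to live somewhere) look like this when written out. This is an added example, not code from the thread or from the Tomcat project; the server name FILESRV01, the share name Images, the path D:\Images and the account name svc_tomcat_share are placeholders, and it assumes Windows Server 2016 or later with the LocalAccounts and SmbShare PowerShell modules.

```powershell
# Added illustration of the workgroup-to-fileserver setup discussed in the thread.
# All names below (FILESRV01, Images, D:\Images, svc_tomcat_share) are hypothetical.

# ---------- Step 1 and 2: on the file server, as a local administrator ----------
$acctName  = 'svc_tomcat_share'
$sharePath = 'D:\Images'
$password  = Read-Host -AsSecureString "Password for $acctName"

# A purely local (non-domain) account. It never logs on interactively; it only
# authenticates SMB sessions from the workgroup web host.
New-LocalUser -Name $acctName -Password $password `
    -PasswordNeverExpires -AccountNeverExpires -UserMayNotChangePassword `
    -Description 'SMB access for the workgroup web host (images share)'

# Share permission: read-only, granted to that one account and nobody else
# (no "Everyone" entry, which New-SmbShare would otherwise add by default).
New-SmbShare -Name 'Images' -Path $sharePath -ReadAccess "$env:COMPUTERNAME\$acctName"

# NTFS permission: ReadAndExecute, inherited by files and subfolders. The
# effective right is the intersection of share and NTFS ACLs, so both are read-only.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$env:COMPUTERNAME\$acctName", 'ReadAndExecute',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# ---------- Step 3: on the workgroup web host ----------
# A mapped drive letter belongs to one logon session and is invisible to a
# Windows service, which is the "not easy if Tomcat runs as a service" problem.
# Instead, store the credential in Credential Manager *for the account the Tomcat
# service runs as* (so run this block as that account, e.g. via a scheduled task
# or a runas shell) and let Tomcat open the UNC path directly.
cmdkey /add:FILESRV01 /user:FILESRV01\svc_tomcat_share /pass

# Verify from that same account that the UNC path is readable and nothing more.
Get-ChildItem -Path '\\FILESRV01\Images' | Select-Object -First 5
```

Credential Manager encrypts the stored password with DPAPI under the service account's profile, so it is not sitting in a plain-text script, but any code running as that account (including a compromised web application) can use it transparently; that is the concrete form of the "password in clear somewhere" concern, and it is why the account gets read-only rights to exactly one share and nothing else. The `cmdkey /pass` form without a value prompts for the password rather than leaving it in shell history.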


RE: Running Tomcat on a webserver that is on a workgroup

Posted by Leo Donahue - PLANDEVX <Le...@mail.maricopa.gov>.
André,

>-----Original Message-----
>From: André Warnier [mailto:aw@ice-sa.com]
>Subject: Re: Running Tomcat on a webserver that is on a workgroup
>
> There is probably more to it than that.  
All they are going to do is join it to a workgroup.

>> I don't understand how Tomcat will be able to access resources from
>> our domain, and vice versa, unless I'm running Tomcat as a local
>> account, and that same local account is created on the other servers on the domain.
>>
>It all depends what you mean by "resources".  It will still be able to access other hosts
>via TCP (through the firewall, if the firewall allows it). But it will no longer be able
>to access "shares" or windows network printers e.g.
>
>What kind of network resources does your webserver need ?

Windows shares. Otherwise the size of the vm that is my current web server needs to grow in order to support access to certain files, mostly images (over 500 GB), or I add the local account from the workgroup to the domain server containing the file share.

>> It seems like I'm exploiting one security issue for another.
>(trading).

Yes, trading is a better word.

>What is the security issue that this change is supposed to cure ?

Other than making administration more difficult, I was hoping someone could tell me.  Tomcat runs with a least privilege account anyway.  Is this a "feel good" thing?



Re: Running Tomcat on a webserver that is on a workgroup

Posted by André Warnier <aw...@ice-sa.com>.
Leo Donahue - PLANDEVX wrote:
> I've been informed that our web server is going to be disjoined from the domain and placed on a workgroup.  Is this a trend?
> 
There is probably more to it than that.  Perhaps your webserver is being moved to some 
"demilitarised zone" (DMZ) behind some kind of firewall, and since that firewall will 
probably block SMB/CIFS/NetBios kinds of communications, effectively indeed it will no 
longer be able to participate in a Domain.

> I don't understand how Tomcat will be able to access resources from our domain, and vice versa, unless I'm running Tomcat as a local account, and that same local account is created on the other servers on the domain.
> 
It all depends what you mean by "resources".  It will still be able to access other hosts 
via TCP (through the firewall, if the firewall allows it). But it will no longer be able 
to access "shares" or windows network printers e.g.

What kind of network resources does your webserver need ?

> It seems like I'm exploiting one security issue for another.
> 
(trading).
What is the security issue that this change is supposed to cure ?

