Administrators can specify groups or individuals that are allowed to manage the cluster. In current versions of Server cluster there is no fine granularity of control: either a user has rights to administer the cluster or the user does not. To grant a user or group rights to administer the cluster, the user or group must be added to the
6. The cluster administrator must ensure that applications that call the cluster APIs (ClusAPI) are run from trusted computers. Any compromise of the computers on which those applications run (the computers the cluster administrator works from) can compromise the cluster. For example, if there are untrusted users with elevated privileges on the workstation from which the administration tools are run, untrusted or
7. Access to the set of objects created and maintained by the cluster service must not be compromised by adjusting the default settings placed on these objects to a less restrictive setting. The cluster service utilizes a set of objects in the operating system such as files, devices, registry keys, etc. These objects have a default security setting that ensures non-privileged users cannot impact the cluster configuration or the applications running on the cluster. Changing these security settings to less restrictive settings can lead to the cluster being compromised and the application data being corrupted.
same, well defined and authorized account on all nodes in the cluster.
By default, the local Administrators group is added to the cluster service security descriptor.
Adding a user or group to the cluster security descriptor means that the user can manage all aspects of the
The cluster service runs the code associated with a resource under the cluster service domain user account (this should not be confused with the account used to administer the cluster). Since a cluster administrator can add new resources to a cluster and since those resources run as the cluster service account, a cluster administrator can install code that runs with local administrator rights on the machine.
Administration tools or other applications that call the Server cluster APIs (ClusAPI) can be run from remote workstations. The general assumption is that the cluster administrator must ensure that the applications are run from trusted computers. Any compromise of the computers on which those applications run (the computers the cluster administrator works from) can compromise the cluster.
When a cluster is created or the configuration is changed (such as adding a new cluster node), the Cluster Configuration Wizard creates a log file on the machine on which the wizard is run so that, in the event of failures, the administrator can use the log for debugging and troubleshooting. This log file can contain cluster configuration data such as cluster IP addresses, network names, etc. This data could be used to extend the attack surface if it is read by unauthorized users.
The cluster service account is the account under which the cluster service is started. The credentials for this account are stored in the service control manager (SCM) which is the Windows component that is responsible for starting the cluster service when the cluster nodes are booted.
that also has local administrative rights to each node in the cluster. The domain account must exist before the cluster is created and the Cluster Configuration Wizard will prompt you for an existing account to be used. If the account is not already a member of the local Administrators group, the Cluster Configuration Wizard will
• Taking resources offline and bringing resources online
• Shutting down the cluster service on nodes
• Adding and removing nodes from the cluster
• Adding and removing resources from the cluster
automatically add it to the local Administrators group when the cluster is created. Likewise, when nodes are added to the cluster, the cluster service account will be added to the local Administrators group. If a node is evicted from a cluster or the last node is removed, the cluster service account is not removed from the local Administrators group.
The nodes in a Server cluster use authenticated communication mechanisms to ensure that only valid members of the cluster can participate in the intra-cluster protocols. It is essential that each node in the cluster has the same cluster service account in order to provide authentication consistency. It is also a requirement of the cluster service account password utility introduced in Microsoft Windows Server 2003.
The cluster service account is just like any other domain account: it has a password that can have password expiration policies associated with it. If the password has expiration policies assigned to it, then the cluster account password must be changed before it expires. Failure to do so will cause the cluster to stop functioning when the password expires, since the intra-cluster communication can no longer be successfully authenticated.
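To schedule the password change before the cluster stops authenticating, an administrator needs the expiry date in a form that can be alerted on. The following is an added example, not part of the original document or any Microsoft tool: it takes the account's pwdLastSet and the domain's maxPwdAge in the form Active Directory stores them (both are counts of 100-nanosecond intervals, pwdLastSet since 1601-01-01 UTC and maxPwdAge as a negative interval, with -2^63 meaning no expiration) and computes the expiry and the days remaining. The sample values are constructed; on a real domain they would be read from the account and domain objects.

```python
"""Estimate when the cluster service account password expires.

Added example (not from the page or Microsoft). Inputs use Active
Directory's own encoding: pwdLastSet is a count of 100 ns intervals
since 1601-01-01 UTC (a FILETIME); maxPwdAge is a negative count in
the same units; the value -2**63 means passwords never expire.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = -(2 ** 63)          # AD sentinel for "no maximum age"

# Constructed sample values (not from a real domain):
SAMPLE_PWD_LAST_SET = 133485408000000000   # 2024-01-01T00:00:00Z
SAMPLE_MAX_PWD_AGE = -36288000000000       # 42 days, stored negative


def filetime_to_datetime(filetime):
    """Convert a FILETIME-style count of 100 ns intervals to an aware UTC datetime."""
    # Integer microseconds avoid floating-point drift on large values.
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def password_expiry(pwd_last_set, max_pwd_age):
    """Return the expiry datetime, or None if the policy never expires passwords.

    pwd_last_set == 0 means the password must be changed at next logon,
    which for a service account is effectively "already expired".
    """
    if max_pwd_age == NEVER_EXPIRES:
        return None
    if pwd_last_set == 0:
        return FILETIME_EPOCH
    max_age = timedelta(microseconds=(-max_pwd_age) // 10)
    return filetime_to_datetime(pwd_last_set) + max_age


def days_remaining(pwd_last_set, max_pwd_age, now=None):
    """Whole days until expiry (negative once expired), or None if it never expires."""
    expiry = password_expiry(pwd_last_set, max_pwd_age)
    if expiry is None:
        return None
    if now is None:
        now = datetime.now(timezone.utc)
    return (expiry - now).days


if __name__ == "__main__":
    expiry = password_expiry(SAMPLE_PWD_LAST_SET, SAMPLE_MAX_PWD_AGE)
    print("cluster service account password expires:", expiry.isoformat())
    print("days remaining:", days_remaining(SAMPLE_PWD_LAST_SET, SAMPLE_MAX_PWD_AGE))
```

The arithmetic is done in integer microseconds rather than floating-point seconds so that the large FILETIME values do not lose precision; a monitoring job would alert when `days_remaining` drops below whatever lead time the change procedure needs.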
• Act as part of the operating system (required for Windows 2000 and beyond).
• Back up files and directories.
• Increase scheduling priority.
• Load and unload device drivers.
• Lock pages in memory.
• Log on as a service.
• Restore files and directories.
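Because these rights are powerful (in particular "Act as part of the operating system"), an administrator will want to verify that the cluster service account holds exactly this set and that no unexpected account shares them. The following is an added example, not code from the original document or from Microsoft: it parses the `[Privilege Rights]` section in the format that `secedit /export /cfg <file>` writes and compares one account's rights against the seven listed above, using the Windows constant names for those rights. The sample export, the domain name CONTOSO and the account name ClusterSvc are constructed placeholders; it assumes the service account appears by name in the export (secedit may also write accounts as `*S-1-...` SIDs, which would need resolving first).

```python
"""Audit the user rights held by a cluster service account.

Added example (not from the page or Microsoft). Reads the
[Privilege Rights] section of a security template as written by
`secedit /export /cfg <file>` and compares the rights held by a given
account against the seven rights the document lists.
"""

# Windows constant names for the rights listed on the page.
EXPECTED_RIGHTS = {
    "SeTcbPrivilege",                   # Act as part of the operating system
    "SeBackupPrivilege",                # Back up files and directories
    "SeIncreaseBasePriorityPrivilege",  # Increase scheduling priority
    "SeLoadDriverPrivilege",            # Load and unload device drivers
    "SeLockMemoryPrivilege",            # Lock pages in memory
    "SeServiceLogonRight",              # Log on as a service
    "SeRestorePrivilege",               # Restore files and directories
}

# Constructed sample export. CONTOSO\ClusterSvc and CONTOSO\SqlSvc are
# placeholders; *S-1-5-32-544 / *S-1-5-32-551 are the well-known SIDs of
# the local Administrators and Backup Operators groups as secedit writes them.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege = CONTOSO\\ClusterSvc
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,CONTOSO\\ClusterSvc
SeIncreaseBasePriorityPrivilege = *S-1-5-32-544,CONTOSO\\ClusterSvc
SeLoadDriverPrivilege = *S-1-5-32-544,CONTOSO\\ClusterSvc
SeLockMemoryPrivilege = CONTOSO\\ClusterSvc
SeServiceLogonRight = CONTOSO\\ClusterSvc,CONTOSO\\SqlSvc
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,CONTOSO\\ClusterSvc
SeDebugPrivilege = *S-1-5-32-544,CONTOSO\\ClusterSvc
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(text):
    """Return {right_name: set(account strings)} from the [Privilege Rights] section."""
    rights = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                       # blank line or template comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, holders = line.partition("=")
        rights[name.strip()] = {h.strip() for h in holders.split(",") if h.strip()}
    return rights


def audit_account(text, account):
    """Compare the rights `account` holds with EXPECTED_RIGHTS.

    Returns (missing, extra): listed rights the account lacks, and rights
    it holds beyond the list. Account comparison is case-insensitive.
    """
    held = {name for name, accounts in parse_privilege_rights(text).items()
            if account.lower() in {a.lower() for a in accounts}}
    return sorted(EXPECTED_RIGHTS - held), sorted(held - EXPECTED_RIGHTS)


def other_holders(text, right, allowed):
    """Accounts holding `right` that are not in `allowed`, e.g. who else can act as part of the OS."""
    allowed_lower = {a.lower() for a in allowed}
    return sorted(a for a in parse_privilege_rights(text).get(right, set())
                  if a.lower() not in allowed_lower)


if __name__ == "__main__":
    svc = "CONTOSO\\ClusterSvc"
    missing, extra = audit_account(SAMPLE_EXPORT, svc)
    print("missing rights:", missing)
    print("unexpected rights:", extra)
    print("SeTcbPrivilege also held by:", other_holders(SAMPLE_EXPORT, "SeTcbPrivilege", [svc]))
```

On a node, the input would come from `secedit /export /cfg <file>` run on each cluster member, and the audit should be repeated per node, since the document notes that the account is added to the local Administrators group per node and is not removed on eviction.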