Re: iis6.0 on a dc - does anyone see any security holes?


From: Laura E. Hunter (MVP)
Date: Wed, 3 Nov 2004 16:49:44 -0500

Running IIS on a DC is generally discouraged because it opens up too many
potential attack vectors against your Active Directory database. If an
attacker "0WNZ0R'S" your IIS box and it's running on a member server, then
all they have access to are local resources and the local user accounts on
the box. If the same attack happens and your IIS box is a DC? Said hacker
has the keys to the kingdom - they can create user accounts, sniff/change
passwords, change security policies to lock you out of your own network, and
the list goes on and on.

Throw up an IIS server running on 2K3 Web Edition and nothing else, you'll
sleep better at night.

-- 
*****************
Laura E. Hunter - MVP
Replies to Newsgroup only
All advice offered as-is, no warranties expressed or implied
"Nick Alesci" <NickAlesci@discussions.microsoft.com> wrote in message 
news:0A8CD0D3-B3BC-4C44-ADB2-ECECF77E252E@microsoft.com...
> We have some developers creating a home-grown app in .NET that uses OWC11
> and runs on IIS 6. The web-based app should be accessible from the
> internet. Also, outside clients (users not part of our domain) might use
> this app. Right now the developers are using the users' domain credentials
> for authentication. This poses a problem because I don't feel comfortable
> creating temporary user accounts in my domain for an outside client/user
> John Smith.
>
> So my solution to this problem was/is to move the IIS server to our DMZ,
> DCPROMO it to a DC in a separate forest, and create a one-way trust from
> our local domain. This way the local domain users can use the resources in
> the other forest; plus I can manage temporary accounts, enforce lockout and
> logon times, and manage one set of passwords. If the machine gets
> compromised I can always rebuild it and our local domain is never affected.
> Does anyone see any problems with this or have any suggestions; any other
> ideas on how this can be implemented? Am I correct in not feeling
> comfortable running IIS on a DC?
>
> BTW - I'm not sure how much security is being built into this app from the
> developers.
>
> Thanks in advance,
>
> Nick
> 


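The practical follow-up to the advice above is to verify that no domain controller is actually serving web content. The following PowerShell audit is an added example, not code from the thread or from either poster; it assumes the RSAT ActiveDirectory module is installed on the workstation running it and that remote CIM/WinRM access to each DC is permitted. It enumerates every DC in the domain and reports whether the IIS web service (W3SVC) is present, which is the condition Laura's reply warns about.

```powershell
# Added audit example (not from the thread): list every domain controller in
# the domain and report whether the IIS web service (W3SVC) is installed on it.
# Assumes the RSAT ActiveDirectory module and remote CIM access to each DC.
Import-Module ActiveDirectory

function Get-IisOnDomainControllers {
    [CmdletBinding()]
    param(
        # Domain to audit; defaults to the domain of the current user.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        try {
            # Query the remote service control manager; the W3SVC service only
            # exists when the IIS web server role has been installed.
            $svc = Get-CimInstance -ClassName Win32_Service `
                                   -ComputerName $dc.HostName `
                                   -Filter "Name='W3SVC'" -ErrorAction Stop
            [pscustomobject]@{
                DomainController = $dc.HostName
                IisInstalled     = [bool]$svc
                IisState         = if ($svc) { $svc.State } else { 'n/a' }
                Finding          = if ($svc) {
                    'IIS present on a DC: a web-app compromise exposes the directory'
                } else {
                    'OK'
                }
            }
        }
        catch {
            # Unreachable DCs are reported rather than silently skipped so the
            # audit never claims a clean result it could not actually verify.
            [pscustomobject]@{
                DomainController = $dc.HostName
                IisInstalled     = $null
                IisState         = 'unreachable'
                Finding          = "Could not query: $($_.Exception.Message)"
            }
        }
    }
}

# Usage: run from an administrative workstation and review every row where
# IisInstalled is True or IisState is 'unreachable'.
Get-IisOnDomainControllers | Format-Table -AutoSize
```

Any DC that shows up with IisInstalled set to True is the case the reply describes: the web application's attack surface and the directory's trust anchor sit on the same machine, so the fix is to move the site to a dedicated member server (or, as suggested, a stand-alone Web Edition box) rather than to harden IIS in place.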