Re: iis6.0 on a dc - does anyone see any security holes?


From: Bernard (qbernard_at_hotmail.com.discuss)
Date: 11/04/04


Date: Thu, 4 Nov 2004 12:38:25 +0800

If that needs to be done, it can be done.
Just make sure the IIS is protected and secure.

Take for example a requirement to use MSMQ in your web app, hence you need
AD.
So instead of mixing with the existing AD, you can create a new AD itself on the
box, isolate it totally, and even if it gets compromised - you've got one box to
lose. That's it.

So it all depends on your requirements and the resources you have; if it needs to
be done, find the best way to fulfil it while not ignoring security, budget,
etc.

-- 
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
"Lanwench [MVP - Exchange]"
<lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in message
news:#yPZHqhwEHA.2732@TK2MSFTNGP12.phx.gbl...
> Nick Alesci wrote:
> > So bottom line is make iis a member server and a DC.
>
> Why? Why not follow what Laura suggested and get the Windows 2003 Web
> Edition & put it safely in your DMZ?
>
> >   How about the
> > use of certificates for the outside users?
> >
> > "Laura E. Hunter (MVP)" wrote:
> >
> >> Running IIS on a DC is generally discouraged because it opens up too
> >> many potential attack vectors against your Active Directory
> >> database.  If an attacker "0WNZ0R'S" your IIS box and it's running
> >> on a member server, then all they have access to are local resources
> >> and the local user accounts on the box.  If the same attack happens
> >> and your IIS box is a DC?  Said hacker has the keys to the kingdom -
> >> they can create user accounts, sniff/change passwords, change
> >> security policies to lock you out of your own network, and the list
> >> goes on and on.
> >>
> >> Throw up an IIS server running on 2K3 Web Edition and nothing else,
> >> you'll sleep better at night.
> >>
> >>
> >>
> >> --
> >> *****************
> >> Laura E. Hunter - MVP
> >> Replies to Newsgroup only
> >> All advice offered as-is, no warranties expressed or implied
> >> "Nick Alesci" <NickAlesci@discussions.microsoft.com> wrote in message
> >> news:0A8CD0D3-B3BC-4C44-ADB2-ECECF77E252E@microsoft.com...
> >>> We have some developers creating a home-grown app in .NET that uses
> >>> OWC11 and
> >>> runs on IIS 6.  The web-based app should be accessible from the
> >>> internet. Also outside clients (users not part of our domain) might
> >>> use this app. Right now the developers are using the users' domain
> >>> credentials for authentication. This poses a problem because I
> >>> don't feel comfortable creating temporary user accounts in my
> >>> domain for an outside client/user John Smith.
> >>>
> >>> So my solution to this problem was/is to move the IIS server to our
> >>> DMZ, DCPROMO it to a DC in a separate forest, and create a one-way
> >>> trust from our
> >>> local domain.  This way the local domain users can use the
> >>> resources in the
> >>> other forest; plus I can manage temporary accounts, enforce
> >>> lockout and logon times, and manage one set of passwords.  If the
> >>> machine gets compromised I can always rebuild it and our local
> >>> domain is never affected.  Does anyone see any problems with this
> >>> or have any suggestions, or any other ideas on how this can be
> >>> implemented?  Am I correct in not feeling comfortable running IIS
> >>> on a DC?
> >>>
> >>> BTW - I'm not sure how much security is being built into this app
> >>> from the developers.
> >>>
> >>> Thanks in Advance,
> >>>
> >>> Nick
>
>
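The thread's point (Laura's warning about IIS on a DC, and Nick's plan to keep the web host out of the internal forest) can be turned into a quick pre-deployment check. The following PowerShell script is an added example, not code from anyone in the thread; it assumes it is run locally on the IIS host with WMI available, and the internal domain name `corp.example` and the script name are placeholders.

```powershell
# Added example (not from the thread): sanity check before exposing an IIS host.
# Flags (1) IIS running on a domain controller and (2) a web host joined to the
# internal production domain. Assumed placeholder: 'corp.example'.
param(
    [string]$InternalDomain = 'corp.example'   # assumed name of the protected internal domain
)

# Win32_ComputerSystem.DomainRole values:
#   0 standalone workstation, 1 member workstation, 2 standalone server,
#   3 member server, 4 backup domain controller, 5 primary domain controller
$cs = Get-WmiObject -Class Win32_ComputerSystem
$isDC = ($cs.DomainRole -ge 4)

# W3SVC is the IIS World Wide Web Publishing Service.
$w3svc = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
$iisRunning = ($null -ne $w3svc) -and ($w3svc.Status -eq 'Running')

$findings = @()

if ($iisRunning -and $isDC) {
    $findings += "W3SVC is running on a domain controller (DomainRole=$($cs.DomainRole)). " +
                 "A compromise of the web app is a compromise of this directory."
}

if ($cs.PartOfDomain -and ($cs.Domain -ieq $InternalDomain)) {
    $findings += "Host is joined to the internal domain '$($cs.Domain)'. " +
                 "An internet-facing web host should be standalone or in a separate forest."
}

if ($isDC -and $cs.PartOfDomain -and ($cs.Domain -ine $InternalDomain)) {
    # This is the 'separate forest in the DMZ' layout from the thread: acceptable
    # only if the trust is one-way (internal trusts DMZ, never the reverse) and
    # the box is treated as disposable.
    Write-Host "NOTE: DC for separate domain '$($cs.Domain)'; verify the trust is one-way into it."
}

if ($findings.Count -eq 0) {
    Write-Host "OK: host is not a DC and is not joined to '$InternalDomain'."
    exit 0
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it on the candidate web server before the DCPROMO decision is final; a non-zero exit code means the layout matches one of the configurations the thread warns against.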

