RE: IIS6 on W2k3 DCs

From: Benjamin D. Goldman (bgoldman_at_kipany.com)
Date: 01/13/05

Next message: Miroslaw Slawek Chorazy: "Re: IIS6 on W2k3 DCs"
Date: Thu, 13 Jan 2005 11:36:27 -0500
To: "Joe Blatz" <sd_wireless@yahoo.com>, <focus-ms@securityfocus.com>

    There is a very simple rule in securing systems that solves a ton of problems that otherwise require procedures, etc. to prove.

    Don't put services, applications, etc. on a system if there is no good reason for them to be there. There is a long history of vulnerabilities that come down to inopportune interactions between systems - the most famous of which is of course the subject of a famous novel.

    I'd love to know why your client doesn't trust your recommendations, and why they are trying to push for this in the first place - there seems to be no good reason for them to want it, and no good reason for them to constantly doubt your expertise (they did hire you in the first place).

    As for proof - unfortunately, even if you get some documentation about this, you will find that there is a level of common sense involved in the argument against putting IIS on any secure system... a web server by definition isn't secure.

    -----Original Message-----
    From: Joe Blatz [mailto:sd_wireless@yahoo.com]
    Sent: Thursday, January 13, 2005 9:30 AM
    To: focus-ms@securityfocus.com
    Subject: IIS6 on W2k3 DCs

    The security guides published by many sources (NSA,
    MS, etc) stated that IIS4 and IIS5 do not belong on
    DCs. Common best practices would, in general, guide
    that an HTTP (IIS or otherwise) daemon doesn't belong
    on DC.

    By referring to numerous security guides written
    specifically for NT4 and W2k we were able to convince
    a customer of this. Now that IIS6 has come out, and
    the customer feels that IIS6 is much safer than IIS4
    and IIS5, they want to put it back on their DCs.

    I am looking for sources that document that this is a
    bad idea. When it comes to the NSA they don't have a
    guide for W2k3 but have instead pointed to Microsoft's
    "Windows Server 2003 Security Guide" and the use of
    the "High Security" settings and templates. The MS
    guide does (rather subtly) show that IIS should not be
    on a DC. They only show the HTTP service enabled on an
    IIS server, but I think this may not be direct enough
    for our client.

    Any help finding an explicit statement that IIS6 does
    not belong on a DC would be greatly appreciated.


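The check the thread's advice reduces to, as an added example that is not part of either message: a PowerShell audit that lists every domain controller carrying the Web Server role or the W3SVC service. It assumes the ActiveDirectory module (RSAT) on the admin workstation, WinRM access to each DC, and the ServerManager module on the DCs (Windows Server 2008 R2 or later; the 2003-era hosts in the thread would need a service query only).

```powershell
# Added example: audit every domain controller for an IIS footprint.
# Assumes the ActiveDirectory module locally, WinRM access to each DC,
# and the ServerManager module on the DCs (Server 2008 R2 and later).
Import-Module ActiveDirectory

function Get-IisOnDomainControllers {
    $results = foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
                $svc     = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
                $feature = Get-WindowsFeature -Name Web-Server -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    DomainController = $env:COMPUTERNAME
                    WebServerRole    = [bool]($feature -and $feature.Installed)
                    W3SVCPresent     = [bool]$svc
                    W3SVCStatus      = if ($svc) { $svc.Status.ToString() } else { 'absent' }
                }
            }
        }
        catch {
            # An unreachable DC is reported rather than silently skipped,
            # so the audit never claims a clean result it could not verify.
            [pscustomobject]@{
                DomainController = $dc.HostName
                WebServerRole    = $null
                W3SVCPresent     = $null
                W3SVCStatus      = "unreachable: $($_.Exception.Message)"
            }
        }
    }
    # Select-Object drops the PSComputerName/RunspaceId noise Invoke-Command adds.
    $results | Select-Object DomainController, WebServerRole, W3SVCPresent, W3SVCStatus
}

# Show only DCs that carry IIS in any form or could not be checked;
# an empty table is the desired state.
Get-IisOnDomainControllers |
    Where-Object { $_.WebServerRole -or $_.W3SVCPresent -or $null -eq $_.WebServerRole } |
    Format-Table -AutoSize
```

Run it on a schedule and diff the output; a DC that newly appears is the "no good reason for it to be there" case the reply describes.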
