Re: IIS6 on W2k3 DCs

From: Miroslaw Slawek Chorazy (mchorazy_at_depaul.edu)
Date: 01/13/05

    Date: Thu, 13 Jan 2005 10:44:09 -0600
    To: <focus-ms@securityfocus.com>, <sd_wireless@yahoo.com>
    
    

    One pro-vote for IIS6 being installed on DC is related to
    your Certificate Authority which might be installed on a DC.
    The Microsoft Certificate Engine would then by default:
    1. try to obtain Certificate Revocation List updates from http
    location
    2. offer certificate enrollment for end-users via http
     
    Slawek

    >>> Joe Blatz <sd_wireless@yahoo.com> 1/13/2005 08:29 >>>
    The security guides published by many sources (NSA,
    MS, etc) stated that IIS4 and IIS5 do not belong on
    DCs. Common best practices would, in general, guide
    that an HTTP (IIS or otherwise) daemon doesn't belong
    on DC.

    By referring to numerous security guides written
    specifically for NT4 and W2k we were able to convince
    a customer of this. Now that IIS6 has come out, and
    the customer feels that IIS6 is much safer than IIS4
    and IIS5, they want to put it back on their DCs.

    I am looking for sources that document that this is a
    bad idea. When it comes to the NSA they don't have a
    guide for W2k3 but have instead pointed to Microsoft's
    "Windows Server 2003 Security Guide" and the use of
    the "High Security" settings and templates. The MS
    guide does (rather subtly) show that IIS should not be
    on a DC. They only show the HTTP service enabled on an
    IIS server, but I think this may not be direct enough
    for our client.

    Any help finding an explicit statement that IIS6 does
    not belong on a DC would be greatly appreciated.
