Re: IIS6 on W2k3 DCs

From: Fabrice Aubry (fabrice.aubry_at_wanadooportails.com)
Date: 01/14/05

  • Next message: Harlan Carvey: "RE: IIS6 on W2k3 DCs"
    Date: 14 Jan 2005 18:02:32 -0000
    To: focus-ms@securityfocus.com
    
    
    In-Reply-To: <20050113142952.5617.qmail@web52805.mail.yahoo.com>

    I don't think you will find somebody arguing that IIS6 must never be installed on a domain controller.
    As a CA will sometimes be installed on a DC (management not wanting to give you a dedicated server), you will necessarily install a really hardened IIS 6 with limited support for ASP to make the Web Certificate enrollment page available.
    Although this is not best practice, it's reality for lots of us.

    In fact you're indirectly raising the question of having multi-role DCs.
    Reality, once again, is that budget is a concern when choosing to have dedicated servers.
    On the other side, if you don't have scripts or management/IDS software to monitor security, having fewer machines (even multi-role) is better for keeping a close eye on them.

    Web management interfaces with few, strongly authenticated users (certificates) through W2K3/IIS6 are not a "security interdiction" from my point of view.

    Public Web sites and intranets are another problem, but that comes down to bad system design (or money) when they are run on DCs.

    Fabrice Aubry
    SysAdmin, Wanadoo Hosting

    >Message-ID: <20050113142952.5617.qmail@web52805.mail.yahoo.com>
    >Date: Thu, 13 Jan 2005 06:29:52 -0800 (PST)
    >From: Joe Blatz <sd_wireless@yahoo.com>
    >Subject: IIS6 on W2k3 DCs
    >To: focus-ms@securityfocus.com
    >
    >The security guides published by many sources (NSA,
    >MS, etc) state that IIS4 and IIS5 do not belong on
    >DCs. Common best practices would, in general, guide
    >that an HTTP (IIS or otherwise) daemon doesn't belong
    >on a DC.
    >
    >By referring to numerous security guides written
    >specifically for NT4 and W2k we were able to convince
    >a customer of this. Now that IIS6 has come out, and
    >the customer feels that IIS6 is much safer than IIS4
    >and IIS5, they want to put it back on their DCs.
    >
    >I am looking for sources that document that this is a
    >bad idea. When it comes to the NSA they don't have a
    >guide for W2k3 but have instead pointed to Microsoft's
    >"Windows Server 2003 Security Guide" and the use of
    >the "High Security" settings and templates. The MS
    >guide does (rather subtly) show that IIS should not be
    >on a DC. They only show the HTTP service enabled on an
    >IIS server, but I think this may not be direct enough
    >for our client.
    >
    >Any help finding an explicit statement that IIS6 does
    >not belong on a DC would be greatly appreciated.
    >
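The thread turns on whether an HTTP daemon is present on a DC at all, and the reply notes that without scripts or monitoring software the exposure is hard to keep an eye on. The audit below is an added example, not code from the thread or from either poster: it lists every domain controller, reports whether the IIS World Wide Web Publishing Service (W3SVC) is installed and its state, and checks for the CertSrv web-enrollment directory that a CA-on-DC would justify. It assumes the ActiveDirectory RSAT module is loaded and that the caller has remote CIM and admin-share rights on the DCs.

```powershell
# Added example (not from the thread): inventory domain controllers for an
# installed IIS service and for the CA web-enrollment directory.
# Assumes: RSAT ActiveDirectory module, remote CIM (WMI) access and admin$
# share access to each DC. W3SVC is the IIS service name; CertSrv lives under
# %SystemRoot%\System32\CertSrv when web enrollment is installed.
Import-Module ActiveDirectory

function Get-DcIisStatus {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $result = [pscustomobject]@{
            DC      = $dc.HostName
            IIS     = 'absent'
            State   = '-'
            CertSrv = $false
            Note    = ''
        }
        try {
            # One CIM query per DC; a missing service simply returns nothing.
            $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $dc.HostName `
                                   -Filter "Name='W3SVC'" -ErrorAction Stop
        } catch {
            # Unreachable or access denied: record it rather than silently skipping.
            $result.IIS  = 'unknown'
            $result.Note = $_.Exception.Message
            $result
            continue
        }
        if ($null -ne $svc) {
            $result.IIS   = 'installed'
            $result.State = "$($svc.State)/$($svc.StartMode)"
            # A DC running IIS without CertSrv has no CA enrollment justification
            # and is the case the thread's guides argue against.
            $result.CertSrv = Test-Path "\\$($dc.HostName)\admin$\System32\CertSrv"
            if (-not $result.CertSrv) { $result.Note = 'IIS present, no CertSrv: review' }
        }
        $result
    }
}

Get-DcIisStatus | Sort-Object IIS -Descending | Format-Table -AutoSize
```

Rows marked 'installed' with CertSrv false are the ones to follow up; 'unknown' rows need the connectivity or permission problem fixed before the DC can be considered audited.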
