RE: IIS6 on W2k3 DCs
From: Soluk, Kirk (kmsoluk_at_umich.edu)
Date: 01/14/05
- Previous message: Harlan Carvey: "RE: IIS6 on W2k3 DCs"
- Maybe in reply to: Joe Blatz: "IIS6 on W2k3 DCs"
- Next in thread: Benjamin D. Goldman: "RE: IIS6 on W2k3 DCs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 14 Jan 2005 14:21:43 -0500
To: <focus-ms@securityfocus.com>
Also, if I am not mistaken, if you are running IIS on a member server,
then promote that member server to a DC, the DCPromo process will
disable IIS by default. That's a pretty strong recommendation.
Additionally, if you start running IIS on multiple DCs, the problem
that Alberto points out really starts to become exacerbated. You end up
with IUSR_<machinename> domain accounts for each DC that you have, with
user rights assigned to them, etc.
Kirk Soluk
Information Technology Security Services (ITSS)
University of Michigan
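The exposure Kirk and Alberto describe (IIS on a DC, and one IUSR_<machinename> domain account per such DC) can be audited from a management workstation. This is an added example, not code from anyone in the thread; it assumes the ActiveDirectory RSAT module, Windows PowerShell 5.1 (Get-Service -ComputerName), and rights to query services on each DC.

```powershell
# Added audit script: flag domain controllers that carry the IIS web service and
# list the IUSR_<machinename> domain accounts they leave behind in the directory.
# Assumes RSAT ActiveDirectory module and remote service-query rights on each DC.
Import-Module ActiveDirectory

function Get-DCIISExposure {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $name = $dc.Name
        # W3SVC is the World Wide Web Publishing Service, i.e. IIS itself.
        $w3svc = Get-Service -ComputerName $name -Name W3SVC -ErrorAction SilentlyContinue
        # A DC has no local SAM, so the IIS anonymous account is a domain user.
        $iusr = Get-ADUser -Filter "SamAccountName -eq 'IUSR_$name'" `
                           -Properties Enabled, MemberOf -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $name
            IISInstalled     = [bool]$w3svc
            IISRunning       = [bool]($w3svc -and $w3svc.Status -eq 'Running')
            IUSRAccount      = $(if ($iusr) { $iusr.SamAccountName } else { $null })
            IUSREnabled      = $(if ($iusr) { $iusr.Enabled } else { $null })
            # Group names only (strip the CN= prefix from each DN) for a compact report.
            IUSRGroups       = $(if ($iusr) {
                ($iusr.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';'
            } else { $null })
        }
    }
}

# Every row here is a DC where the web attack surface and the directory share a host,
# plus a domain-wide account whose compromise reaches beyond that one server.
Get-DCIISExposure | Where-Object { $_.IISInstalled -or $_.IUSRAccount } | Format-Table -AutoSize
```

Extend the filter to every row if you also want to confirm the DCs that are clean; a DC with neither IIS nor an IUSR_ account is the expected state.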
-----Original Message-----
From: Security [mailto:Security@mujica.com]
Sent: Thursday, January 13, 2005 4:06 PM
To: focus-ms@securityfocus.com
Subject: Re: IIS6 on W2k3 DCs
Hello Joe,
Even though I cannot remember an exact place where it is documented, I
can tell you this is a bad idea.
IUSR is a domain account and if it is compromised it can reach the
entire domain.
The server itself does not have a local SAM, so if it is compromised,
the entire domain is compromised.
Web servers, since they are open to the public, have more of an attack
surface than a domain controller should have.
When you add the Web Application Server role to a domain controller on
W2k3 there is a warning telling you that you shouldn't do it.
Your client should simply trust you on this....
Good luck.
Alberto Mujica
-----Original Message-----
From: Joe Blatz [mailto:sd_wireless@yahoo.com]
Posted At: Thursday, January 13, 2005 9:30 AM
Posted To: Security
Conversation: IIS6 on W2k3 DCs
Subject: IIS6 on W2k3 DCs
The security guides published by many sources (NSA,
MS, etc) stated that IIS4 and IIS5 do not belong on
DCs. Common best practices would, in general, guide
that an HTTP (IIS or otherwise) daemon doesn't belong
on a DC.
By referring to numerous security guides written
specifically for NT4 and W2k we were able to convince
a customer of this. Now that IIS6 has come out, and
the customer feels that IIS6 is much safer than IIS4
and IIS5, they want to put it back on their DCs.
I am looking for sources that document that this is a
bad idea. When it comes to the NSA they don't have a
guide for W2k3 but have instead pointed to Microsoft's
"Windows Server 2003 Security Guide" and the use of
the "High Security" settings and templates. The MS
guide does (rather subtly) show that IIS should not be
on a DC. They only show the HTTP service enabled on an
IIS server, but I think this may not be direct enough
for our client.
Any help finding an explicit statement that IIS6 does
not belong on a DC would be greatly appreciated.