RE: IIS6 on W2k3 DCs

From: Benjamin D. Goldman (bgoldman_at_kipany.com)
Date: 01/14/05

  • Next message: Nathaniel Hall: "PGP and Outlook" 
    Date: Fri, 14 Jan 2005 14:27:42 -0500
To: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>, "Joe Blatz" <sd_wireless@yahoo.com>

    I want to interject something here that is very important.

    You dont just have to worry about threats from the internet, but from workstations.

    If your workstations are running with user=local admin, fine - thats a big issue, but even bigger is the code they can get installed on their machines that can now try to influence your DC.

    It all comes back to keeping that puppy clear and clean.

    Now - I agree with you about best practices not applying to everyone in every situation, but having said that, there are some "best practices" that if met minimize risk, and the path you take, wont minimize it in the same way.

    -----Original Message-----
    From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
    [mailto:sbradcpa@pacbell.net]
    Sent: Thursday, January 13, 2005 10:12 PM
    To: Joe Blatz
    Cc: focus-ms@securityfocus.com
    Subject: Re: IIS6 on W2k3 DCs

    I may be laughed from here to kingdom come on this listserve...but I
    gotta ask....

    Common best practices for whom? Define a role please? What is "common
    best practices" may not be good enough for one person, but may be just
    fine for another. What are they doing with this box? Exposing it to
    the web as a web server...yeah I'd still argue that's insanity.

    But Small Business Server 2003 runs with IIS on our domain controller.
    Where's MY security risks these days? Not my server..nope......it's my
    desktops where my security risks lie.

    Port 80 is closed on my server but IIS is still on there. On the
    outside is Firewall, intrusion detection and what not. Running with XP
    sp2 firewalls on the inside but still need to get to more use of user
    mode on the desktop.

    Am "I" freaking out over IIS on my domain controller? Nope. Not at
    this moment. Am I freaking out over admin rights on desktops?

    You betcha I am... big time.
    www.threatcode.com

    Susan...the wacko SBSer.

    Joe Blatz wrote:

    >The security guides published by many sources (NSA,
    >MS, etc) stated that IIS4 and IIS5 do not belong on
    >DCs. Common best practices would, in general, guide
    >that an HTTP (IIS or otherwise) daemon doesn't belong
    >on DC.
    >
    >By referring to numerous security guides written
    >specifically for NT4 and W2k we were able to convince
    >a customer of this. Now that IIS6 has come out, and
    >the customer feels that IIS6 is much safer than IIS4
    >and IIS5, they want to put it back on their DCs.
    >
    >I am looking for sources that document that this is a
    >bad idea. When it comes to the NSA they don't have a
    >guide for W2k3 but have instead pointed to Microsoft's
    >"Windows Server 2003 Security Guide" and the use of
    >the "High Security" settings and templates. The MS
    >guide does (rather subtly) show that IIS should not be
    >on a DC. They only show the HTTP service enabled on an
    >IIS server, but I think this may not be direct enough
    >for our client.
    >
    >Any help finding an explicit statement that IIS6 does
    >not be belong on a DC would be greatly appreciated.
    >
    >__________________________________________________
    >Do You Yahoo!?
    >Tired of spam? Yahoo! Mail has the best spam protection around
    >http://mail.yahoo.com
    >
    >---------------------------------------------------------------------------
    >---------------------------------------------------------------------------
    >
    >
    >
    >

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------

  • Next message: Nathaniel Hall: "PGP and Outlook"

    Relevant Pages

    • Re: IIS6 on W2k3 DCs
      ... Common best practices for whom? ... But Small Business Server 2003 runs with IIS on our domain controller. ... >guide for W2k3 but have instead pointed to Microsoft's ...
      (Focus-Microsoft)
    • Re: IIS6 on W2k3 DCs
      ... I don't think you will find somebody arguing that IIS6 must never be intalling on a domain controller. ... As a CA will sometimes be installed on a DC, you will necessarely installed a really hardened IIS 6 with limited support for ASP to make the Web Certificate enrollement page available. ... >guide for W2k3 but have instead pointed to Microsoft's ...
      (Focus-Microsoft)
    • Re: IIS6 on W2k3 DCs
      ... The very reason that IIS should not be kept on a DC machine is provided by Microsoft itself: the Web Edition of their 2003 Server. ... >guide for W2k3 but have instead pointed to Microsoft's ... >Any help finding an explicit statement that IIS6 does ...
      (Focus-Microsoft)
    • Re: Management Point not installing
      ... and IIS in AD and two XP workstations. ... and I created the smsservice user, gave it domain admin and local admin ... > I then ran the SMS service viewer (I am at home and I can't remember the ...
      (microsoft.public.sms.setup)
    • Re: .NET Objekte aus Java heraus ansteuern
      ... C# WebService einen Internet Information Server auf der Maschine. ... Da das Modul in Zukunft nicht nur auf einem Server deployed werden soll, ... sondern auch auf normalen Workstations benötige ich eine Integration ohne ... Mein XP Pro hat ein IIS, kann man den nicht fuer .Net verwenden? ...
      (de.comp.lang.java)
    • Quantcast