RE: IIS6 on W2k3 DCs

From: Eric McCarty (eric_at_piteduncan.com)
Date: 01/15/05

    Date: Fri, 14 Jan 2005 15:13:37 -0800
    To: "Harlan Carvey" <keydet89@yahoo.com>, "Benjamin D. Goldman" <bgoldman@kipany.com>, "Joe Blatz" <sd_wireless@yahoo.com>, <focus-ms@securityfocus.com>
    
    

    I wasn't going to comment, and probably shouldn't, but it's Friday so what
    the hey.

    What I don't understand is, WHY you need to run IIS on a DC, is it that
    hard or costly to set up a non-DC Web Server? What plausible reason
    other than costs would you have for setting up a web server from a
    company with a history of prolific web server holes (Remember Unicode
    Directory Traversal?, Default.ida ??? Anyone?) on the same server you
    rely on for Domain operations. I just don't get it.

    So here's number two.

    DO NOT RUN IIS ON W2K3 DCs

    -----Original Message-----
    From: Harlan Carvey [mailto:keydet89@yahoo.com]
    Sent: Friday, January 14, 2005 11:07 AM
    To: Benjamin D. Goldman; Joe Blatz; focus-ms@securityfocus.com
    Subject: RE: IIS6 on W2k3 DCs

    Joe,

    Here, I'll do this to help...

    DO NOT RUN IIS ON W2K3 DCs.

    Take that to your customer.

    If you need reasoning, then consider this...anytime you add new
    functionality (i.e., a web server) to a system, you increase the attack
    surface and the management overhead.

    =====
    ------------------------------------------
    Harlan Carvey, CISSP
    "Windows Forensics and Incident Recovery"
    http://www.windows-ir.com
    http://windowsir.blogspot.com
    ------------------------------------------
