RE: IIS6 on W2k3 DCs

From: Jim Harrison (ISA) (jmharr_at_microsoft.com)
Date: 01/18/05

    Date: Mon, 17 Jan 2005 18:03:40 -0800
    To: <focus-ms@securityfocus.com>

    There's no question that:
    1 - "less is more" in terms of attack surface and relative risk
    2 - "spread the risk" is also a good best practice
    3 - SBS provides the best possible compromise of functionality and
    security for an "all in one" deployment

    There's also no arguing the fact that many companies large and small are
    trying to shoehorn as much into one server as possible. Witness the
    proliferation of "virtualization for its own sake" ads in your favorite
    IT-targeted publication; "Save $$! Reduce costs & headcount! Stuff all
    your resources into virtual machines!!"

    Unfortunately, this has also evolved into "What's the difference between
    virtual servers and just stuffing it all onto one machine?" You don't
    have to tell me, but beware; the customers are clamoring for just these
    answers in the "must reduce IT $$" jungle.
    Those that don't want to use VM/VS end up with this exact question - how
    to get more from what we have (are buying)?

    Ferinstance, I recently fielded a query that wanted to combine Win2K3,
    ISA, DC, IIS, Exch, SMS, &....
    When I told them that SBS took over a year to get this done right, the
    response was "so what; we don't want / can't use SBS; just tell us if
    this is possible / supported."
    This company (can't tell you; I'd have to kill you all -
    bwaaaa-ha-ha-ha) has plenty of $$ to deploy these services properly, but
    just won't do it.

    HTH,

    Jim Harrison
    Security Business Unit (ISA SE)
    "I have seen the suitcase in the trash and lived to tell the tale"

    -----Original Message-----
    From: Eric McCarty [mailto:eric@piteduncan.com]
    Sent: Friday, January 14, 2005 3:14 PM
    To: Harlan Carvey; Benjamin D. Goldman; Joe Blatz;
    focus-ms@securityfocus.com
    Subject: RE: IIS6 on W2k3 DCs

    I wasn't going to comment, and probably shouldn't, but it's Friday so what
    the hey.

    What I don't understand is WHY you need to run IIS on a DC. Is it that
    hard or costly to set up a non-DC web server? What plausible reason,
    other than cost, would you have for setting up a web server from a
    company with a history of prolific web server holes (remember Unicode
    directory traversal? Default.ida??? Anyone?) on the same server you
    rely on for domain operations? I just don't get it.

    So here's number two.

    DO NOT RUN IIS ON W2K3 DCs.

    -----Original Message-----
    From: Harlan Carvey [mailto:keydet89@yahoo.com]
    Sent: Friday, January 14, 2005 11:07 AM
    To: Benjamin D. Goldman; Joe Blatz; focus-ms@securityfocus.com
    Subject: RE: IIS6 on W2k3 DCs

    Joe,

    Here, I'll do this to help...

    DO NOT RUN IIS ON W2K3 DCs.

    Take that to your customer.

    If you need reasoning, then consider this... any time you add new
    functionality (i.e., a web server) to a system, you increase the attack
    surface and the management overhead.

    =====
    ------------------------------------------
    Harlan Carvey, CISSP
    "Windows Forensics and Incident Recovery"
    http://www.windows-ir.com
    http://windowsir.blogspot.com
    ------------------------------------------

