Re: IIS6 on W2k3 DCs

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa_at_pacbell.net)
Date: 01/18/05

  • Next message: Robert Jandacek: "RE: local admin vs group policy and apps..."
    Date: Tue, 18 Jan 2005 08:14:30 -0800
    To: "Depp, Dennis M." <deppdm@ornl.gov>
    
    

    ...well... not exactly [sorry folks for hijacking this again] as we can
    indeed expand and quite frankly big server folks are drooling over our
    Remote Web workplace feature and Monitoring functions.

    You hit the 75 max brick wall and we have a transition pack that
    "un-does" the 75 limit and allows us to break the parts off into
    separate boxes.

    I'll be honest with you ...our biggest threat vector IMHO are stupid
    passwords and that Mail server [smtp auth attacks and what not].

    For small businesses in SBSland we truly recommend a web server on the
    side in a DMZ or outsourcing the web site. [see even we don't want IIS
    or any web site to be straight exposed on that DC]

    I just cringe these days at the words "best practices" as I think it's
    too "checklisty". I think you need to evaluate the entire
    risk/threat/vulnerability factors in your network and know what works
    for you. Like the upcoming Security Configuration Wizard coming out in
    Windows 2003 sp1... you run that "best practice tool" on our SBS 2003
    box and you break the monitoring email and you possibly break our
    backup. Now tell me... how did that make me safer?

    Susan

    Depp, Dennis M. wrote:

    >Tim,
    >
    >I find your comments interesting. "Organizations who want fault
    >tolerance put resources (AKA roles) on separate boxes." This has
    >nothing to do with fault tolerance. If I have a machine with 1 role or
    >a machine with 50 roles, it is still a single point of failure. The
    >fact that a machine with 50 roles affects more people does not make it
    >any more or less of a single point of failure. To eliminate the single
    >point of failure, I have to use some type of redundancy. In the case of
    >domain controllers, this redundancy is accomplished by adding a separate
    >domain controller. In the case of a web server, Network Load Balancing
    >can be used. In either case the cost of this redundancy is usually
    >double the hardware costs. For a Small Buisness, this is not practical.
    >SBS helps small buisness by providing a lower priced alternative. The
    >drawback to SBS is it limits your expandability. For a small buisness
    >this may be a good trade off.
    >
    >Dennis
    >
    >Sullivan Tim P wrote:
    >
    >
    >
    >>SBS doesnt have a choice.
    >>
    >>Your box is your domain controller, and its your exchange server, so it
    >>has to have IIS installed. No way around it. That doesnt mean its not
    >>going against a common school of thought based on good sensible
    >>practice.
    >>
    >>This seems to be a common topic, but again the more you have on one
    >>
    >>
    >box,
    >
    >
    >>the more you lose should that one box crash, have a hardware failure,
    >>
    >>
    >or
    >
    >
    >>be stolen by gypsies. It then comes down to the tolerance level of your
    >>organization to something like this.
    >>
    >>So....
    >>
    >>Organizations who want fault tolerance put resources (AKA roles) on
    >>seperate boxes. DC on one, mail on another, web server on another. Your
    >>web server may not even be on the domain.
    >>
    >>So is the desktop the biggest threat, probobly, but your DC is (I would
    >>say) your most important machine on the network, and should be
    >>
    >>
    >protected
    >
    >
    >>accordingly. Should it fail, AD, exchange, and everything else,
    >>including your desktop's and user accounts, are gone. Have fun
    >>
    >>
    >restoring
    >>from tape, or your ASR, if one was made.
    >
    >
    >>Number of employees shouldn't dictate a choice between SBS and
    >>
    >>
    >sepearate
    >
    >
    >>products, your mission requirements should.
    >>
    >>Tim
    >>
    >>
    >>-----Original Message-----
    >>From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
    >>[mailto:sbradcpa@pacbell.net]
    >>Sent: Thursday, January 13, 2005 8:12 PM
    >>To: Joe Blatz
    >>Cc: focus-ms@securityfocus.com
    >>Subject: Re: IIS6 on W2k3 DCs
    >>
    >>I may be laughed from here to kingdom come on this listserve...but I
    >>gotta ask....
    >>
    >>Common best practices for whom? Define a role please? What is "common
    >>best practices" may not be good enough for one person, but may be just
    >>fine for another. What are they doing with this box? Exposing it to
    >>the web as a web server...yeah I'd still argue that's insanity.
    >>
    >>But Small Business Server 2003 runs with IIS on our domain controller.
    >>
    >>
    >
    >
    >
    >>Where's MY security risks these days? Not my server..nope......it's my
    >>desktops where my security risks lie.
    >>
    >>Port 80 is closed on my server but IIS is still on there. On the
    >>outside is Firewall, intrusion detection and what not. Running with XP
    >>sp2 firewalls on the inside but still need to get to more use of user
    >>mode on the desktop.
    >>
    >>Am "I" freaking out over IIS on my domain controller? Nope. Not at
    >>this moment. Am I freaking out over admin rights on desktops?
    >>
    >>You betcha I am... big time.
    >>www.threatcode.com
    >>
    >>Susan...the wacko SBSer.
    >>
    >>Joe Blatz wrote:
    >>
    >>
    >>
    >>
    >>
    >>>The security guides published by many sources (NSA, MS, etc) stated
    >>>that IIS4 and IIS5 do not belong on DCs. Common best practices would,
    >>>in general, guide that an HTTP (IIS or otherwise) daemon doesn't
    >>>
    >>>
    >belong
    >
    >
    >>>
    >>>
    >>>
    >>>
    >>
    >>
    >>
    >>
    >>>on DC.
    >>>
    >>>By referring to numerous security guides written specifically for NT4
    >>>and W2k we were able to convince a customer of this. Now that IIS6 has
    >>>
    >>>
    >
    >
    >
    >>>come out, and the customer feels that IIS6 is much safer than IIS4 and
    >>>
    >>>
    >
    >
    >
    >>>IIS5, they want to put it back on their DCs.
    >>>
    >>>I am looking for sources that document that this is a bad idea. When
    >>>
    >>>
    >it
    >
    >
    >>>
    >>>
    >>>
    >>>
    >>
    >>
    >>
    >>
    >>>comes to the NSA they don't have a guide for W2k3 but have instead
    >>>pointed to Microsoft's "Windows Server 2003 Security Guide" and the
    >>>
    >>>
    >use
    >
    >
    >>>
    >>>
    >>>
    >>>
    >>
    >>
    >>
    >>
    >>>of the "High Security" settings and templates. The MS guide does
    >>>(rather subtly) show that IIS should not be on a DC. They only show
    >>>
    >>>
    >the
    >
    >
    >>>
    >>>
    >>>
    >>>
    >>
    >>
    >>
    >>
    >>>HTTP service enabled on an IIS server, but I think this may not be
    >>>direct enough for our client.
    >>>
    >>>Any help finding an explicit statement that IIS6 does not be belong on
    >>>
    >>>
    >
    >
    >
    >>>a DC would be greatly appreciated.
    >>>
    >>>__________________________________________________
    >>>Do You Yahoo!?
    >>>Tired of spam? Yahoo! Mail has the best spam protection around
    >>>http://mail.yahoo.com
    >>>
    >>>----------------------------------------------------------------------
    >>>
    >>>
    >-
    >
    >
    >>>----
    >>>----------------------------------------------------------------------
    >>>
    >>>
    >-
    >
    >
    >>>----
    >>>
    >>>
    >>>
    >>>
    >>>
    >>>
    >>>
    >>>
    >>-----------------------------------------------------------------------
    >>
    >>
    >-
    >
    >
    >>---
    >>-----------------------------------------------------------------------
    >>
    >>
    >-
    >
    >
    >>---
    >>
    >>
    >>-----------------------------------------------------------------------
    >>
    >>
    >----
    >
    >
    >>-----------------------------------------------------------------------
    >>
    >>
    >----
    >
    >
    >>
    >>
    >>
    >>
    >
    >------------------------------------------------------------------------
    >---
    >------------------------------------------------------------------------
    >---
    >
    >
    >
    >

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------


  • Next message: Robert Jandacek: "RE: local admin vs group policy and apps..."

    Relevant Pages

    • RE: upgrade windows 2000 server to sbs2k3
      ... Server (SBS) 2003-based computer in an existing domain. ... an existing SBS 2000 or SBS 2003 domain controller for migration purposes. ... To install a SBS 2003 computer in an existing Active Directory domain, ...
      (microsoft.public.windows.server.sbs)
    • Re: wds, how many computers can be imaged at the same time
      ... SBS itself must be the FSMO roles holder. ... you can have additional member server. ... Windows Server 2008 WDS supports multicasting. ... domain controller, ...
      (microsoft.public.windows.server.general)
    • RE: the dns service cannot open active directory
      ... SBS 2003 machine as an additional domain controller of a Windows 2000 ... The new SBS 2003 computer must be a global catalog server and must be the ... On a Windows 2000 domain, you must prepare Active Directory before you ...
      (microsoft.public.windows.server.sbs)
    • Re: Small Business Server 2003 Premium Edition automatically shuts
      ... I have had to place SBS as my internal server connecting to 'Enterprise Edition' via a hub, which is then connected to my router. ... I have been told that placing SBS on the edge of my network as a domain controller is dangerous. ...
      (microsoft.public.windows.server.general)
    • Re: Client performance problem windows 2003 server...
      ... >Subject: Re: Client performance problem windows 2003 server... ... >Deploying Active Directory for Branch Office Environments ... >results from not having a domain controller in a particular site. ... incorrectly applied site coverage will be bad for clients ...
      (microsoft.public.windows.server.networking)