Re: IIS6 on W2k3 DCs

From: Danny
Date: 01/18/05

  • Next message: Marc Fossi: "SecurityFocus Microsoft Newsletter #224"
    Date: Tue, 18 Jan 2005 16:09:12 -0500
    To: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <>

    On Tue, 18 Jan 2005 08:14:30 -0800, Susan Bradley, CPA aka Ebitz - SBS
    Rocks [MVP] <> wrote:
    > ...well... not exactly [sorry folks for hijacking this again] as we can
    > indeed expand and quite frankly big server folks are drooling over our
    > Remote Web workplace feature and Monitoring functions.

    The big server folks are drooling over the wizards?
    > You hit the 75 max brick wall and we have a transition pack that
    > "un-does" the 75 limit and allows us to break the parts off into
    > separate boxes.

    I did not know about this transition pack - I am just reading about it
    now. Once installed, does it allow you to implement another DC for AD
    replication -- an inherent limitation of SBS 2003, correct?

    > I'll be honest with you ...our biggest threat vector IMHO are stupid
    > passwords and that Mail server [smtp auth attacks and what not].

    Passwords - they are fun! If you can't afford [1] biometric
    authentication, then your best bet is to educate your users and
    enforce a policy -- thereby decreasing your threat vector.

    As for your mail server, none of my Microsoft based (Exchange is a
    popular one) email server implementations are accessible from the
    Internet. Instead, it's my personal preference to implement a real
    mail gateway MTA, such as Postfix on FreeBSD, which then seamlessly
    transports the email to the Exchange server(s). This combination is a
    weapon of mass destruction against malware, spam, and other nasty
    email borne crap. A 486 clunker could easily handle any SBS MTA
    requirements, so cost is not a factor; the aforementioned software is
    "free". You don't need to be a Unix buff to set it up, either.

    > For small businesses in SBSland we truly recommend a web server on the
    > side in a DMZ or outsourcing the web site. [see even we don't want IIS
    > or any web site to be straight exposed on that DC]

    I concur.
    > I just cringe these days at the words "best practices" as I think it's
    > too "checklisty". I think you need to evaluate the entire
    > risk/threat/vulnerability factors in your network and know what works
    > for you. Like the upcoming Security Configuration Wizard coming out in
    > Windows 2003 sp1... you run that "best practice tool" on our SBS 2003
    > box and you break the monitoring email and you possibly break our
    > backup. Now tell me... how did that make me safer?

    Personally I believe "wizards" are for non-wizards who don't know what
    they are doing and need their hand held, so why would you run the
    Wizard anyway?

    [1] - If biometrics were affordable relative to the cost of a security
    breach due to weak passwords, then we all should be able to justify
    the cost of such a system. In the meantime, I try my best to educate
    my users and enforce a balanced password policy.
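As an added illustration of the gateway-MTA arrangement Danny describes above (this is editorial example configuration, not anything from his post or from the SBS product), here is a minimal Postfix main.cf plus transport and relay-recipient tables for an Internet-facing relay that accepts mail for one domain and hands it to an internal Exchange host. The hostnames, domain, network range and recipient addresses are placeholders constructed for the example.

```text
# /etc/postfix/main.cf  (added example; all names and networks are placeholders)
myhostname = mx1.example.com
inet_interfaces = all
# Trusted LAN that may relay outbound through this box (placeholder range)
mynetworks = 127.0.0.0/8, 192.0.2.0/24

# This host delivers nothing locally; it only relays for our own domain.
mydestination =
relay_domains = example.com
transport_maps = hash:/etc/postfix/transport

# Reject recipients Exchange does not know at SMTP time, so the gateway
# never accepts mail it must later bounce (no backscatter). This list
# has to be kept in sync with the accounts on the Exchange side.
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# No SMTP AUTH on the Internet-facing edge: the SMTP auth guessing Susan
# mentions has no credentials to attack here. Exchange itself stays behind
# the gateway and is not reachable from the Internet.
smtpd_sasl_auth_enable = no

# Relay only for our domain or from the LAN; refuse everything else.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_recipient_domain

# /etc/postfix/transport
# Square brackets skip the MX lookup and deliver straight to the named host.
example.com    smtp:[exchange.internal.example.com]:25

# /etc/postfix/relay_recipients  (constructed sample entries)
alice@example.com    OK
bob@example.com      OK
```

After editing the two tables, build the hash maps with `postmap /etc/postfix/transport /etc/postfix/relay_recipients` and apply the config with `postfix reload`. With `reject_unauth_destination` in place, a client outside `mynetworks` can only deliver to `example.com`, and any address missing from the relay-recipient table is refused before the message body is ever accepted.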


