Re: IIS6 on W2k3 DCs

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa_at_pacbell.net)
Date: 01/19/05

  • Next message: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: IIS6 on W2k3 DCs" 
    Date: Wed, 19 Jan 2005 06:10:10 -0800
To: "Depp, Dennis M." <deppdm@ornl.gov>

    There's that checklist again :-)

    My sister's large entity that she works at, I'm sure does not put IIS on
    their DC... yet they allow any employee to click on any email attachment.

    Yeah... they don't have IIS on their DC....meet that security best
    practice all right.. but they've got a slightly bigger issue in my book
    [and have the virus infections and malware to prove it].

    All I'm saying is that I cringe when hearing "blanket statements". For
    the space that 99.9999999% of the folks on this list work in your
    statement is correct.

    For one wacko SBSer on this list, I still would argue that we can take
    the risk and so far with IIS 6, prove it on regular basis in the
    newsgroups.

    Susan

    Depp, Dennis M. wrote:

    >The fact that IIS can be made secure does not mean it should be
    >installed on a domain controller. When IIS is installed on a Domain
    >Controller the impact of a sucessful hack is much greater than when it
    >is installed on a member server. If I compromise an IIS machine, I can
    >gain access to all the user accounts stored on this machine. In the
    >case of a Domain Controller, this gives me access to every account in
    >the Domain. From here I have access to all the data stored on Windows
    >machines in your network.
    >
    >If the machine that is compromised is a member IIS server the hacker
    >will only have access to the local accounts and passwords. While they
    >can still use this to attack the domain controllers, they will have some
    >additional effort involved.
    >
    >While I can protect each IIS server equally well, the damage potential
    >of the IIS server on a DC is much greater. This is why it is considered
    >a best security practice not to place IIS on a DC.
    >
    >Dennis
    >
    >-----Original Message-----
    >From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
    >[mailto:sbradcpa@pacbell.net]
    >Sent: Wednesday, January 19, 2005 1:55 AM
    >To: Depp, Dennis M.
    >Cc: Sullivan Tim P; focus-ms@securityfocus.com
    >Subject: Re: IIS6 on W2k3 DCs
    >
    >Aren't we all missing something here as far as this discussion of
    >additional protection and IIS in general?
    >
    >Didn't an IIS server survive OpenHackIV with IIS, SQL and IPsec? [IIS
    >5 even]
    >
    >http://www.microsoft.com/technet/community/columns/secmgmt/sm0105.mspx
    >http://www.microsoft.com/technet/community/columns/secmgmt/sm121504.mspx
    >
    >*Using IPsec for Network Protection. Part 1 of 2*
    >Last month I introduced you to IPsec, a wonderful but sometimes
    >bewildering bit of technology. Now that you understand what it is and
    >how it works, this month I'd like to highlight IPSec's ability to help
    >solve three common security problems.
    >
    >http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetse
    >c/html/openhack.asp
    >
    >I know about it...but know that I need wizards to help me do it
    >right..... but that's just me. I like wizards to help me do my job.
    >Command lines that include "netsh ipsec static add filter" needs to be
    >made easier IMHO.
    >
    >Susan
    >
    >
    >Depp, Dennis M. wrote:
    >
    >
    >
    > 

    -- 
An open letter to the Security Community:: 
http://msmvps.com/bradley/archive/2004/12/12/23540.aspx
---------------------------------------------------------------------------
---------------------------------------------------------------------------
  • Next message: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: IIS6 on W2k3 DCs"

    Relevant Pages

    • Re: NT AuthorizationAnonyomous logon error
      ... SQL BI Product Unit ... What I am doing now is creating a CAB file coping to the IIS ... >>> I have a SQL box and a IIS server. ... >>> Server and have place several cube that I wish client to access via a ...
      (microsoft.public.sqlserver.olap)
    • Re: How negative is IIS running on MyDCChildDomain ?
      ... You are correct that by adding IIS to your domain controller, ... you are OK with the security risks and this server is not accessible from ...
      (microsoft.public.win2000.security)
    • Re: How negative is IIS running on MyDCChildDomain ?
      ... > You are correct that by adding IIS to your domain controller, ... > you are OK with the security risks and this server is not accessible from ...
      (microsoft.public.win2000.security)
    • Re: IIS6 on W2k3 DCs
      ... IIS like any other web server can not be made secure! ... >installed on a domain controller. ... >a best security practice not to place IIS on a DC. ...
      (Focus-Microsoft)
    • RE: IIS6 on W2k3 DCs
      ... installed on a domain controller. ... When IIS is installed on a Domain ... While I can protect each IIS server equally well, ... Didn't an IIS server survive OpenHackIV with IIS, SQL and IPsec? ...
      (Focus-Microsoft)