Re: IIS6 on W2k3 DCs

From: calin oprea (calinoprea2004_at_yahoo.com)
Date: 01/20/05

    Date: 20 Jan 2005 08:18:16 -0000
    To: focus-ms@securityfocus.com
    In-Reply-To: <20050113142952.5617.qmail@web52805.mail.yahoo.com>

    Although I am just a humble professional, I feel that simple things should be kept simple. The very reason that IIS should not be kept on a DC machine is provided by Microsoft itself: the Web Edition of their 2003 Server.

    Aside from that, there's a lot to do with your design: I mean you can have a DMZ; I mean c'mon, if someone manages to hack your public network, the private one is still isolated. That is for the Web server that is exposed.
    My guess is that you can put IIS on a domain controller if and only if the server is inside your private network and you are running some n-tier system and you have a tight budget. So much for the Web server that is not exposed (inside your private network).

    regards,
    io

    >
    >The security guides published by many sources (NSA,
    >MS, etc) stated that IIS4 and IIS5 do not belong on
    >DCs. Common best practices would, in general, guide
    >that an HTTP (IIS or otherwise) daemon doesn't belong
    >on DC.
    >
    >By referring to numerous security guides written
    >specifically for NT4 and W2k we were able to convince
    >a customer of this. Now that IIS6 has come out, and
    >the customer feels that IIS6 is much safer than IIS4
    >and IIS5, they want to put it back on their DCs.
    >
    >I am looking for sources that document that this is a
    >bad idea. When it comes to the NSA they don't have a
    >guide for W2k3 but have instead pointed to Microsoft's
    >"Windows Server 2003 Security Guide" and the use of
    >the "High Security" settings and templates. The MS
    >guide does (rather subtly) show that IIS should not be
    >on a DC. They only show the HTTP service enabled on an
    >IIS server, but I think this may not be direct enough
    >for our client.
    >
    >Any help finding an explicit statement that IIS6 does
    >not belong on a DC would be greatly appreciated.

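The thread argues about policy, but the practical follow-up for a defender is to find out whether any domain controller is actually running an HTTP daemon. The script below is an added example, not code from the original thread or from Microsoft: it walks every DC in the current domain, looks for the IIS services (W3SVC and IISADMIN, an assumed list you can extend) and probes ports 80 and 443. It assumes the ActiveDirectory RSAT module, WinRM/CIM access to the DCs, and a Windows PowerShell session on a domain-joined admin workstation.

```powershell
# Added example (not part of the original mailing-list thread): audit every
# domain controller for an installed or running IIS web service.
# Assumptions: ActiveDirectory module present, WinRM/CIM reachable on the DCs.
#Requires -Modules ActiveDirectory

function Get-DcWebServiceReport {
    [CmdletBinding()]
    param(
        # Service names that indicate an HTTP daemon. W3SVC is IIS itself,
        # IISADMIN is the IIS admin service (assumed list; extend as needed).
        [string[]]$ServiceNames = @('W3SVC', 'IISADMIN'),
        # TCP ports to probe; a listener here means *some* web server is up,
        # IIS or otherwise, which is what the original posters cared about.
        [int[]]$Ports = @(80, 443)
    )

    foreach ($dc in Get-ADDomainController -Filter *) {
        $fqdn = $dc.HostName
        $services = @()
        try {
            # Query the service control manager on the DC over CIM/WSMan.
            $services = Get-CimInstance -ClassName Win32_Service -ComputerName $fqdn -ErrorAction Stop |
                Where-Object { $ServiceNames -contains $_.Name }
        } catch {
            # An unreachable DC is itself worth knowing about; report and move on.
            Write-Warning "Could not query services on ${fqdn}: $_"
        }

        # Independent check from the network side: is anything answering on HTTP(S)?
        $listening = foreach ($p in $Ports) {
            $probe = Test-NetConnection -ComputerName $fqdn -Port $p -WarningAction SilentlyContinue
            if ($probe.TcpTestSucceeded) { $p }
        }

        [pscustomobject]@{
            DomainController = $fqdn
            IisServices      = ($services | ForEach-Object { "$($_.Name)=$($_.State)" }) -join ', '
            ListeningPorts   = ($listening -join ', ')
            HostsWebServer   = [bool]($services -or $listening)
        }
    }
}

# Usage: list every DC with a yes/no verdict, then review the rows flagged True.
Get-DcWebServiceReport | Format-Table -AutoSize
```

A row with `HostsWebServer` set to True is a finding to review, not automatically a fault: the service check and the port probe are deliberately separate, so a stopped W3SVC with nothing listening tells you the role is installed but idle, while an open port with no IIS service points at a different HTTP daemon altogether.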

