Re: IIS6 on W2k3 DCs

From: Ansgar -59cobalt- Wiechers (bugtraq_at_planetcobalt.net)
Date: 01/19/05

  • Next message: Paul Aviles: "Dhcp security" 
    Date: Wed, 19 Jan 2005 18:00:19 +0100
To: focus-ms@securityfocus.com

    On 2005-01-19 Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
    > There's that checklist again :-)
    >
    > My sister's large entity that she works at, I'm sure does not put IIS
    > on their DC... yet they allow any employee to click on any email
    > attachment.
    >
    > Yeah... they don't have IIS on their DC....meet that security best
    > practice all right.. but they've got a slightly bigger issue in my
    > book [and have the virus infections and malware to prove it].
    >
    > All I'm saying is that I cringe when hearing "blanket statements".
    > For the space that 99.9999999% of the folks on this list work in your
    > statement is correct.
    >
    > For one wacko SBSer on this list, I still would argue that we can take
    > the risk and so far with IIS 6, prove it on regular basis in the
    > newsgroups.

    The real - and AFAICS still unanswered - question here is: why would
    anyone want a web server on his Domain Controller? Because if there
    isn't a Damn Good Reason(tm) for it, increasing the attack surface would
    be a pretty stupid thing to do. Checklist or not, one simply doesn't
    install software to prove it can be done.

    Regards
    Ansgar Wiechers 

    -- 
"Those who would give up liberty for a little temporary safety
deserve neither liberty nor safety, and will lose both."
--Benjamin Franklin
---------------------------------------------------------------------------
---------------------------------------------------------------------------
  • Next message: Paul Aviles: "Dhcp security"