Re: IIS6 on W2k3 DCs

From: Andrew Rice (the_integrator_at_tesco.net)
Date: 01/19/05

    Date: Wed, 19 Jan 2005 19:02:51 +0000
    To: "Depp, Dennis M." <deppdm@ornl.gov>
    
    
    

    IIS, like any other web server, cannot be made secure! We limit the
    weaknesses by proactive security management.

    Depp, Dennis M. wrote:

    >The fact that IIS can be made secure does not mean it should be
    >installed on a domain controller. When IIS is installed on a Domain
    >Controller the impact of a successful hack is much greater than when it
    >is installed on a member server. If I compromise an IIS machine, I can
    >gain access to all the user accounts stored on this machine. In the
    >case of a Domain Controller, this gives me access to every account in
    >the Domain. From here I have access to all the data stored on Windows
    >machines in your network.
    >
    >If the machine that is compromised is a member IIS server the hacker
    >will only have access to the local accounts and passwords. While they
    >can still use this to attack the domain controllers, they will have some
    >additional effort involved.
    >
    >While I can protect each IIS server equally well, the damage potential
    >of the IIS server on a DC is much greater. This is why it is considered
    >a best security practice not to place IIS on a DC.
    >
    >Dennis
    >
    >-----Original Message-----
    >From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
    >[mailto:sbradcpa@pacbell.net]
    >Sent: Wednesday, January 19, 2005 1:55 AM
    >To: Depp, Dennis M.
    >Cc: Sullivan Tim P; focus-ms@securityfocus.com
    >Subject: Re: IIS6 on W2k3 DCs
    >
    >Aren't we all missing something here as far as this discussion of
    >additional protection and IIS in general?
    >
    >Didn't an IIS server survive OpenHackIV with IIS, SQL and IPsec? [IIS
    >5 even]
    >
    >http://www.microsoft.com/technet/community/columns/secmgmt/sm0105.mspx
    >http://www.microsoft.com/technet/community/columns/secmgmt/sm121504.mspx
    >
    >*Using IPsec for Network Protection. Part 1 of 2*
    >Last month I introduced you to IPsec, a wonderful but sometimes
    >bewildering bit of technology. Now that you understand what it is and
    >how it works, this month I'd like to highlight IPSec's ability to help
    >solve three common security problems.
    >
    >http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/openhack.asp
    >
    >I know about it...but know that I need wizards to help me do it
    >right..... but that's just me. I like wizards to help me do my job.
    >Command lines that include "netsh ipsec static add filter" need to be
    >made easier IMHO.
    >
    >Susan
    >
    >
    >Depp, Dennis M. wrote:
    >

    -- 
    +44 870 167 3047 Fax
    +44 786 166 4532 Mobile
    Andrew Rice subscribed to the CESG Listed Advisor Scheme.
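The inventory check Dennis's argument implies, as an added example that is not part of this thread: a PowerShell script that enumerates the current domain's controllers and reports which of them have the IIS web service installed, so each such host can be reviewed against the "no IIS on a DC" practice. It assumes Windows PowerShell 5.1 on a domain-joined admin workstation with WMI/RPC access to the DCs.

```powershell
# Added example, not from the thread: list every domain controller in the
# current domain and flag the ones with the IIS web service (W3SVC) installed.
# Assumes Windows PowerShell 5.1 on a domain-joined admin workstation with
# WMI/RPC access to the DCs (Get-WmiObject is not available in PowerShell 7).

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

$report = foreach ($dc in $domain.DomainControllers) {
    $iis   = 'unknown'
    $state = 'n/a'
    $mode  = 'n/a'
    try {
        # W3SVC is the World Wide Web Publishing Service that IIS registers;
        # the query returns nothing when IIS is not installed and throws
        # when the DC cannot be reached.
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $dc.Name `
                             -Filter "Name='W3SVC'" -ErrorAction Stop
        if ($svc) {
            $iis   = $true
            $state = $svc.State        # Running / Stopped
            $mode  = $svc.StartMode    # Auto / Manual / Disabled
        } else {
            $iis = $false
        }
    } catch {
        $state = "error: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        DomainController = $dc.Name
        Site             = $dc.SiteName
        IISInstalled     = $iis
        W3SVCState       = $state
        StartMode        = $mode
    }
}

$report | Format-Table -AutoSize

# DCs that also serve web content are the ones whose compromise would expose
# every account in the domain; review each against its business justification.
$report | Where-Object { $_.IISInstalled -eq $true } |
    Select-Object DomainController, W3SVCState, StartMode
```

A DC reported as `unknown` could not be queried and needs a manual check rather than being treated as clean.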