RE: Active Directory and IIS on production servers, and clustering
From: Derick Anderson (danderson_at_vikus.com)
Date: 09/27/05
- Previous message: Derick Anderson: "Active Directory and IIS on production servers, and clustering"
- Maybe in reply to: Derick Anderson: "Active Directory and IIS on production servers, and clustering"
- Next in thread: Derick Anderson: "RE: Active Directory and IIS on production servers, and clustering"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 27 Sep 2005 14:22:31 -0400
To: "Susan Bradley" <sbradcpa@pacbell.net>, "Focus-MS" <focus-ms@securityfocus.com>
Inline...
> -----Original Message-----
> From: Susan Bradley [mailto:sbradcpa@pacbell.net]
> Sent: Tuesday, September 27, 2005 1:48 PM
> To: Derick Anderson
> Cc: Focus-MS
> Subject: Re: Active Directory and IIS on production servers, and clustering
>
> Define 'small company'?
We've got 22 employees and 11 Windows-based servers (we also have a
Linux firewall and four Linux servers). Of the Windows servers, 7 are
absolutely essential to our production environment. We've just passed a
SAS70 type-II audit (somehow).
> In the IIS 5 days there would be no question, no hesitation
> whatsoever in the answer. IIS 6 has proven itself to be way
> more robust and thus I personally have a hesitation in
> blindly saying "it's a best practice you know...."
>
> Maybe it's just my wacko thinking but I'd look at the overall
> network vulnerability profile [workstations/servers etc] and
> try to get everyone on 2k3 and xp sp2 if you didn't already
> have them on that platform, killing off Local admin, more
> control, etc etc..
>
> Have you done a Network threat model [the whole data flow
> diagram] thing?
I've been working on this but we are still in the small-business mindset
where we don't move forward until current resources are exhausted
(including old Windows licenses). Fortunately we've got everything
running at least Windows 2000 and our older computers are breaking.
I haven't started with a Network threat model as I've been concentrating
on the general hardening of our servers and workstations.
> Also you say "web applications are the biggest attack
> surface"... one could argue that should be modified by saying
> "crappy web apps are the biggest...."
>
> I'm assuming that this web app has been reviewed for secure
> coding guidelines and best practices as well?
The application has not been reviewed for anything and I'm hoping to
push that once I take care of securing the network environment. At this
point (for me) it's an unknown.
> Derick Anderson wrote:
>
> >The company I work for (as the only systems administrator) is
> >considering a new implementation of their web-based software. To
> >support this we will be splitting our single domain into two domains,
> >one for production servers and one for employee support (file servers
> >and employee workstations). We'll be using at least two IIS servers as
> >a front-end to a custom-built service in the production domain.
> >
> >We are a fairly small company and my CIO does not believe we should
> >invest money in two dedicated domain controllers for the production
> >domain. He thinks that because Active Directory is not resource
> >intensive it wouldn't be a problem to make the IIS servers domain
> >controllers. (The back-end servers, except for SQL Server 2000, would
> >not require Windows Server 2003.) I disagree completely, for several
> >reasons that I thought were obvious:
> >
> >1. Separation of roles is essential to security as well as reliability.
> >2. Highly sensitive services such as internal DNS and Active Directory
> >should never reside on a publicly accessible server.
> >3. In general, web applications are the biggest attack surface of any
> >organization in terms of threat volume and relative ease of
> >exploitation.
> >
> >I'd appreciate any thoughts on this as I am fighting to follow best
> >practices in our server environments. I've been reading the Windows
> >Server 2003 Security Guide which unfortunately lacks the "Never ever
> >have your production IIS servers be domain controllers" statement but
> >implies Reasons #1 and #2 with its approach to server hardening.
> >
> >My second question has to do with clustering: we plan to eventually
> >cluster the IIS servers. What impact does that have on Active Directory
> >services?
> >
> >Thanks,
> >
> >Derick Anderson
> >
Derick Anderson
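An added example, not part of this thread or its posters' work: a PowerShell audit that flags the role co-location the original message argues against (a domain controller that also runs IIS, and DNS alongside it). It assumes WMI access to the listed servers and uses only the Win32_ComputerSystem and Win32_Service classes, which exist on Windows 2000/2003; the server list is a constructed placeholder.

```powershell
# Added example (not the thread's own code). Reports, per server, whether
# it is a domain controller and whether IIS (W3SVC) and the DNS Server
# service are installed on the same box, so that co-located roles show
# up in a plain table for review.
function Test-RoleCoLocation {
    param([string]$Server)

    $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $Server
    # Win32_ComputerSystem.DomainRole: 0/1 standalone/member workstation,
    # 2/3 standalone/member server, 4 backup DC, 5 primary DC.
    $isDc = $cs.DomainRole -ge 4

    # IIS is present when the World Wide Web Publishing Service exists.
    $w3svc = Get-WmiObject -Class Win32_Service -ComputerName $Server `
             -Filter "Name='W3SVC'"
    $hasIis = ($null -ne $w3svc)
    $iisState = 'n/a'
    if ($w3svc) { $iisState = $w3svc.State }

    # Internal DNS normally rides on the DC, which is the thread's Reason #2.
    $dns = Get-WmiObject -Class Win32_Service -ComputerName $Server `
           -Filter "Name='DNS'"
    $hasDns = ($null -ne $dns)

    $finding = 'ok'
    if ($isDc -and $hasIis) {
        $finding = 'DC and IIS on one host: split the roles'
    }

    New-Object PSObject -Property @{
        Server     = $Server
        DomainRole = $cs.DomainRole
        IsDC       = $isDc
        HasIIS     = $hasIis
        IISState   = $iisState
        HasDNS     = $hasDns
        Finding    = $finding
    }
}

# Constructed placeholder list; replace with the real production hosts.
$servers = @('localhost')
$servers | ForEach-Object { Test-RoleCoLocation -Server $_ } |
    Format-Table Server, DomainRole, IsDC, HasIIS, IISState, HasDNS, Finding -AutoSize
```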