RE: Active Directory and IIS on production servers, and clustering
From: Derick Anderson (danderson_at_vikus.com)
Date: 09/27/05
- Previous message: Benjamin B. Williams: "Office 2003 SP2?"
- Maybe in reply to: Derick Anderson: "Active Directory and IIS on production servers, and clustering"
- Next in thread: Susan Bradley: "Re: Active Directory and IIS on production servers, and clustering"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 27 Sep 2005 13:55:09 -0400
To: "Focus-MS" <focus-ms@securityfocus.com>
> -----Original Message-----
> From: Brady McClenon [mailto:BMcClenon@uamail.albany.edu]
> Sent: Tuesday, September 27, 2005 1:35 PM
> To: Derick Anderson; Focus-MS
> Subject: RE: Active Directory and IIS on production servers, and clustering
>
> Derek,
>
> I agree with your points as to why not to put IIS on a DC.
> It sounds as if your boss isn't looking at security though.
> If he's only looking at cost and performance I'd have to ask
> why the 2nd domain? Is it a separate forest? With a two-way
> transitive trust between domains in a
> forest there's no security boundary there. Tell him to scrap the 2nd
> domain and let you have those two servers for IIS.
>
> Also, while the Windows Server 2003 Security Guide doesn't
> say "Never ever have your production IIS servers be domain
> controllers" you could look at the IIS section and conclude
> since the IPSec policy they say you should apply to an IIS
> server would stop a DC from correctly functioning, that a DC
> should not be an IIS server.
>
> Brady
>
Unfortunately our production software is so complex that it requires
domain features, and if you look in the archives back a month you'll see
a long-winded discussion on password policies in Active Directory that I
started. There can only be one password policy per domain (sans 3rd
party software), and I'm making up for short 8-character passwords with
aggressive lockout policies (required by our SAS70 auditors). Of course
our production software (and SQL Server) run using domain accounts, so
they can easily be DoSed by attempting to log in using those accounts.
Our second domain will be a separate forest with no trusts, separated by
a firewall. I've been itching to implement the 2003 security guide but
I'm fearful of what might break if I do - I've discovered many
dependencies of our production environment by attempting to secure it.
Fortunately I've just talked with my CIO and he's agreed to get the
dedicated servers.
Thanks for your response,
Derick Anderson
> -----Original Message-----
> From: Derick Anderson [mailto:danderson@vikus.com]
> Sent: Monday, September 26, 2005 2:02 PM
> To: Focus-MS
> Subject: Active Directory and IIS on production servers, and clustering
>
> The company I work for (as the only systems administrator) is
> considering a new implementation of their web-based software.
> To support this we will be splitting our single domain into
> two domains, one for production servers and one for employee
> support (file servers and employee workstations). We'll be
> using at least two IIS servers as a front-end to a
> custom-built service in the production domain.
>
> We are a fairly small company and my CIO does not believe we
> should invest money in two dedicated domain controllers for
> the production domain. He thinks that because Active
> Directory is not resource intensive that it wouldn't be a
> problem to make the IIS servers domain controllers. (The
> back-end servers, except for SQL Server 2000, would not
> require Windows Server 2003.) I disagree completely, for
> several reasons that I thought were obvious:
>
> 1. Separation of roles is essential to security as well as
> reliability.
> 2. Highly sensitive services such as internal DNS and Active
> Directory should never reside on a publicly accessible server.
> 3. In general, web applications are the biggest attack
> surface of any organization in terms of threat volume and
> relative ease of exploitation.
>
> I'd appreciate any thoughts on this as I am fighting to
> follow best practices in our server environments. I've been
> reading the Windows Server 2003 Security Guide which
> unfortunately lacks the "Never ever have your production IIS
> servers be domain controllers" statement but implies Reasons
> #1 and #2 with its approach to server hardening.
>
> My second question has to do with clustering: we plan to
> eventually cluster the IIS servers. What impact does that
> have on Active Directory services?
>
> Thanks,
>
> Derick Anderson
>
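Derick's point that domain service accounts become a lockout DoS target once an aggressive lockout policy is in place is the part a defender can act on: watch for service accounts that are being locked out or are about to be. The following is an added example, not code from the original post or from any product mentioned in it; the log lines, account names, the 5-attempt threshold and the 30-minute observation window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample security-log extract (not from the original post).
# Fields: timestamp, event id, target account, source workstation.
# On Windows Server 2003, 529 = logon failure (bad password), 644 = account locked out.
SAMPLE_LOG = """\
2005-09-27T13:40:01 529 svc_webapp WEB01
2005-09-27T13:40:03 529 svc_webapp WEB01
2005-09-27T13:40:04 529 svc_webapp WEB01
2005-09-27T13:40:05 529 svc_webapp WEB01
2005-09-27T13:40:06 529 svc_webapp WEB01
2005-09-27T13:40:06 644 svc_webapp WEB01
2005-09-27T13:41:10 529 jdoe WS042
2005-09-27T13:55:00 529 jdoe WS042
"""

LOCKOUT_THRESHOLD = 5                        # assumed lockout policy: 5 bad attempts
OBSERVATION_WINDOW = timedelta(minutes=30)   # assumed "reset counter after" window

def parse(log_text):
    """Yield (timestamp, event_id, account, source) for each non-empty line."""
    for line in log_text.splitlines():
        if line.strip():
            ts, event_id, account, source = line.split()
            yield datetime.fromisoformat(ts), int(event_id), account, source

def lockout_report(log_text, service_accounts, window=OBSERVATION_WINDOW):
    """Return {account: (bad-password count inside the sliding window,
    locked_out, is_service_account)} for every account seen failing or locked."""
    failures = defaultdict(list)
    locked = set()
    for ts, event_id, account, _ in parse(log_text):
        if event_id == 529:
            # keep only the failures that still fall inside the window ending at ts
            failures[account] = [t for t in failures[account] if ts - t <= window] + [ts]
        elif event_id == 644:
            locked.add(account)
    return {acct: (len(failures.get(acct, [])), acct in locked, acct in service_accounts)
            for acct in set(failures) | locked}

def service_accounts_at_risk(report, threshold=LOCKOUT_THRESHOLD):
    """Service accounts already locked out or within one attempt of the threshold."""
    return sorted(acct for acct, (count, locked, is_svc) in report.items()
                  if is_svc and (locked or count >= threshold - 1))
```

Run against a real export, the at-risk list is the set of accounts whose lockout would stop the production software or SQL Server outright, so it is worth alerting on separately from ordinary user lockouts.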