RE: Active Directory and IIS on production servers, and clustering

From: Brady McClenon (BMcClenon_at_uamail.albany.edu)
Date: 09/27/05

Next message: Jim Stagg: "RE: Active Directory and IIS on production servers, and clustering"

Date: Tue, 27 Sep 2005 13:35:24 -0400
To: "Derick Anderson" <danderson@vikus.com>, "Focus-MS" <focus-ms@securityfocus.com>

    Derick,

    I agree with your points as to why not to put IIS on a DC. It sounds as
    if your boss isn't looking at security though. If he's only looking at
    cost and performance I'd have to ask why the 2nd domain? Is it a
    separate forest? With a two-way transitive trust between domains in a
    forest there's no security boundary there. Tell him to scrap the 2nd
    domain and let you have those two servers for IIS.

    Also, while the Windows Server 2003 Security Guide doesn't say "Never
    ever have your production IIS servers be domain controllers" you could
    look at the IIS section and conclude since the IPSec policy they say you
    should apply to an IIS server would stop a DC from correctly
    functioning, that a DC should not be an IIS server.

    Brady

    -----Original Message-----
    From: Derick Anderson [mailto:danderson@vikus.com]
    Sent: Monday, September 26, 2005 2:02 PM
    To: Focus-MS
    Subject: Active Directory and IIS on production servers, and clustering

    The company I work for (as the only systems administrator) is
    considering a new implementation of their web-based software. To support
    this we will be splitting our single domain into two domains, one for
    production servers and one for employee support (file servers and
    employee workstations). We'll be using at least two IIS servers as a
    front-end to a custom-built service in the production domain.
    We are a fairly small company and my CIO does not believe we should
    invest money in two dedicated domain controllers for the production
    domain. He thinks that because Active Directory is not resource
    intensive that it wouldn't be a problem to make the IIS servers domain
    controllers. (The back-end servers, except for SQL Server 2000, would
    not require Windows Server 2003.) I disagree completely, for several
    reasons that I thought were obvious:

    1. Separation of roles is essential to security as well as reliability.
    2. Highly sensitive services such as internal DNS and Active Directory
    should never reside on a publicly accessible server.
    3. In general, web applications are the biggest attack surface of any
    organization in terms of threat volume and relative ease of
    exploitation.

    I'd appreciate any thoughts on this as I am fighting to follow best
    practices in our server environments. I've been reading the Windows
    Server 2003 Security Guide which unfortunately lacks the "Never ever
    have your production IIS servers be domain controllers" statement but
    implies Reasons #1 and #2 with its approach to server hardening.

    My second question has to do with clustering: we plan to eventually
    cluster the IIS servers. What impact does that have on Active Directory
    services?

    Thanks,

    Derick Anderson
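
The point both posters make, that a domain controller and a public-facing IIS server should not be the same box, is the kind of thing that is easy to assert and easy to lose track of across a fleet. The following PowerShell script is an added example, not part of this thread or of the Windows Server 2003 Security Guide: it reports whether a host is a domain controller (Win32_ComputerSystem DomainRole 4 or 5) and whether the IIS World Wide Web Publishing service (W3SVC) is installed, and flags the combination. It assumes it is run with rights to query WMI on the target; the function name and the wording of the findings are my own.

```powershell
# Added example (not from the thread): report role co-location on a Windows server.
# Assumes WMI access to the target. DomainRole values are defined by the
# Win32_ComputerSystem class: 4 = Backup Domain Controller, 5 = Primary Domain Controller.

function Get-RoleCoLocationReport {
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $ComputerName
    $isDc = [int]$cs.DomainRole -ge 4

    # W3SVC is the World Wide Web Publishing service installed with IIS.
    # Querying Win32_Service (rather than Get-Service) keeps remote queries to one mechanism.
    $w3svc = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter "Name='W3SVC'"
    $hasIis = ($null -ne $w3svc)

    if ($isDc -and $hasIis) {
        $finding = 'DC and IIS on the same host: directory and web roles are not separated'
    } elseif ($isDc) {
        $finding = 'Domain controller only'
    } elseif ($hasIis) {
        $finding = 'IIS host on a member server'
    } else {
        $finding = 'Neither role present'
    }

    if ($hasIis) { $iisState = $w3svc.State } else { $iisState = 'not installed' }

    New-Object PSObject -Property @{
        ComputerName       = $ComputerName
        IsDomainController = $isDc
        HasIis             = $hasIis
        IisState           = $iisState
        Finding            = $finding
    }
}

# Usage: check the local machine, or pass -ComputerName for another server.
Get-RoleCoLocationReport | Format-List ComputerName, IsDomainController, HasIis, IisState, Finding
```

Running this across the servers in a new domain before it goes live gives a concrete list of hosts where the two roles overlap, which is easier to argue about than a general principle. It only checks for the service's presence; whether the IIS hardening from the Security Guide (the IPSec policy Brady mentions) has actually been applied is a separate check.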

