RE: Active Directory and IIS on production servers, and clustering

From: Jim Stagg (jstagg_at_sprich.com)
Date: 09/27/05


To: Focus-MS <focus-ms@securityfocus.com>
Date: Tue, 27 Sep 2005 14:26:09 -0400

We're on the verge of an AD migration from an NT4-controlled domain, so I'm
no AD expert. But, I can speak to part of the issue. We have a web app built
on IIS with an MSSQL backend for authentication and client state.

Our design has always been that public bastion hosts are NOT domain
members... ever. Our MS Services guy blessed that as the Microsoft-supported
position (DB in the secured network with minimal access from the DMZ-based
IIS server, which in turn has only minimal access allowed from a
less-trusted network). Microsoft also specifically advises against a private
namespace being accessible from a public network.

In 2000, IIS is installed automatically when you select "domain controller."
That's no longer the case in 2003. There's a really good reason for that,
and I believe it's even mentioned here:

Best Practice Guide for Securing Active Directory Installations
http://www.microsoft.com/downloads/details.aspx?FamilyID=4e734065-3f18-488a-be1e-f03390ec5f91&DisplayLang=en

...which includes:

Note
In contrast to Windows 2000 Server installation, Internet Information
Services (IIS) is not installed by default in Windows Server 2003
installation. IIS is not required on a domain controller, and eliminating
IIS reduces the attack surface on the domain controller.

--
Jim Stagg, Systems Administrator, S.P. Richards Co., 
770-803-5724 or jstagg@sprich.com,
6300 Highlands Pkwy., Smyrna GA 30081 
 
> -----Original Message-----
> From: Derick Anderson [mailto:danderson@vikus.com] 
> Sent: Monday, September 26, 2005 2:02 PM
> To: Focus-MS
> Subject: Active Directory and IIS on production servers, and 
> clustering
> 
> The company I work for (as the only systems administrator) is 
> considering a new implementation of their web-based software. 
> To support this we will be splitting our single domain into 
> two domains, one for production servers and one for employee 
> support (file servers and employee workstations). We'll be 
> using at least two IIS servers as a front-end to a 
> custom-built service in the production domain.
>  
> We are a fairly small company and my CIO does not believe we 
> should invest money in two dedicated domain controllers for 
> the production domain. He thinks that because Active 
> Directory is not resource intensive that it wouldn't be a 
> problem to make the IIS servers domain controllers. (The 
> back-end servers, except for SQL Server 2000, would not 
> require Windows Server 2003.) I disagree completely, for 
> several reasons that I thought were obvious:
> 
> 1. Separation of roles is essential to security as well as 
> reliability.
> 2. Highly sensitive services such as internal DNS and Active 
> Directory should never reside on a publicly accessible server.
> 3. In general, web applications are the biggest attack 
> surface of any organization in terms of threat volume and 
> relative ease of exploitation.
> 
> I'd appreciate any thoughts on this as I am fighting to 
> follow best practices in our server environments. I've been 
> reading the Windows Server 2003 Security Guide which 
> unfortunately lacks the "Never ever have your production IIS 
> servers be domain controllers" statement but implies Reasons 
> #1 and #2 with its approach to server hardening.
> 
> My second question has to do with clustering: we plan to 
> eventually cluster the IIS servers. What impact does that 
> have on Active Directory services?
> 
> Thanks,
> 
> Derick Anderson
> 
> 
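
An inventory check for the role overlap discussed in this thread, added here as an example and not part of either message. It reports, per host, whether the machine is a domain controller, whether it is domain-joined, and whether the IIS web service (W3SVC) is installed. The host list is a placeholder, and remote queries assume WinRM is enabled on the targets.

```powershell
# Added example: flag hosts where IIS and the domain controller role coexist.
# -ComputerName defaults to the local machine; pass your own inventory.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

# Win32_ComputerSystem.DomainRole values, as documented for the WMI class.
$roleNames = @{
    0 = 'Standalone workstation';   1 = 'Member workstation'
    2 = 'Standalone server';        3 = 'Member server'
    4 = 'Backup domain controller'; 5 = 'Primary domain controller'
}

$report = foreach ($c in $ComputerName) {
    # Query the local machine directly; use WinRM only for remote hosts.
    $target = if ($c -ne $env:COMPUTERNAME) { @{ ComputerName = $c } } else { @{} }
    try {
        $cs  = Get-CimInstance -ClassName Win32_ComputerSystem @target -ErrorAction Stop
        # W3SVC is the World Wide Web Publishing Service; no result means it is not installed.
        $iis = Get-CimInstance -ClassName Win32_Service -Filter "Name='W3SVC'" @target -ErrorAction Stop
    } catch {
        Write-Warning "$c : query failed: $($_.Exception.Message)"
        continue
    }

    $isDC = $cs.DomainRole -ge 4
    $finding = if ($isDC -and $iis) {
        'DC with IIS installed: separate the roles'
    } elseif ($iis -and $cs.PartOfDomain) {
        'Domain-joined IIS host: confirm it is not publicly reachable'
    } elseif ($iis) {
        'Standalone IIS host'
    } else {
        'No IIS web service'
    }

    [pscustomobject]@{
        Host     = $c
        Role     = $roleNames[[int]$cs.DomainRole]
        Domain   = if ($cs.PartOfDomain) { $cs.Domain } else { '(workgroup)' }
        IISState = if ($iis) { $iis.State } else { 'Not installed' }
        Finding  = $finding
    }
}

$report | Format-Table -AutoSize
```

The script cannot tell whether a host is reachable from a public network, so the "domain-joined IIS host" finding is a prompt to check placement, not a verdict.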