RE: Active Directory and IIS on production servers, and clustering

From: Jim Stagg (jstagg_at_sprich.com)
Date: 10/31/05

    To: 'Focus-MS' <focus-ms@securityfocus.com>
    Date: Mon, 31 Oct 2005 08:42:21 -0500
    
    

    > Sorry about chiming in very late - I don't check this list
    > often. There's a couple of things to think about here - first
    > is that there's always exceptions. For example, if there are
    > more than two or three systems in the DMZ, it makes sense to
    > have a DMZ domain just in order to be able to easily push
    > policy and manage accounts. I'd suggest doing some serious
    > hardening on the DC, but the drawbacks of not having the
    > management outweigh the drawbacks of having a domain. So I
    > disagree - unless the DMZ is trivially small, I'd recommend
    > making them domain members, just not members of the internal domain.

    Actually, that's a really good logistical point, and it's not one I meant to
    dismiss entirely. A DMZ domain isn't necessarily a bad idea, depending on how
    you expect those hosts to interact. There may be other ways to get the same
    basic effect (synchronized accounts/passwords on the DMZ systems, consistent
    security policy application). But, depending on the way the application uses
    its authentication bits, it may make sense to consider a DMZ domain. There
    are performance advantages to having them in a common Kerberos realm (2000
    or better, of course).

    In our case, we've made the decision that bastion hosts aren't members of
    any domain. But, our Windows DMZ systems can be counted on one hand, and
    that does have a big impact on our decision to leave them. We had, in past
    discussions, considered a DMZ domain. As always, YMMV.

    --
    Jim Stagg, Systems Administrator, S.P. Richards Co., 
    770-803-5724 or jstagg@sprich.com,
    6300 Highlands Pkwy., Smyrna GA 30081 
     
    > -----Original Message-----
    > From: David LeBlanc [mailto:dleblanc@mindspring.com] 
    > Sent: Sunday, October 30, 2005 6:21 PM
    > To: Jim Stagg; 'Focus-MS'
    > Subject: RE: Active Directory and IIS on production servers, 
    > and clustering
    > 
    >  
    > 
    > > -----Original Message-----
    > > From: Jim Stagg [mailto:jstagg@sprich.com]
    >  
    > > Our design has always been that public bastion hosts are NOT domain
    > > members... ever. Our MS Services guy blessed that as the
    > > Microsoft-supported position (DB in the secured network with minimal
    > > access from the DMZ-based IIS server, which in turn has only minimal
    > > access allowed from a less-trusted network). Microsoft also
    > > specifically advises against a private namespace being accessible from
    > > a public network.
    > 
    > Sorry about chiming in very late - I don't check this list 
    > often. There's a couple of things to think about here - first 
    > is that there's always exceptions. For example, if there are 
    > more than two or three systems in the DMZ, it makes sense to 
    > have a DMZ domain just in order to be able to easily push 
    > policy and manage accounts. I'd suggest doing some serious 
    > hardening on the DC, but the drawbacks of not having the 
    > management outweigh the drawbacks of having a domain. So I 
    > disagree - unless the DMZ is trivially small, I'd recommend 
    > making them domain members, just not members of the internal domain.
    > 
    > Next, consider the possibility of trusts to the internal 
    > domain. In most cases, unless there is some pressing business 
    > need to make a trust, I would _not_ establish a trust between 
    > the DMZ domain and the internal domain, but if I did, I'd 
    > make sure and use Win2k3 DCs and make it a limited trust.
    > Additionally, if I had to create a trust out into the DMZ, 
    > I'd strongly consider making 2 DMZs so that I could watch the 
    > one with the trust very, very carefully.
    > 
    > WRT putting IIS and a DC together, back in IIS 5.0 days, yes, 
    > that was a Very Bad Idea. IIS 6, OTOH, has been quite secure, 
    > and I'd say there's limited risk to pairing them. I would not 
    > under any circumstances make a publicly exposed IIS system a 
    > DC, but on my home network, I run IIS on my DC so I can run 
    > WSUS - so all this depends on the business case and the size 
    > of the network.
    > 
    > We security people often get ourselves in trouble by tending 
    > towards absolutes and failing to consider the business case. 
    > 
    > -----------------------------------------------------------------------
    > Insisting on perfect safety is for people who don't have the 
    > balls to live in the real world. Mary Shafer
    > 
    > David LeBlanc - dleblanc(at)mindspring.com
    > 
    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------
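An added audit example, not code from this thread or from either poster: a PowerShell function that checks a set of DMZ hosts against the three design points argued above (bastion hosts should not be members of the internal domain, any trust between the internal domain and a DMZ domain should be a limited trust using selective authentication, and a domain controller should not also be running IIS). The host names and the internal domain name are constructed placeholders; the script assumes the ActiveDirectory and ServerManager modules are available where it runs and that the DMZ hosts accept CIM and WinRM connections from the auditing box.

```powershell
# Added example (not from the thread): audit DMZ hosts against the design
# points discussed in the messages above. Names below are constructed.
# Assumes: ActiveDirectory + ServerManager modules on the auditing machine,
# and CIM/WinRM reachability to each host in $DmzHosts.

function Test-DmzDesign {
    param(
        [string]   $InternalDomain = 'corp.example.com',          # constructed placeholder
        [string[]] $DmzHosts       = @('dmz-web01', 'dmz-web02')  # constructed placeholders
    )

    $Findings = @()

    foreach ($Computer in $DmzHosts) {
        # Domain membership is read from Win32_ComputerSystem on the remote host.
        $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $Computer -ErrorAction Stop
        if ($cs.PartOfDomain -and ($cs.Domain -ieq $InternalDomain)) {
            $Findings += "$Computer is a member of the internal domain $InternalDomain; " +
                         "bastion hosts should be standalone or in a separate DMZ domain"
        }

        # Flag a host carrying both the DC role and IIS (the IIS-on-DC case).
        $installed = Invoke-Command -ComputerName $Computer -ScriptBlock {
            Get-WindowsFeature -Name AD-Domain-Services, Web-Server |
                Where-Object Installed |
                Select-Object -ExpandProperty Name
        }
        if (($installed -contains 'AD-Domain-Services') -and ($installed -contains 'Web-Server')) {
            $Findings += "$Computer runs IIS on a domain controller"
        }
    }

    # Any trust the internal domain has should at least be a limited trust,
    # i.e. one with selective authentication enabled; report those that are not.
    foreach ($trust in (Get-ADTrust -Filter * -Server $InternalDomain)) {
        if (-not $trust.SelectiveAuthentication) {
            $Findings += "Trust with $($trust.Name) (direction: $($trust.Direction)) " +
                         "does not use selective authentication"
        }
    }

    return $Findings
}

# Usage: run from a management host with the required modules and access.
$results = Test-DmzDesign
if ($results.Count -eq 0) { 'No findings.' } else { $results }
```

The function returns a list of plain-text findings so it can be scheduled and its output diffed over time; an empty list means every checked host is outside the internal domain, no host combines the DC role with IIS, and every trust on the internal domain is a selective-authentication trust.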
    
