Re: IIS security on Domain

From: karl x y
Date: 07/18/02

From: "karl x y"
Date: Wed, 17 Jul 2002 21:38:41 -0400

Best security is to keep the server standalone, unless you have good reason
to join it to a domain and are willing to accept the additional risk or take
steps to mitigate it through system architecture [usually additional
servers]. It's better to join it to a domain that is not your regular
production domain for Windows users, but again this choice is up to your
needs and your willingness to accept or manage risk.

A common reason for wanting to add a web server to a domain is if you have a
large domain of Windows users that also need access to your web server from
the internet, and you feel it is too complicated to copy users from your
domain to your web server. If you don't add it to a domain, another choice
is to set up users as local Windows accounts on the web server, and you can
use Windows 2000 Resource Kit utilities [among other methods] to export user
accounts from the Windows domain to a plain text file and then into the web
server as a one-time or occasional migration, though passwords will not stay
in sync. Different passwords on the web server and Windows domain are not a
bad thing for security, but could be a bad thing for users that have to
remember the passwords and administrators that have to take calls to reset

If your purpose for joining the web server to the domain is just to
facilitate file copies, this is not necessary. Instead, simply determine
the login ID on the domain used for copying files, and set up an identical
ID and password as a local account on the web server.

In either case, if IDs and passwords are flowing across the internet to
authenticate to your web server, you probably want an SSL certificate with
basic authentication. You can manufacture your own certificates using the
Microsoft makecert utility, but it is probably easier to buy one from a
place like, which costs $120/year per FQDN server name being

"Brian Clark" wrote in message
> I am an administrator at a small school district. We are running NT4 on
> domain controllers. I need to set up an IIS Win2k web server behind a
> firewall so that parents can access student information. Am I asking for
> trouble by adding this web server as a member server to the domain? Should
> this be a standalone server with local admin accounts that mirror domain
> accounts for file replication? Data needs to be copied to this web server
> nightly from file servers on the domain.
> Any help would be appreciated.
> Brian
