Re: IIS security on Domain
From: karl x y (jamescagney90210@excite.com)
Date: 07/18/02
- Next message: Monique Lefebvre: "W32.Klez.gen@mm"
- Previous message: karl x y: "Re: Scripting removal of app mappings."
- In reply to: Brian Clark: "IIS security on Domain"
- Next in thread: James Howard: "RE: IIS security on Domain"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "karl x y" <jamescagney90210@excite.com> Date: Wed, 17 Jul 2002 21:38:41 -0400
Best security is to keep the server standalone, unless you have good reason
to join it to a domain and are willing to accept the additional risk or take
steps to mitigate it through system architecture [usually additional
servers]. It's better to join it to a domain that is not your regular
production domain for Windows users, but again this choice is up to your
needs and your willingness to accept or manage risk.

A common reason for wanting to add a web server to a domain is if you have a
large domain of Windows users that also need access to your web server from
the internet, and you feel it is too complicated to copy users from your
domain to your web server. If you don't add it to a domain, another choice
is to set up users as local Windows accounts on the web server, and you can
use Windows 2000 resource kit utilities [among other methods] to export user
accounts from the Windows domain to a plain text file and then into the web
server as a one-time or occasional migration, though passwords will not stay
in sync. Different passwords on the web server and Windows domain are not a
bad thing for security, but could be a bad thing for users that have to
remember the passwords and administrators that have to take calls to reset
passwords.

If your purpose for joining the web server to the domain is just to
facilitate file copies, this is not necessary. Instead, simply determine
the login ID on the domain used for copying files, and set up an identical
ID and password as a local account on the web server.

In either case, if IDs and passwords are flowing across the internet to
authenticate to your web server, you probably want an SSL certificate with
basic authentication. You can manufacture your own certificates using the
Microsoft makecert utility, but it is probably easier to buy one from a
place like entrust.net, which costs $120/year per FQDN server name being
protected.
"Brian Clark" <brian_w_clark@etiwanda.k12.ca.us> wrote in message
news:OOKIMFaLCHA.2588@tkmsftngp09...
> I am an administrator at a small school district. We are running NT4 on
> domain controllers. I need to set up an IIS Win2k web server behind a
> firewall so that parents can access student information. Am I asking for
> trouble by adding this web server as a member server to the domain? Should
> this be a stand alone server with local admin accounts that mirror domain
> accounts for file replication? Data needs to be copied to this web server
> nightly from file servers on the domain.
>
> Any help would be appreciated.
> Brian
>
>
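
Why the reply above pairs basic authentication with SSL, as an added example that is not part of the original post: the Basic header is only base64-encoded, so the password is readable to anyone who can see the request, and a server can refuse such credentials on a non-SSL connection. The sample request, account name, password and the `check_request` result strings are constructed for illustration.

```python
import base64

# Constructed sample request (not from the original post); the user name and
# password are made up for illustration.
_CREDS = base64.b64encode(b"parent01:Spring2002!").decode("ascii")
SAMPLE_REQUEST = (
    "GET /grades/report.asp HTTP/1.1\r\n"
    "Host: www.example.org\r\n"
    f"Authorization: Basic {_CREDS}\r\n"
    "\r\n"
)


def parse_headers(raw_request):
    """Return the request headers as a dict with lower-cased names."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def decode_basic(header_value):
    """Decode a Basic Authorization header; return (user, password) or None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def check_request(raw_request, over_tls):
    """Hypothetical server policy: accept Basic credentials only over SSL/TLS."""
    auth = parse_headers(raw_request).get("authorization")
    if auth is None:
        return "401 challenge" if over_tls else "redirect to https"
    if not over_tls:
        # The credentials already crossed the wire readable; refuse and flag.
        return "reject: Basic credentials sent without SSL"
    return "authenticate" if decode_basic(auth) else "400 malformed credentials"
```
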