Re: SUS question
From: Andrew Davis [MS] (adavis_at_online.microsoft.com)
Date: 12/17/03
- Next message: Andrew Davis [MS]: "RE: restrict by browser type"
- Previous message: Andrew Davis [MS]: "RE: Best security practices for IIS6/2203"
- In reply to: Karl Levinson [x y] mvp: "Re: SUS question"
- Next in thread: Jeff Cochran: "Re: SUS question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 17 Dec 2003 15:37:58 GMT
Karl, you are right on!
It's a combination of security and performance reasons. Installing SUS
disables features for security reasons that will affect most IIS
application.
322365 Server Requirements and Recommendations for Installing Microsoft
http://support.microsoft.com/?id=322365
Microsoft recommends that the IIS server host only SUS. Although this is
not a requirement, it is a good idea because installing SUS locks down your
IIS server by installing URLScan. The WebDAV, Internet Printing, and
Indexing service features of IIS are turned off. Also, the session state is
disabled by SUS. When the session state is disabled, ASP cannot create a
session for each user who accesses an ASP program, and ASP scripts cannot
store information in the Session object or use the Session_OnStart or
Session_OnEnd events.
This posting is provided "AS IS" with no warranties, and confers no rights.
Thanks!
~Andrew Davis
Microsoft PSS Security
--------------------
| From: "Karl Levinson [x y] mvp" <levinson_k@despammed.com>
| References: <OeVLHX$wDHA.2708@TK2MSFTNGP09.phx.gbl>
| Subject: Re: SUS question
| Date: Tue, 16 Dec 2003 12:39:17 -0500
| Lines: 26
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| Message-ID: <eIz#Iu$wDHA.1088@tk2msftngp13.phx.gbl>
| Newsgroups: microsoft.public.inetserver.iis.security
| NNTP-Posting-Host: 65.202.253.132
| Path:
cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTNGXS01.phx.gbl!TK2MSFTNGXA0
5.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
| Xref: cpmsftngxa07.phx.gbl microsoft.public.inetserver.iis.security:7926
| X-Tomcat-NG: microsoft.public.inetserver.iis.security
|
| I would imagine it might be for security reasons. Installing IIS onto
| servers with other functions is generally to be avoided. SUS is fairly
| secure when the IISLockdown and URLScan installer run, but if you have to
| uninstall and reinstall IIS for any reason [for example, to fix a
problem],
| it appears to me that IISLockdown does not run again automatically even if
| you re-run the SUS install, and you get some insecure default settings
| unless you manually run IISLockdown. [And if you re-run IIS Lockdown
| manually, you get some problems that you have to manually figure out how
to
| fix, such as permitting .EXE file downloads via the URLSCAN.INI file.]
|
|
| "Dave" <dave@wellesley13.freeserve.co.uk> wrote in message
| news:OeVLHX$wDHA.2708@TK2MSFTNGP09.phx.gbl...
| > This seems the best NG for my question so here goes.
| > MS recommend installing SUS on a dedicated server. Does anyone know why
| > this is ? I appreciate the web server is heavily locked down when
| > installing SUS and can see why you wouldn't want to run other web sites
on
| > the same box. But, why would SUS affect other services, say DHCP ?
| > I may have to install SUS ona box running DHCP, RAS and WINS. The load
is
| > very light. Can anyone explain why this is a bad idea ?
| >
| > Dave
| >
| >
|
|
|
- Next message: Andrew Davis [MS]: "RE: restrict by browser type"
- Previous message: Andrew Davis [MS]: "RE: Best security practices for IIS6/2203"
- In reply to: Karl Levinson [x y] mvp: "Re: SUS question"
- Next in thread: Jeff Cochran: "Re: SUS question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
