Re: Installing IIS on a domain controller.



If you are going to be using that domain *exclusively* to host a single server - your IIS server, then... sure! why not :-) Despite what others say, this is not at all a bad idea due to the absence of the SAM (again on condition the domain has only one member - IIS).

However this applies only if you have a single computer in the domain. If you were to add the SQL server to the domain, then we're back to the "do not recommend". Remember that once your IIS is compromised, it's possible for the attacker to gain "SYSTEM" privileges on the DC. At that point, it really doesn't matter how you secured the access between the SQL Server and the DC running IIS. Once the malicious attacker has SYSTEM rights, they can pretty much do anything to bypass your security on the domain and gain easy access to your SQL Server. That SQL Server should then still be installed on a separate domain (or standalone).

--
Roberto Franceschetti
LogSat Software
http://www.logsat.com

Jonny Bergdahl wrote:

I have seen numerous recommendations that say that it is a no-no to run IIS on a domain controller. What I haven't seen are any solid/sound reasons for that.

On a non-domain controller server, the passwords are stored in the local SAM file, a file numerous different hacking tools know how to decode and edit. On domain controllers on the other hand, the passwords are stored in the AD, and I am not aware of a single tool for decoding or editing the AD file.

This leads me to the simple conclusion that it is indeed a good idea to promote the web server to a domain controller just for the added password protection. As a clarification, I don't suggest adding the web server to an existing domain (or worse, the internal), but instead create a new domain just for the web server.

Also, say you have a web application consisting of two separate servers, one running IIS and the other SQL Server. Both machines are set up as domain controllers for the reason given above. In this case it is possible to only give SQL logon to the IIS server COMPUTER ACCOUNT, an account with a password that is managed by the domain controller, which also changes the password on a regular basis. In my view this is a very much more secure environment than running the same system without domain accounts.

Does anybody have any objections or opinions on this?

Regards;
/jb
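The point of the exchange above is the risky combination: a DC that also hosts IIS, and a domain in which that DC has other members such as a SQL Server. The following audit script is an added example written for this thread, not code from either poster. It assumes it is run in an elevated PowerShell session on the server being checked, that `Win32_ComputerSystem.DomainRole` values 4 and 5 denote a domain controller, that the IIS and default SQL Server service names are `W3SVC` and `MSSQLSERVER`, and that the ActiveDirectory module is available on a DC for counting computer accounts.

```powershell
# Added audit example (not from the thread): report whether this server is a
# domain controller that also runs IIS or SQL Server, and whether the domain
# has members beyond the DC itself. Run elevated on the server to be checked.
# Assumptions: DomainRole 4 (backup DC) / 5 (primary DC) mark a DC; service
# names W3SVC (IIS) and MSSQLSERVER (default SQL instance); ActiveDirectory
# module present on a DC. Nothing here changes configuration.

function Get-RoleExposure {
    [CmdletBinding()]
    param()

    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $isDc = $cs.DomainRole -in 4, 5

    $iis = Get-Service -Name 'W3SVC'       -ErrorAction SilentlyContinue
    $sql = Get-Service -Name 'MSSQLSERVER' -ErrorAction SilentlyContinue

    # Count computer accounts in the domain; only meaningful on a DC.
    # The count includes the DC itself, so anything above 1 means there are
    # other members that a DC compromise would expose.
    $memberCount = $null
    if ($isDc -and (Get-Module -ListAvailable -Name ActiveDirectory)) {
        Import-Module ActiveDirectory -ErrorAction SilentlyContinue
        $memberCount = (Get-ADComputer -Filter * | Measure-Object).Count
    }

    [PSCustomObject]@{
        ComputerName       = $cs.Name
        Domain             = $cs.Domain
        IsDomainController = $isDc
        IisInstalled       = [bool]$iis
        SqlInstalled       = [bool]$sql
        DomainComputers    = $memberCount
    }
}

function Get-RoleFindings {
    param([Parameter(Mandatory)] $Exposure)

    $findings = @()
    if ($Exposure.IsDomainController -and $Exposure.IisInstalled) {
        $findings += 'IIS runs on a domain controller: a web-tier compromise ' +
                     'yields SYSTEM on the DC, i.e. control of the whole domain.'
        if ($Exposure.DomainComputers -gt 1) {
            $findings += "Domain has $($Exposure.DomainComputers) computer " +
                         'accounts; every member (e.g. SQL Server) is reachable ' +
                         'through the IIS domain controller.'
        }
    }
    if ($Exposure.IsDomainController -and $Exposure.SqlInstalled) {
        $findings += 'SQL Server runs on a domain controller; the reply above ' +
                     'recommends a separate domain or a standalone server.'
    }
    return $findings
}

$exposure = Get-RoleExposure
$exposure | Format-List

$findings = Get-RoleFindings -Exposure $exposure
if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'No IIS/SQL-on-DC exposure found on this server.'
}
```

A single-member domain (DomainComputers equal to 1) with IIS on its DC matches the "exclusive" case the reply accepts; a count above 1 is the case it warns against, and the script reports it as a warning rather than silently passing.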

