Re: Looking for feedback on public website security config

I probably should not reply as you ask for someone to tell
you they think you are wrong in seeing this as a bad idea.

Although it can be done safely, many of us (MVP types)
will immediately say that a DC should be a DC only, that
it should not run an application server (i.e. IIS).

Let's assume that your network config is without mistake
and so only tcp 80/443 could route to the box from outside,
and further let us assume that you have the ability to config
the machine with all of the OS level hardening best practices
(which is not trivial with a DC). Even with those you are
still placing (by what you have said) your entire internal
network at risk due to the potential for exploit of their web
application and its use of SQL. From what I heard, that
application level exposure is not within your ability to
control, so you would be saying that you trust their quality
as that could be all that protects your internal network.

Can you configure their machine so that it is isolated
rather than able to contact other internal machines?

Roger


"driley" <driley@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B8346983-9A1C-481C-A834-7F31BF9E5A83@xxxxxxxxxxxxxxxx
In my work environment we have a vendor provided solution running on our
internal network. The solution is in its own domain and there are no trust
relationships to our domain.

The vendor has a web application that they want to publish on the internet
for a limited number of users. The web application uses IIS and is installed
on their domain controller, which also hosts their application. Some of our
confidential customer information is stored on this system.

The vendor is trying to tell us that all we need to do to make this system
secure is to install an SSL certificate and open up 80 and 443 on the
firewall. The system sits inside our network and is not in a DMZ or otherwise
isolated from other internal systems.

The domain controller is not hardened in any way and is running IIS and SQL.
Basically they want to make a domain controller into a web server and they
are saying that an SSL certificate will make this a secure solution.

Someone tell me if I am wrong in thinking that this sounds like a bad idea.
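Roger's reply contrasts the box as placed (on the flat internal network, published on 80/443) with an isolated placement. As an added example that is not from the thread, the following Python models both placements as first-match firewall policies and checks the two properties he raises: what an outside client can reach on the vendor box, and which internal machines a compromised vendor box could open connections to. All addresses, subnets and rules are constructed for illustration.

```python
# Added example (not from the thread): first-match firewall model used to
# compare the proposed placement of the vendor DC with an isolated one.
# Addresses, subnets and rules below are constructed, not real.
from ipaddress import ip_address, ip_network

VENDOR_DC = "10.0.1.50"                         # vendor DC running IIS + SQL
VDC = f"{VENDOR_DC}/32"
INTERNAL_HOSTS = ["10.0.1.5", "10.0.1.10", "10.0.2.20"]  # corp DC, file server, workstation
INTERNET_CLIENT = "203.0.113.7"                 # arbitrary external address
PROBE_PORTS = [80, 443, 445, 1433, 3389]        # ports worth checking from outside

# Rule: (src_net, dst_net, proto, dst_ports or None for any, action); first match wins.
def first_match(rules, src, dst, proto, port):
    for src_net, dst_net, rproto, ports, action in rules:
        if (ip_address(src) in ip_network(src_net)
                and ip_address(dst) in ip_network(dst_net)
                and rproto in (proto, "any")
                and (ports is None or port in ports)):
            return action
    return "deny"  # implicit default deny

def exposed_ports(rules, src, dst, ports=PROBE_PORTS):
    """TCP ports on dst that src can reach under this policy."""
    return [p for p in ports if first_match(rules, src, dst, "tcp", p) == "allow"]

def lateral_targets(rules, src, hosts=INTERNAL_HOSTS, port=445):
    """Internal hosts a compromised src could open tcp/445 to."""
    return [h for h in hosts if first_match(rules, src, h, "tcp", port) == "allow"]

# Placement as proposed in the thread: published on 80/443, otherwise
# sitting on an unsegmented internal LAN with everything else.
AS_PROPOSED = [
    ("0.0.0.0/0", VDC, "tcp", {80, 443}, "allow"),      # published web app
    ("10.0.0.0/8", "10.0.0.0/8", "any", None, "allow"),  # flat internal LAN
]

# Isolated placement: same public exposure, but the box cannot initiate
# connections into the LAN and only an admin jump host may reach it.
ISOLATED = [
    ("0.0.0.0/0", VDC, "tcp", {80, 443}, "allow"),
    ("10.0.3.5/32", VDC, "tcp", {3389}, "allow"),        # admin jump host only
    (VDC, "10.0.0.0/8", "any", None, "deny"),            # no inbound-to-LAN from the box
    ("10.0.0.0/8", VDC, "any", None, "deny"),            # nothing else on the LAN talks to it
    ("10.0.0.0/8", "10.0.0.0/8", "any", None, "allow"),  # rest of LAN unchanged
]

if __name__ == "__main__":
    for name, rules in (("as proposed", AS_PROPOSED), ("isolated", ISOLATED)):
        print(name, "exposed:", exposed_ports(rules, INTERNET_CLIENT, VENDOR_DC),
              "lateral:", lateral_targets(rules, VENDOR_DC))
```

Under the proposed placement the web ports are the only external exposure, yet a compromise of the web application still reaches every internal host; the isolated policy keeps the same exposure while leaving the box nothing internal to talk to.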
