Re: Public facing IIS/MSSQL servers in AD?

From: Eric Chamberlain (eric.chamberlain_at_newsgroups.nospam)
Date: 05/18/04


Date: Mon, 17 May 2004 19:52:15 -0700


"Tim Net" <ads@cfapostle.com> wrote in message
news:uNbYh%23APEHA.2256@TK2MSFTNGP10.phx.gbl...
> The topic is rather common: maintaining IIS and/or MSSQL Windows 200x
> servers in or Not in Active Directory.
>
> I have read plenty of white/black hat that suggests it is a reaaaally bad
> idea.
> I can think of a plethora of reasons why not to do it: hacked (Domain) admin
> accounts, "Get one..get them all..", Trojan ginas, service accounts, port
> surface area, etc. Yet, there are still camps that support AD in a public
> facing(public internet) environment.
>
> So, here are my questions should you feel like responding:
> How many servers or users can you have in such a configuration?

We have 65,000 users and 3,000 machines in an exposed environment.

> Is AD a good idea at all for exposed servers?

Sure, if properly configured. Our compromised machines have always been
caused by lack of patches, not AD compromises.

> Is there a good alternative to AD for management?

Not that is centralized and convenient.

> How many companies put their public internet machines in AD?

Probably depends on the size of the company.

> Does MSFT really Suggest this?

Most Microsoft documentation, like other vendors', now says to put machines
behind firewalls. Documentation explaining how to configure publicly
exposed machines is hard to find.
