Re: Should IIS svr NOT be in domain
From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 06/10/05
- Previous message: Joe Richards [MVP]: "Re: Should IIS svr NOT be in domain"
- In reply to: Joe Richards [MVP]: "Re: Should IIS svr NOT be in domain"
- Next in thread: Karl Levinson, mvp: "Re: Should IIS svr NOT be in domain"
Date: Thu, 09 Jun 2005 19:06:52 -0400
I forgot to respond to the SBS question.
IMO, SBS is a bad idea for lots of reasons. The major issue being running ANY
non-DC based services on a DC. These machines are chock full of vectors for
someone to have their AD ripped to shreds. On the positive side, the companies
that run these tend to be fairly small and rebuilding from scratch wouldn't be
the same task as it would be in say a Walmart or something like that.
If Bob's House of Bungie Cords couldn't log on for a couple of days, it wouldn't
be an earth shattering event.
--
Joe Richards
Microsoft MVP Windows Server Directory Services
www.joeware.net

Joe Richards [MVP] wrote:
> 1. Yes it is a security risk. The risk being any compromise of that box
> can cause information disclosure of data in your directory. Additionally
> someone could possibly use the machine to cause a DOS attack on your
> directory for your internal users.
>
> You can try to secure a box but the cardinal rule is you can never say a
> box is truly secure, you can only say that you aren't aware of any way
> to exploit it. There is a world of difference there because there could
> be someone better than you who does know how to compromise it or
> something could come out later to compromise it. If you think this is
> the way to go, I highly recommend using dual authentication for the
> machine with the initial auth being a securid token or cert or something
> like that you have to be successful with prior to getting to enter a
> Windows userid/password combination.
>
> Additionally, the external internet should not be able to reach a
> machine on your internal network unless you are using reverse proxy by
> specific port. Period. Do not dual home, do not open your network up to
> the internet, it is just silly.
>
> 2. I would recommend a standalone unless you have multiple machines that
> need to work with each other, if that is the case, then you want to set
> up a small domain in the DMZ for all of the machines to utilize. Neither
> this domain nor any of the machines should be able to reach back to the
> intranet and should not be able to be directly reached from the intranet
> except for maybe through an SSH port or TS.
>
> joe
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> Georgia Sam wrote:
>
>> We've got one IIS server in our small network. Customers access it
>> from the outside (www & ftp). We have one AD domain. I've heard that
>> it's a security risk for the IIS server to be a domain member.
>>
>> 1) How true is that? (I wonder because for example, MS markets SBS to
>> be both a web server AND domain CONTROLLER, gateway, etc.) So how bad
>> could it be to join a web server to the domain?
>>
>> 2) If it IS worthwhile to separate the web server from the domain,
>> should it;
>> -be alone in its own domain? (w/ no trusts)
>> -be a stand alone server? And if so doesn't matter if the workgroup
>> name is the same as the domain name?
>>
>> Thanks!
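The rules Joe lays out in the quoted reply (no membership in the internal AD domain, no dual-homing, nothing reachable from outside except the published ports, no reach-back from the DMZ to the intranet) can be checked from the web server itself. The script below is an added example written for this thread, not code posted by anyone in it. It assumes PowerShell 5.1 or later on Windows Server 2012 R2 or later (for the Get-Net* cmdlets), and the intranet hostnames, ports and the expected-listener list are placeholders to replace with your own.

```powershell
# Added example, not from the thread: a read-only posture check for a Windows
# web server against the advice quoted above. Hostnames and ports below are
# placeholders; replace them with your own environment's values.

function Get-WebServerPosture {
    param(
        # Placeholder intranet hosts the DMZ box should NOT be able to reach.
        [string[]]$IntranetHosts = @('dc01.corp.example', 'fileserver.corp.example'),
        # Placeholder intranet service ports (LDAP, SMB, RDP).
        [int[]]$IntranetPorts = @(389, 445, 3389),
        # Ports the box is expected to listen on (www and ftp, as in the question).
        [int[]]$ExpectedListeners = @(21, 80, 443)
    )
    $findings = @()

    # 1. Domain membership: the advice is a standalone box or a separate DMZ
    #    domain, never membership in the internal AD domain.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        $findings += "Joined to domain '$($cs.Domain)': confirm this is a DMZ domain, not the internal AD domain."
    } else {
        $findings += "Standalone server (workgroup '$($cs.Workgroup)')."
    }

    # 2. Dual-homing: more than one interface carrying a routable IPv4 address
    #    means the box straddles two networks.
    $addrs = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' }
    $ifCount = ($addrs | Select-Object -ExpandProperty InterfaceIndex -Unique).Count
    if ($ifCount -gt 1) {
        $findings += "Dual-homed: $ifCount interfaces carry IPv4 addresses ($($addrs.IPAddress -join ', '))."
    }

    # 3. Listening services: anything beyond the published ports deserves review,
    #    since the internet should reach only what the reverse proxy forwards.
    $listen = Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -ne '127.0.0.1' -and $_.LocalAddress -ne '::1' } |
        Select-Object -ExpandProperty LocalPort -Unique | Sort-Object
    $extra = $listen | Where-Object { $_ -notin $ExpectedListeners }
    if ($extra) {
        $findings += "Unexpected listening ports: $($extra -join ', ')."
    }

    # 4. Reach-back: a DMZ host should not be able to open connections to
    #    intranet services, so a successful TCP connect here is a finding.
    foreach ($h in $IntranetHosts) {
        foreach ($p in $IntranetPorts) {
            $r = Test-NetConnection -ComputerName $h -Port $p -WarningAction SilentlyContinue
            if ($r.TcpTestSucceeded) {
                $findings += "Reach-back possible: ${h}:$p accepts connections from this host."
            }
        }
    }
    return $findings
}

Get-WebServerPosture | ForEach-Object { Write-Output $_ }
```

Run it as a local administrator on the web server; every line it prints other than "Standalone server" is something to reconcile with the firewall and domain design. It only observes (CIM queries, local socket tables, outbound TCP connects to your own intranet hosts) and changes nothing.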