
| Subject: | Re: IIS6 on W2k3 DCs |
|---|---|
| Date: | 14 Jan 2005 18:02:32 -0000 |
| In-Reply-To: | <20050113142952.5617.qmail@web52805.mail.yahoo.com> |

I don't think you will find somebody arguing that IIS6 must never be installed on a domain controller. As a CA will sometimes be installed on a DC (management not wanting to give you a dedicated server), you will necessarily install a really hardened IIS 6 with limited support for ASP to make the Web Certificate enrollment page available. While this is not best practice, it's reality for lots of us.

In fact you're indirectly pointing to the question of having multirole DCs. Reality, once again, is that budget is a concern when choosing to have dedicated servers. On another side, if you don't have scripts or management/IDS software to monitor security, having fewer machines (even multirole) is better to "keep a close eye".

Web management interfaces with few highly authenticated users (certificates) through W2K3/IIS6 is not a "security interdiction" to my point. Public web sites and intranets are another problem, but that comes down to bad system design (or money) when run on DCs.

Fabrice Aubry
SysAdmin, Wanadoo Hosting

| Subject: | IIS6 on W2k3 DCs |
|---|---|
| From: | Joe Blatz <sd_wireless@yahoo.com> |
| To: | focus-ms@securityfocus.com |
| Date: | Thu, 13 Jan 2005 06:29:52 -0800 (PST) |
| Message-ID: | <20050113142952.5617.qmail@web52805.mail.yahoo.com> |

The security guides published by many sources (NSA, MS, etc) stated that IIS4 and IIS5 do not belong on DCs. Common best practices would, in general, guide that an HTTP (IIS or otherwise) daemon doesn't belong on a DC.

By referring to numerous security guides written specifically for NT4 and W2k we were able to convince a customer of this. Now that IIS6 has come out, and the customer feels that IIS6 is much safer than IIS4 and IIS5, they want to put it back on their DCs.

I am looking for sources that document that this is a bad idea. When it comes to the NSA, they don't have a guide for W2k3 but have instead pointed to Microsoft's "Windows Server 2003 Security Guide" and the use of the "High Security" settings and templates. The MS guide does (rather subtly) show that IIS should not be on a DC. They only show the HTTP service enabled on an IIS server, but I think this may not be direct enough for our client.

Any help finding an explicit statement that IIS6 does not belong on a DC would be greatly appreciated.
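Both messages in this thread turn on the same question: which domain controllers are actually running an HTTP listener (a full IIS install, or the hardened IIS 6 that a CA's web enrollment page drags onto a DC). The following PowerShell audit is an added example, not code from either poster; it did not exist in the W2K3 era and assumes a current Windows PowerShell with the RSAT ActiveDirectory module, plus CIM (DCOM or WinRM) reachability to each DC. It enumerates every DC in the current domain, checks for the W3SVC service and for open ports 80/443, and reports each DC as a finding if any IIS footprint is present. The function name Get-DcIisFootprint is a hypothetical name chosen here.

```powershell
# Added example (not from the original thread): audit every domain controller for
# an IIS footprint, so that "IIS on a DC" becomes a measured finding rather than
# an opinion. Assumes Windows PowerShell + RSAT ActiveDirectory module, and that
# the DCs answer CIM queries (DCOM or WinRM) from the machine running this.
Import-Module ActiveDirectory

function Get-DcIisFootprint {
    param(
        # Optional explicit list; defaults to every DC in the current domain.
        [string[]]$DomainController = (Get-ADDomainController -Filter * |
                                       Select-Object -ExpandProperty HostName)
    )

    foreach ($dc in $DomainController) {
        $w3svc = $null
        try {
            # W3SVC (World Wide Web Publishing Service) only exists when the IIS
            # web server is installed, whether or not it is currently running.
            $w3svc = Get-CimInstance -ClassName Win32_Service -ComputerName $dc `
                                     -Filter "Name='W3SVC'" -ErrorAction Stop
        } catch {
            Write-Warning "$dc : CIM query failed ($($_.Exception.Message))"
            [pscustomobject]@{
                DomainController = $dc
                Reachable        = $false
                IisInstalled     = $null
                W3svcState       = 'unknown'
                W3svcStartMode   = 'unknown'
                Port80Open       = $null
                Port443Open      = $null
                Finding          = $true   # unreachable is itself worth a look
            }
            continue
        }

        # Second, independent signal: a DC answering on 80/443 is serving HTTP no
        # matter which product provides it (IIS, a CA enrollment site, or other).
        $p80  = Test-NetConnection -ComputerName $dc -Port 80  -InformationLevel Quiet -WarningAction SilentlyContinue
        $p443 = Test-NetConnection -ComputerName $dc -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue

        $state = if ($w3svc) { $w3svc.State }     else { 'n/a' }
        $mode  = if ($w3svc) { $w3svc.StartMode } else { 'n/a' }

        [pscustomobject]@{
            DomainController = $dc
            Reachable        = $true
            IisInstalled     = [bool]$w3svc
            W3svcState       = $state
            W3svcStartMode   = $mode
            Port80Open       = $p80
            Port443Open      = $p443
            # A stopped but installed W3SVC is still a finding: one "net start"
            # re-exposes the listener on the DC.
            Finding          = ([bool]$w3svc -or $p80 -or $p443)
        }
    }
}

# Usage: list only the DCs that need a conversation with management.
Get-DcIisFootprint | Where-Object Finding | Format-Table -AutoSize
```

Run this from a workstation with the RSAT tools and an account allowed to query services on the DCs. The two signals are deliberately separate: W3SVC tells you IIS is installed (the situation Fabrice describes for a CA's enrollment page), while the port probe catches any HTTP listener, including one that does not register as W3SVC, and it also works as a before/after check once the role is removed.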