Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: IIS6 on W2k3 DCs

from [Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]] Network Security [Permanent Link]
Subject: Re: IIS6 on W2k3 DCs
Date: Sun, 16 Jan 2005 13:26:50 -0800
And I'll point you to the SBS newsgroups where we are running IIS on our DCs and our biggest issues is with passwords and SMTP auth attacks not with IIS on our DC. Sorry but you have to look at what you are protecting, the budget and the risks and balance this. I'm assuming that if the firm has spent the bucks to hire Joe they have the budget so tell them to shut up and take your advice :-)

We don get specifically "target hacked".

You have to look at the risk level folks. 

dcdave@att.net wrote:

As someone who helped write the NSA/NIST guides when I worked on the National Security Team, I recommend against running ANY unnecessary services on a Domain Controller. If a Domain Controller is compromised, so is your entire network. The risk here is in the HIGH category.
However, if circumstances (such as budget) dictate that it is *necessary* to run any other service on a DC, then
1) disable ALL other unnecessary services and ports
2) set file and ownership permissions correctly
3) Do appropriate lockdowns on both the Operating System AND every other service you have running INCLUDING IIS (there are enough guides out there I shouldn't need to include on here - if you don't know wherre to find them or you want one of mine, please reply off-list).
4) DO NOT connect a WAP to your DC :)
5) Position the DC behind multi-layered security
These are general instructions, you can quote to your client.
Then tell me who it is, so everyone can hack in and show them a screenshot of their most precious protected (not) information.
Why do businesses hire experts to advise them and then don't listen to the advice?
dcdave
--
CSO
InfoSec Group
703-626-6516

    -------------- Original message from "Susan Bradley, CPA aka Ebitz
    - SBS Rocks [MVP]" <sbradcpa@pacbell.net>: --------------


    > I may be laughed from here to kingdom come on this
    listserve...but I
    > gotta ask....
    >
    > Common best practices for whom? Define a role please? What is
    "common
    > best practices" may not be good enough for one person, but may
    be just
    > fine for another. What are they doing with this box? Exposing it to
    > the web as a web server...yeah I'd still argue that's insanity.
    >
    > But Small Business Server 2003 runs with IIS on our domain
    controller.
    > Where's MY security risks these days? Not my
    server..nope......it's my
    > desktops where my security risks lie.
    >
    > Port 80 is closed on my server but IIS is still on there. On the
    > outside is Firewall, intrusion detection and what not. Running
    with XP
    > sp2 firewalls on the inside but still need to get to more use of
    user
    > mode on the desktop.
    >
    > Am "I" freaking out over IIS on my domain controller? Nope. Not at
    > this moment. Am I freaking out over admin rights on desktops?
    >
    > You betcha I am... big time.
    > www.threatcode.com
    >
    > Susan...the wacko SBSer.
    >
    > Joe Blatz wrote:
    >
    > >The security guides published by many sources (NSA,
    > >MS, etc) stated that IIS4 and IIS5 do not belong on
    > >DCs. Common best practices would, in general, guide
    > >that an HTTP (IIS or otherwise) daemon doesn't belong
    > >on DC.
    > >
    > >By referring to numerous security guides written
    > >specifically for NT4 and W2k we were able to convince
    > >a customer of this. Now that IIS6 has come out, and
    > >the customer feels that IIS6 is much safer than IIS4
    > >and IIS5, they wan! t to put it back on their DCs.
    > >
    > >I am looking for sources that document that this is a
    > >bad idea. When it comes to the NSA they don't have a
    > >guide for W2k3 but have instead pointed to Microsoft's
    > >"Windows Server 2003 Security Guide" and the use of
    > >the "High Security" settings and templates. The MS
    > >guide does (rather subtly) show that IIS should not be
    > >on a DC. They only show the HTTP service enabled on an
    > >IIS server, but I think this may not be direct enough
    > >for our client.
    > >
    > >Any help finding an explicit statement that IIS6 does
    > >not be belong on a DC would be greatly appreciated.
    > >
    > >__________________________________________________
    > >Do You Yahoo!?
    > >Tired of spam? Yahoo! Mail has the best spam protection around
    > >http://mail.yahoo.com
    > >
    >
    >---------------------------------------------------------------------------

    >
    >---------------------------------------------------------------------------

    > >
    > >
    > >
    > >
    >
    >
    ---------------------------------------------------------------------------

    >
    ---------------------------------------------------------------------------

> 


---------------------------------------------------------------------------
---------------------------------------------------------------------------

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: IIS6 on W2k3 DCs, Sullivan Tim P
Next by Date:  RE: PGP and Outlook, Paul Kurczaba
Previous by Thread:  Re: IIS6 on W2k3 DCs, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Next by Thread:  RE: IIS6 on W2k3 DCs, Eric McCarty
Indexes:  [Date] [Thread] [Top] [All Lists]