No one is drooling over wizards!
The only thing the wizard helps with is people who don't know the
product in the first place. SBS does DCPromo on its own. Yay. But what
happens when it breaks?
This isnt just an SBS problem, its wide spread. I have seen a steady
decline in peoples ability to troubleshoot.
And remote web workplace? Who in their right mind is going to allow a
pretty portal that presents all your systems on your network to be
available. The fact that you can google remote web workplace and get
hits for peoples site scares the $#!7 out of me.
Relax, people in 'Big Server Land' arent that jealous. We get cool
geewhiz enterprise tools like SMS and MOM =)
As for best practices, you need a place to start. And a proven place to
start makes it nice. As for the Win2k3 SP1 tool breaking SBS, your not
running plain vanilla win2k3. As you know, there were a lot more
compatiblity issues back in the NT4 bases SBS editions.
-----Original Message-----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[mailto:sbradcpa@pacbell.net]
Sent: Tuesday, January 18, 2005 1:46 PM
To: postmaster
Cc: Sullivan Tim P; focus-ms@securityfocus.com
Subject: Re: IIS6 on W2k3 DCs
...well... not exactly [sorry folks for hijacking this again] as we can
indeed expand and quite frankly big server folks are drooling over our
Remote Web workplace feature and Monitoring functions.
You hit the 75 max brick wall and we have a transition pack that
"un-does" the 75 limit and allows us to break the parts off into
separate boxes.
I'll be honest with you ...our biggest threat vector IMHO are stupid
passwords and that Mail server [smtp auth attacks and what not].
For small businesses in SBSland we truly recommend a web server on the
side in a DMZ or outsourcing the web site. [see even we don't want IIS
or any web site to be straight exposed on that DC]
I just cringe these days at the words "best practices" as I think it's
too "checklisty". I think you need to evaluate the entire
risk/threat/vulnerability factors in your network and know what works
for you. Like the upcoming Security Configuration Wizard coming out in
Windows 2003 sp1... you run that "best practice tool" on our SBS 2003
box and you break the monitoring email and you possibly break our
backup. Now tell me... how did that make me safer?
Susan
Depp, Dennis M. wrote:
Tim,
I find your comments interesting. "Organizations who want fault
tolerance put resources (AKA roles) on separate boxes." This has
nothing to do with fault tolerance. If I have a machine with 1 role or
a machine with 50 roles, it is still a single point of failure. The
fact that a machine with 50 roles affects more people does not make it
any more or less of a single point of failure. To eliminate the single
point of failure, I have to use some type of redundancy. In the case
of
domain controllers, this redundancy is accomplished by adding a
separate
domain controller. In the case of a web server, Network Load Balancing
can be used. In either case the cost of this redundancy is usually
double the hardware costs. For a Small Buisness, this is not
practical.
SBS helps small buisness by providing a lower priced alternative. The
drawback to SBS is it limits your expandability. For a small buisness
this may be a good trade off.
Dennis
Sullivan Tim P wrote:
SBS doesnt have a choice.
Your box is your domain controller, and its your exchange server, so
it
has to have IIS installed. No way around it. That doesnt mean its not
going against a common school of thought based on good sensible
practice.
This seems to be a common topic, but again the more you have on one
box,
the more you lose should that one box crash, have a hardware failure,
or
be stolen by gypsies. It then comes down to the tolerance level of
your
organization to something like this.
So....
Organizations who want fault tolerance put resources (AKA roles) on
seperate boxes. DC on one, mail on another, web server on another.
Your
web server may not even be on the domain.
So is the desktop the biggest threat, probobly, but your DC is (I
would
say) your most important machine on the network, and should be
protected
accordingly. Should it fail, AD, exchange, and everything else,
including your desktop's and user accounts, are gone. Have fun
restoring
from tape, or your ASR, if one was made.
Number of employees shouldn't dictate a choice between SBS and
sepearate
products, your mission requirements should.
Tim
-----Original Message-----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[mailto:sbradcpa@pacbell.net]
Sent: Thursday, January 13, 2005 8:12 PM
To: Joe Blatz
Cc: focus-ms@securityfocus.com
Subject: Re: IIS6 on W2k3 DCs
I may be laughed from here to kingdom come on this listserve...but I
gotta ask....
Common best practices for whom? Define a role please? What is
"common
best practices" may not be good enough for one person, but may be just
fine for another. What are they doing with this box? Exposing it to
the web as a web server...yeah I'd still argue that's insanity.
But Small Business Server 2003 runs with IIS on our domain controller.
Where's MY security risks these days? Not my server..nope......it's
my
desktops where my security risks lie.
Port 80 is closed on my server but IIS is still on there. On the
outside is Firewall, intrusion detection and what not. Running with XP
sp2 firewalls on the inside but still need to get to more use of user
mode on the desktop.
Am "I" freaking out over IIS on my domain controller? Nope. Not at
this moment. Am I freaking out over admin rights on desktops?
You betcha I am... big time.
www.threatcode.com
Susan...the wacko SBSer.
Joe Blatz wrote:
The security guides published by many sources (NSA, MS, etc) stated
that IIS4 and IIS5 do not belong on DCs. Common best practices would,
in general, guide that an HTTP (IIS or otherwise) daemon doesn't
belong
on DC.
By referring to numerous security guides written specifically for NT4
and W2k we were able to convince a customer of this. Now that IIS6
has
come out, and the customer feels that IIS6 is much safer than IIS4
and
IIS5, they want to put it back on their DCs.
I am looking for sources that document that this is a bad idea. When
it
comes to the NSA they don't have a guide for W2k3 but have instead
pointed to Microsoft's "Windows Server 2003 Security Guide" and the
use
of the "High Security" settings and templates. The MS guide does
(rather subtly) show that IIS should not be on a DC. They only show
the
HTTP service enabled on an IIS server, but I think this may not be
direct enough for our client.
Any help finding an explicit statement that IIS6 does not be belong
on
a DC would be greatly appreciated.
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
---------------------------------------------------------------------
-
-
----
---------------------------------------------------------------------
-
-
----
----------------------------------------------------------------------
-
-
---
----------------------------------------------------------------------
-
-
---
----------------------------------------------------------------------
-
----
----------------------------------------------------------------------
-
----
-----------------------------------------------------------------------
-
---
-----------------------------------------------------------------------
-
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
---------------------------------------------------------------------------
---------------------------------------------------------------------------
