
| Subject: | AW: IIS6 on W2k3 DCs |
|---|---|
| Date: | Fri, 21 Jan 2005 07:21:10 +0100 |
> My guess is that you can put IIS on a domain controller if and only if the server is inside your private network and you are running some n-tier system and you have a tight budget. So much for the Web server that is not exposed (inside your private network).
Technically, you could configure your firewall to allow all the necessary ports between a DC/IIS Server in your DMZ and your internal/green network.

http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp

Technically, lots of things are possible. IIS & DC, DMZ, internal network bla bla bla .. The question is, do the added security holes/dangers justify the added functionality or cost savings.

- My .02

Brandon

-----Original Message-----
From: calin oprea [mailto:calinoprea2004@yahoo.com]
Sent: Thursday, 20 January 2005 09:18
To: focus-ms@securityfocus.com
Subject: Re: IIS6 on W2k3 DCs
In-Reply-To: <20050113142952.5617.qmail@web52805.mail.yahoo.com>

Although I am just a humble professional, I feel that simple things should be kept simple. The very reason that IIS should not be kept on a DC machine is provided by Microsoft itself: the Web Edition of their 2003 Server.

Aside from that, there's a lot to do with your design: I mean you can have a DMZ; I mean c'mon, if someone manages to hack your public network, the private one is still isolated. That is for the Web server that is exposed.

My guess is that you can put IIS on a domain controller if and only if the server is inside your private network and you are running some n-tier system and you have a tight budget. So much for the Web server that is not exposed (inside your private network).

regards,
io
The security guides published by many sources (NSA, MS, etc) stated that IIS4 and IIS5 do not belong on DCs. Common best practices would, in general, guide that an HTTP (IIS or otherwise) daemon doesn't belong on a DC. By referring to numerous security guides written specifically for NT4 and W2k we were able to convince a customer of this. Now that IIS6 has come out, and the customer feels that IIS6 is much safer than IIS4 and IIS5, they want to put it back on their DCs. I am looking for sources that document that this is a bad idea. When it comes to the NSA they don't have a guide for W2k3 but have instead pointed to Microsoft's "Windows Server 2003 Security Guide" and the use of the "High Security" settings and templates. The MS guide does (rather subtly) show that IIS should not be on a DC. They only show the HTTP service enabled on an IIS server, but I think this may not be direct enough for our client. Any help finding an explicit statement that IIS6 does not belong on a DC would be greatly appreciated.
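The "no HTTP daemon on a DC" guidance argued over in this thread can be audited rather than debated. The following PowerShell script is an added example, not part of the original thread: it enumerates every domain controller in a domain and reports which ones have the IIS World Wide Web Publishing Service (W3SVC) installed and in what state. It assumes the RSAT ActiveDirectory module, CIM/WMI reachability to each DC, and rights to query services remotely; the function and output property names are my own.

```powershell
# Added audit example, not from the original thread.
# Assumes: RSAT ActiveDirectory module, CIM (WMI) reachability to each DC,
# and rights to query services remotely.
Import-Module ActiveDirectory

function Get-DcWithIis {
    [CmdletBinding()]
    param(
        # Domain to audit; defaults to the domain of the current session
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $dcs = Get-ADDomainController -Filter * -Server $Domain

    foreach ($dc in $dcs) {
        try {
            # W3SVC is the World Wide Web Publishing Service that IIS installs.
            # Absence of the service means IIS is not installed on that DC.
            $svc = Get-CimInstance -ClassName Win32_Service `
                                   -Filter "Name='W3SVC'" `
                                   -ComputerName $dc.HostName `
                                   -ErrorAction Stop
        }
        catch {
            Write-Warning "$($dc.HostName): CIM query failed ($($_.Exception.Message))"
            continue
        }

        [pscustomobject]@{
            DomainController = $dc.HostName
            Site             = $dc.Site
            IisInstalled     = [bool]$svc
            IisState         = if ($svc) { $svc.State } else { 'n/a' }
            IisStartMode     = if ($svc) { $svc.StartMode } else { 'n/a' }
        }
    }
}

# Report only the DCs that carry an HTTP daemon, i.e. the ones that
# violate the guidance discussed above; drop the filter to see all DCs.
Get-DcWithIis | Where-Object IisInstalled | Format-Table -AutoSize
```

A DC that shows IisInstalled = True with IisState = Stopped and IisStartMode = Disabled still has the IIS binaries and attack surface present; the finding is the installation, not only the running service.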