



Network Security Focus-Microsoft

Subject: IIS6 and Domain Membership (was RE: Should webservers, eg. IIS 6 have anti--virus installed on them?)
Date: Wed, 20 Jul 2005 07:12:36 -0400
This is the second time it has been addressed that IIS servers should
not be members of a domain.  I would like to refute this notion.  If I
only have one IIS server then this is OK.  If I have a server farm,
multiple IIS servers or an IIS server hitting a SQL database, then
placing the servers in an Active Directory domain greatly eases the
ability to manage these servers.  Should this domain be the same as your
internal AD domain?  NO!  Your DMZ should have its own AD domain,
preferably with no trust relationship between it and the internal
domain.  The money you save in management with a DMZ domain will greatly
outweigh the cost of a Domain Controller.  Also you should not have the
same usernames and passwords in the DMZ as you do in your AD domain.
The same is also true of a stand-alone machine: you would not want to use
your domain username and password on any machine in the DMZ.

Dennis 

-----Original Message-----
From: Paul Smith [mailto:paullocal@pscs.co.uk] 
Sent: Wednesday, July 20, 2005 3:56 AM
To: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]; Depp, Dennis M.
Cc: Jeff; focus-ms@securityfocus.com
Subject: Re: Should webservers, eg. IIS 6 have anti--virus installed on them?

At 17:17 19/07/2005, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
Okay..... so then

no OWA
no WSUS
no Sharepoint

We do get to do file and printing on this server or is that banned as
well?  Define 'web server' folks because these days we 'are' running
IIS/web servers in our domains because [at least in the case of WSUS]
it's actually helping us reduce risk and not increase it.

I'd say that if the web server is internet facing, then don't run
anything on it unless you absolutely must, and I'd be very, very
reluctant to put them on a domain. They should preferably be in a DMZ
with a firewall between them and the Internet and another between the
LAN and the Internet facing servers (or use a firewall with a built in
'DMZ' facility) - and don't just allow anything between your LAN and the
DMZ, but have tight restrictions on both firewalls.

It's cheaper to buy another low cost server PC (a few hundred UKP) to
use as your Internet facing web/mail/ftp server than it is to fix your
main domain server when it's been trashed..

If your web server is LAN facing only, then run whatever you want on it,
depending on your trust of your LAN users (IMHO). There's no harm in
running two web servers, one for OWA, WSUS, Sharepoint, etc for your
local users, and one without the dangerous stuff for your customers. If
you have remote users, set up VPNs and then they can access the internal
web server through that.



Paul                            VPOP3 - Internet Email Server/Gateway
support@pscs.co.uk                      http://www.pscs.co.uk/


