Network Security Focus-Microsoft

RE: Active Directory and IIS on production servers, and clustering

Subject: RE: Active Directory and IIS on production servers, and clustering
Date: Tue, 27 Sep 2005 14:22:31 -0400
Inline...

-----Original Message-----
From: Susan Bradley [mailto:sbradcpa@pacbell.net] 
Sent: Tuesday, September 27, 2005 1:48 PM
To: Derick Anderson
Cc: Focus-MS
Subject: Re: Active Directory and IIS on production servers, and clustering

Define 'small company'?

We've got 22 employees and 11 Windows-based servers (we also have a
Linux firewall and four Linux servers). Of the Windows servers, 7 are
absolutely essential to our production environment. We've just passed a
SAS70 type-II audit (somehow).

In the IIS 5 days there would be no question, no hesitation
whatsoever in the answer. IIS 6 has proven itself to be way
more robust and thus I personally have a hesitation in
blindly saying "it's a best practice you know...."

Maybe it's just my wacko thinking but I'd look at the overall 
network vulnerability profile [workstations/servers etc] and 
try to get everyone on 2k3 and xp sp2 if you didn't already 
have them on that platform, killing off Local admin, more 
control, etc etc..

Have you done a Network threat model [the whole data flow 
diagram] thing?

I've been working on this but we are still in the small-business mindset
where we don't move forward until current resources are exhausted
(including old Windows licenses). Fortunately we've got everything
running at least Windows 2000 and our older computers are breaking.

I haven't started with a Network threat model as I've been concentrating
on the general hardening of our servers and workstations.

Also you say "web applications are the biggest attack 
surface"... one could argue that should be modified by saying 
"crappy web apps are the biggest...."

I'm assuming that this web app has been reviewed for secure 
coding guidelines and best practices as well?

The application has not been reviewed for anything and I'm hoping to
push that once I take care of securing the network environment. At this
point (for me) it's an unknown.

Derick Anderson wrote:

The company I work for (as the only systems administrator) is
considering a new implementation of their web-based software. To
support this we will be splitting our single domain into two domains,
one for production servers and one for employee support (file servers
and employee workstations). We'll be using at least two IIS servers as
a front-end to a custom-built service in the production domain.

We are a fairly small company and my CIO does not believe we should
invest money in two dedicated domain controllers for the production
domain. He thinks that because Active Directory is not resource
intensive that it wouldn't be a problem to make the IIS servers domain
controllers. (The back-end servers, except for SQL Server 2000, would
not require Windows Server 2003.) I disagree completely, for several
reasons that I thought were obvious:

1. Separation of roles is essential to security as well as reliability.
2. Highly sensitive services such as internal DNS and Active Directory
should never reside on a publicly accessible server.
3. In general, web applications are the biggest attack surface of any
organization in terms of threat volume and relative ease of
exploitation.

I'd appreciate any thoughts on this as I am fighting to follow best
practices in our server environments. I've been reading the Windows
Server 2003 Security Guide which unfortunately lacks the "Never ever
have your production IIS servers be domain controllers" statement but
implies Reasons #1 and #2 with its approach to server hardening.

My second question has to do with clustering: we plan to eventually
cluster the IIS servers. What impact does that have on Active Directory
services?

Thanks,

Derick Anderson


Derick Anderson
