
| Subject: | RE: Active Directory and IIS on production servers, and clustering |
|---|---|
| Date: | Tue, 27 Sep 2005 13:35:24 -0400 |
Derick,

I agree with your points as to why not to put IIS on a DC. It sounds as if your boss isn't looking at security, though. If he's only looking at cost and performance, I'd have to ask why the 2nd domain? Is it a separate forest? With a two-way transitive trust between domains in a forest there's no security boundary there. Tell him to scrap the 2nd domain and let you have those two servers for IIS.

Also, while the Windows Server 2003 Security Guide doesn't say "Never ever have your production IIS servers be domain controllers," you could look at the IIS section and conclude that, since the IPSec policy they say you should apply to an IIS server would stop a DC from functioning correctly, a DC should not be an IIS server.

Brady

-----Original Message-----
From: Derick Anderson [mailto:danderson@vikus.com]
Sent: Monday, September 26, 2005 2:02 PM
To: Focus-MS
Subject: Active Directory and IIS on production servers, and clustering

The company I work for (as the only systems administrator) is considering a new implementation of their web-based software. To support this we will be splitting our single domain into two domains, one for production servers and one for employee support (file servers and employee workstations). We'll be using at least two IIS servers as a front-end to a custom-built service in the production domain.

We are a fairly small company and my CIO does not believe we should invest money in two dedicated domain controllers for the production domain. He thinks that because Active Directory is not resource intensive it wouldn't be a problem to make the IIS servers domain controllers. (The back-end servers, except for SQL Server 2000, would not require Windows Server 2003.)

I disagree completely, for several reasons that I thought were obvious:

1. Separation of roles is essential to security as well as reliability.
2. Highly sensitive services such as internal DNS and Active Directory should never reside on a publicly accessible server.
3. In general, web applications are the biggest attack surface of any organization in terms of threat volume and relative ease of exploitation.

I'd appreciate any thoughts on this as I am fighting to follow best practices in our server environments. I've been reading the Windows Server 2003 Security Guide, which unfortunately lacks the "Never ever have your production IIS servers be domain controllers" statement but implies Reasons #1 and #2 with its approach to server hardening.

My second question has to do with clustering: we plan to eventually cluster the IIS servers. What impact does that have on Active Directory services?

Thanks,

Derick Anderson
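Brady's argument (the guide's IPSec filter list for an IIS server would stop a DC from working) and Derick's reason #2 (AD services on a publicly reachable host) can be made concrete with a small policy model. The following is an added example written for this archive page; it is not code from the thread, from either poster, or from the Windows Server 2003 Security Guide. The IIS inbound rule set is a constructed approximation of the guide's "allow web traffic, block everything else" stance, not a copy of its filter list, and the DC listener table is constructed from well-known Active Directory port assignments.

```python
"""Model the clash between a hardened-IIS inbound IPsec filter list and the
listeners a domain controller must serve.

Added example for the Focus-MS thread; the rule set and listener table below
are constructed approximations, not the Security Guide's own filter lists.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Inbound listeners a domain controller must serve (constructed from
# well-known AD port assignments; not an exhaustive list).
DC_LISTENERS: Dict[Tuple[str, int], str] = {
    ("udp", 53): "DNS",
    ("tcp", 53): "DNS (zone transfers, large responses)",
    ("udp", 88): "Kerberos",
    ("tcp", 88): "Kerberos",
    ("tcp", 135): "RPC endpoint mapper (replication, admin tools)",
    ("udp", 389): "LDAP (DC locator pings)",
    ("tcp", 389): "LDAP",
    ("tcp", 445): "SMB (SYSVOL, NETLOGON, Group Policy)",
    ("tcp", 464): "Kerberos password change",
    ("tcp", 636): "LDAPS",
    ("tcp", 3268): "Global Catalog",
    ("tcp", 3269): "Global Catalog over SSL",
}


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "block"
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None matches any port

    def matches(self, proto: str, port: int) -> bool:
        return self.proto in ("any", proto) and self.port in (None, port)

    def specificity(self) -> int:
        # IPsec filter lists apply the most specific matching filter; a
        # protocol-and-port filter beats a protocol-only one beats a catch-all.
        return int(self.proto != "any") + int(self.port is not None)


# Constructed approximation of a hardened IIS server's inbound policy:
# web traffic from anywhere, RDP for administration, everything else blocked.
IIS_INBOUND_POLICY: List[Rule] = [
    Rule("allow", "tcp", 80),
    Rule("allow", "tcp", 443),
    Rule("allow", "tcp", 3389),
    Rule("block", "any", None),
]


def evaluate(policy: List[Rule], proto: str, port: int) -> str:
    """Most-specific-match evaluation; on a tie, block wins; no match blocks."""
    best: Optional[Tuple[int, str]] = None
    for rule in policy:
        if not rule.matches(proto, port):
            continue
        spec = rule.specificity()
        if best is None or spec > best[0] or (spec == best[0] and rule.action == "block"):
            best = (spec, rule.action)
    return best[1] if best else "block"


def blocked_dc_services(policy: List[Rule] = IIS_INBOUND_POLICY,
                        listeners: Dict[Tuple[str, int], str] = DC_LISTENERS
                        ) -> Dict[Tuple[str, int], str]:
    """DC listeners that the given inbound policy would prevent from working."""
    return {k: v for k, v in listeners.items() if evaluate(policy, *k) == "block"}


def dc_compatible_policy(policy: List[Rule] = IIS_INBOUND_POLICY,
                         listeners: Dict[Tuple[str, int], str] = DC_LISTENERS
                         ) -> List[Rule]:
    """The allow rules that would have to be added for the DC to function,
    i.e. the AD surface an internet-facing IIS host would then expose."""
    needed = [Rule("allow", proto, port) for (proto, port) in blocked_dc_services(policy, listeners)]
    return needed + list(policy)


if __name__ == "__main__":
    for (proto, port), svc in sorted(blocked_dc_services().items()):
        print(f"blocked by IIS policy: {proto}/{port:<5} {svc}")
    print(f"extra inbound allow rules needed to run a DC here: "
          f"{len(dc_compatible_policy()) - len(IIS_INBOUND_POLICY)}")
```

Run stand-alone, the script lists every DC listener the IIS policy silences (all of them, since the policy only admits 80, 443 and 3389) and counts the allow rules that would have to be punched into the web server's policy to make it a working DC. Either outcome is the point of the thread: keep the guide's IIS policy and the DC is broken, or open the AD ports and the internet-facing host is now advertising LDAP, Kerberos, SMB and RPC.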