Network Security Focus-Microsoft

RE: Active Directory and IIS on production servers, and clustering

Subject: RE: Active Directory and IIS on production servers, and clustering
Date: Tue, 27 Sep 2005 14:26:09 -0400
We're on the verge of an AD migration from an NT4-controlled domain, so I'm
no AD expert. But, I can speak to part of the issue. We have a web app built
on IIS with an MSSQL backend for authentication and client state.

Our design has always been that public bastion hosts are NOT domain
members... ever. Our MS Services guy blessed that as the Microsoft-supported
position (DB in the secured network with minimal access from the DMZ-based
IIS server, which in turn has only minimal access allowed from a
less-trusted network). Microsoft also specifically advises against a private
namespace being accessible from a public network.

In 2000, IIS is installed automatically when you select "domain controller."
That's no longer the case in 2003. There's a really good reason for that,
and I believe it's even mentioned here:

Best Practice Guide for Securing Active Directory Installations
http://www.microsoft.com/downloads/details.aspx?FamilyID=4e734065-3f18-488a-be1e-f03390ec5f91&DisplayLang=en

...which includes:

Note
In contrast to Windows 2000 Server installation, Internet Information
Services (IIS) is not installed by default in Windows Server 2003
installation. IIS is not required on a domain controller, and eliminating
IIS reduces the attack surface on the domain controller.


--
Jim Stagg, Systems Administrator, S.P. Richards Co., 
770-803-5724 or jstagg@sprich.com,
6300 Highlands Pkwy., Smyrna GA 30081 
 

-----Original Message-----
From: Derick Anderson [mailto:danderson@vikus.com] 
Sent: Monday, September 26, 2005 2:02 PM
To: Focus-MS
Subject: Active Directory and IIS on production servers, and clustering

The company I work for (as the only systems administrator) is 
considering a new implementation of their web-based software. 
To support this we will be splitting our single domain into 
two domains, one for production servers and one for employee 
support (file servers and employee workstations). We'll be 
using at least two IIS servers as a front-end to a 
custom-built service in the production domain.
 
We are a fairly small company and my CIO does not believe we 
should invest money in two dedicated domain controllers for 
the production domain. He thinks that because Active 
Directory is not resource intensive that it wouldn't be a 
problem to make the IIS servers domain controllers. (The 
back-end servers, except for SQL Server 2000, would not 
require Windows Server 2003.) I disagree completely, for 
several reasons that I thought were obvious:

1. Separation of roles is essential to security as well as 
reliability.
2. Highly sensitive services such as internal DNS and Active 
Directory should never reside on a publicly accessible server.
3. In general, web applications are the biggest attack 
surface of any organization in terms of threat volume and 
relative ease of exploitation.

I'd appreciate any thoughts on this as I am fighting to 
follow best practices in our server environments. I've been 
reading the Windows Server 2003 Security Guide which 
unfortunately lacks the "Never ever have your production IIS 
servers be domain controllers" statement but implies Reasons 
#1 and #2 with its approach to server hardening.

My second question has to do with clustering: we plan to 
eventually cluster the IIS servers. What impact does that 
have on Active Directory services?

Thanks,

Derick Anderson
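
The two rules argued in this thread (no IIS on a domain controller, and public bastion hosts never joined to the domain) are easy to state and easy to drift away from, so here is an added audit script. It is not from either poster; it is an example written for this page. It assumes Windows PowerShell 5.1 on a domain-joined admin workstation with the RSAT ActiveDirectory module loaded, RPC/WinRM reachability to the hosts being checked, and a hand-maintained inventory of DMZ hostnames (the `$DmzHosts` list below is a placeholder; `web01` and `web02` are made-up names).

```powershell
# Added example, not code from the thread. Audits the two role-separation rules:
#   1. No domain controller should have IIS installed (W3SVC service / Web-Server role).
#   2. Hosts listed as DMZ bastions should not be domain members.
# Assumptions: Windows PowerShell 5.1, RSAT ActiveDirectory module, RPC/WinRM access.
Import-Module ActiveDirectory

# Hypothetical DMZ inventory; replace with your own host list.
$DmzHosts = @('web01', 'web02')

function New-Finding {
    param([string]$Host, [string]$Rule, [string]$Detail)
    [pscustomobject]@{ Host = $Host; Rule = $Rule; Detail = $Detail }
}

function Test-DomainControllersForIIS {
    # Enumerates every DC in the current domain (needs ADWS on at least one DC).
    foreach ($dc in Get-ADDomainController -Filter *) {
        $h = $dc.HostName

        # W3SVC is the World Wide Web Publishing Service. Get-Service -ComputerName
        # queries the remote Service Control Manager over RPC, so this works on
        # 2003-era DCs too. Presence of the service means IIS is installed, even
        # if it is currently stopped.
        $w3svc = Get-Service -Name W3SVC -ComputerName $h -ErrorAction SilentlyContinue
        if ($w3svc) {
            New-Finding -Host $h -Rule 'DC-runs-IIS' -Detail "W3SVC present, state=$($w3svc.Status)"
        }

        # Second signal on 2008 R2 and later: the Web-Server role via ServerManager.
        # Older DCs or hosts without remote ServerManager simply fall through.
        try {
            $role = Get-WindowsFeature -Name Web-Server -ComputerName $h -ErrorAction Stop
            if ($role.Installed) {
                New-Finding -Host $h -Rule 'DC-runs-IIS' -Detail 'Web-Server role installed'
            }
        } catch { }
    }
}

function Test-DmzHostsForDomainMembership {
    param([string[]]$Hosts)
    foreach ($name in $Hosts) {
        # A computer object in AD means the host was joined to the domain at some point.
        $acct = Get-ADComputer -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if ($acct) {
            New-Finding -Host $name -Rule 'DMZ-host-is-domain-member' `
                -Detail "Computer object exists: $($acct.DistinguishedName)"
        }

        # Ask the host itself as well (WinRM); catches a join to some other domain
        # that the AD query above would not see.
        $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $name -ErrorAction SilentlyContinue
        if ($cs -and $cs.PartOfDomain) {
            New-Finding -Host $name -Rule 'DMZ-host-is-domain-member' `
                -Detail "Host reports PartOfDomain=True, Domain=$($cs.Domain)"
        }
    }
}

$findings = @(Test-DomainControllersForIIS) + @(Test-DmzHostsForDomainMembership -Hosts $DmzHosts)

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    'No role-separation violations found.'
}
```

Run it from a workstation that can reach the DCs; anything it lists under DC-runs-IIS is exactly the attack-surface reduction the Best Practice Guide quoted above is talking about, and anything under DMZ-host-is-domain-member is a bastion host whose compromise would hand an attacker a domain credential context. The WMI/CIM query against a DMZ host will usually fail silently if the firewall blocks WinRM from the internal network, which is itself the desirable state; the AD-side query still catches a joined host.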
