
| Subject: | [Full-disclosure] Re: Active Directory and IIS on production servers, and clustering |
|---|---|
| Date: | Wed, 28 Sep 2005 22:23:21 +0200 |
Hi,

Derick Anderson wrote:

> The company I work for (as the only systems administrator) is considering a new implementation of their web-based software. To support this we will be splitting our single domain into two domains, one for production servers and one for employee support (file servers and employee workstations). We'll be using at least two IIS servers as a front-end to a custom-built service in the production domain.
>
> <...>
>
> 1. Separation of roles is essential to security as well as reliability.
> 2. Highly sensitive services such as internal DNS and Active Directory should never reside on a publicly accessible server.

Yep. Another thing is that you should harden your system. The more services are needed, the more complicated system hardening (and debugging, if something breaks) is. The more services are running, the bigger the exposure is.

> 3. In general, web applications are the biggest attack surface of any organization in terms of threat volume and relative ease of exploitation.

Perfectly right. And they are also a good target for (D)DoS attacks ... And you could also argue from the need for network segmentation. A publicly available webserver belongs in a DMZ.

> I'd appreciate any thoughts on this as I am fighting to follow best practices in our server environments. I've been reading the Windows Server 2003 Security Guide which unfortunately lacks the "Never ever have your production IIS servers be domain controllers" statement but implies Reasons #1 and #2 with its approach to server hardening.

If you don't want to buy hardware, but invest a little bit in software, you could consider using VMware or Virtual Server to build up your environment. But of course, if you do that, you have to trust the virtualization techniques :-)

> My second question has to do with clustering: we plan to eventually cluster the IIS servers. What impact does that have on Active Directory services?

Don't do it - clustered webservers are a pain in the ass. If you want to gain flexibility and availability, use a dedicated load balancer. Clustering a webserver just adds another level of complexity.

> Thanks,
> Derick Anderson

Regards,
Reto Inversini

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
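The two points the reply agrees with (never co-locate Active Directory or internal DNS with a public IIS server, and keep the number of running services down) can be checked on a host with a short audit script. This is an added example, not code from the thread or from either poster; it assumes PowerShell 3 or later and uses the standard Windows service names for IIS (W3SVC), AD DS (NTDS) and the DNS Server (DNS). The baseline list of expected services is an assumption you would replace with the host's own build standard.

```powershell
# Added example: flag a Windows server that co-locates a public-facing IIS role
# with Active Directory / DNS, and report running services as a rough measure
# of exposure (more services running = more attack surface to harden).

# Win32_ComputerSystem.DomainRole: 0-1 workstation, 2-3 server, 4-5 domain controller
$roleNames = @{
    0 = 'Standalone Workstation';   1 = 'Member Workstation'
    2 = 'Standalone Server';        3 = 'Member Server'
    4 = 'Backup Domain Controller'; 5 = 'Primary Domain Controller'
}

$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$role = $roleNames[[int]$cs.DomainRole]
$isDC = [int]$cs.DomainRole -ge 4

function Test-ServicePresent([string]$Name) {
    # True when the service is installed, regardless of its current state
    $null -ne (Get-Service -Name $Name -ErrorAction SilentlyContinue)
}

$hasIIS = Test-ServicePresent 'W3SVC'   # IIS World Wide Web Publishing Service
$hasAD  = Test-ServicePresent 'NTDS'    # Active Directory Domain Services
$hasDNS = Test-ServicePresent 'DNS'     # DNS Server (not the client-side Dnscache)

$findings = @()
if ($hasIIS -and ($isDC -or $hasAD)) {
    $findings += "IIS (W3SVC) is installed on a domain controller ($role): move the web tier to a member server in the DMZ."
}
if ($hasIIS -and $hasDNS) {
    $findings += "DNS Server service is installed beside IIS: internal DNS must not live on a publicly reachable host."
}

# Hardening check: anything running that is not on the expected baseline needs a reason to exist.
# Assumed baseline for a dedicated IIS member server; adjust to the host's own build standard.
$expected = 'W3SVC','WAS','EventLog','RpcSs','Dhcp','Dnscache','LanmanWorkstation','Netlogon'
$running  = Get-Service | Where-Object Status -eq 'Running'
$extra    = $running | Where-Object { $expected -notcontains $_.Name } | Select-Object -ExpandProperty Name

"Host: $($cs.Name)  Role: $role"
"Running services: $($running.Count); not on baseline: $($extra.Count)"
if ($findings.Count -eq 0) { "No role co-location findings." }
else { $findings | ForEach-Object { "FINDING: $_" } }
$extra | Sort-Object | ForEach-Object { "  review: $_" }
```

Run it under an account that can query services on the host; on a correctly built DMZ web server it should print no findings and only a short list of services to review.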