Focus on Microsoft
RE: IIS6 on W2k3 DCs Jan 15 2005 05:14AM
Sullivan Tim P (tim nativemode com) (1 replies)
Re: IIS6 on W2k3 DCs Jan 17 2005 07:46PM
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa pacbell net)
We're going off topic here...but...

I just had a burglary this weekend and the fact that my SBS was in a
locked room meant that I went "oh bother" but didn't freak. And the
fact that the admin password on that desktop did not match any admin
password on the DC.

And yes we can restore... quite easily in fact, we have a wizard that
helps us with ensuring that we can.

And we have a backup wizard that walks us through ensuring that we
indeed have a backup and sends us a monitoring email to ensure that it's
working on a daily basis.

How many times in big server land do I see folks that don't have backups
and haven't tested them?

Too many. Way way too many.

Get good equipment from the get go and we don't have "single points of
failure issues" any more than you big guys do.

I still say these days my "weak spots" are obviously my workstations
both in terms of physical security and in terms of rights and
permissions. That's where I'm devoting my energies to these days.

Susan

Sullivan Tim P wrote:

>SBS doesn't have a choice.
>
>Your box is your domain controller, and it's your Exchange server, so it
>has to have IIS installed. No way around it. That doesn't mean it's not
>going against a common school of thought based on good sensible
>practice.
>
>This seems to be a common topic, but again the more you have on one box,
>the more you lose should that one box crash, have a hardware failure, or
>be stolen by gypsies. It then comes down to the tolerance level of your
>organization to something like this.
>
>So....
>
>Organizations who want fault tolerance put resources (AKA roles) on
>separate boxes. DC on one, mail on another, web server on another. Your
>web server may not even be on the domain.
>
>So is the desktop the biggest threat? Probably, but your DC is (I would
>say) your most important machine on the network, and should be protected
>accordingly. Should it fail, AD, Exchange, and everything else,
>including your desktops and user accounts, are gone. Have fun restoring
>from tape, or your ASR, if one was made.
>
>Number of employees shouldn't dictate a choice between SBS and separate
>products, your mission requirements should.
>
>Tim
>
>
>-----Original Message-----
>From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>[mailto:sbradcpa (at) pacbell (dot) net]
>Sent: Thursday, January 13, 2005 8:12 PM
>To: Joe Blatz
>Cc: focus-ms (at) securityfocus (dot) com
>Subject: Re: IIS6 on W2k3 DCs
>
>I may be laughed from here to kingdom come on this listserve...but I
>gotta ask....
>
>Common best practices for whom? Define a role please? What is "common
>best practices" may not be good enough for one person, but may be just
>fine for another. What are they doing with this box? Exposing it to
>the web as a web server...yeah I'd still argue that's insanity.
>
>But Small Business Server 2003 runs with IIS on our domain controller.
>Where are MY security risks these days? Not my server..nope......it's my
>desktops where my security risks lie.
>
>Port 80 is closed on my server but IIS is still on there. On the
>outside is Firewall, intrusion detection and what not. Running with XP
>sp2 firewalls on the inside but still need to get to more use of user
>mode on the desktop.
>
>Am "I" freaking out over IIS on my domain controller? Nope. Not at
>this moment. Am I freaking out over admin rights on desktops?
>
>You betcha I am... big time.
>www.threatcode.com
>
>Susan...the wacko SBSer.
>
>Joe Blatz wrote:
>
>>The security guides published by many sources (NSA, MS, etc) stated
>>that IIS4 and IIS5 do not belong on DCs. Common best practices would,
>>in general, guide that an HTTP (IIS or otherwise) daemon doesn't belong
>>on a DC.
>>
>>By referring to numerous security guides written specifically for NT4
>>and W2k we were able to convince a customer of this. Now that IIS6 has
>>come out, and the customer feels that IIS6 is much safer than IIS4 and
>>IIS5, they want to put it back on their DCs.
>>
>>I am looking for sources that document that this is a bad idea. When it
>>comes to the NSA they don't have a guide for W2k3 but have instead
>>pointed to Microsoft's "Windows Server 2003 Security Guide" and the use
>>of the "High Security" settings and templates. The MS guide does
>>(rather subtly) show that IIS should not be on a DC. They only show the
>>HTTP service enabled on an IIS server, but I think this may not be
>>direct enough for our client.
>>
>>Any help finding an explicit statement that IIS6 does not belong on
>>a DC would be greatly appreciated.
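The thread argues three things: a DC should not also be an HTTP server, backups are useless until you know they exist and are restorable, and the real exposure is admin rights on desktops. The script below is an added example, not code from the thread, from SBS, or from Microsoft; it turns those three arguments into a check you can run on a current Windows Server or Windows 10/11 host (Server 2012 R2 or later for Get-NetTCPConnection, Server 2016 / Windows 10 or later for Get-LocalGroupMember; none of these cmdlets existed on the 2003-era SBS box discussed above). The function names are mine, the $Expected allow-list is a placeholder you must adjust, and the Windows Server Backup cmdlets are only present when that feature is installed.

```powershell
#Requires -Version 5.1
# Added audit script (not from the thread). Reports whether this host is a
# domain controller, whether it is serving HTTP, how old the last successful
# Windows Server Backup is, and who holds local admin on a workstation.
# All function names are mine; the allow-list in Get-UnexpectedLocalAdmins
# is a placeholder.

function Get-DomainRole {
    # Win32_ComputerSystem.DomainRole: 0 standalone workstation, 1 member
    # workstation, 2 standalone server, 3 member server, 4 backup DC,
    # 5 primary DC (PDC emulator).
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    [pscustomobject]@{
        DomainRole         = $role
        IsDomainController = ($role -ge 4)
    }
}

function Get-HttpExposure {
    # The "port 80 closed but IIS still installed" state from the thread shows
    # up as W3svcState = Stopped (or 'not installed') and an empty Listeners list.
    $w3svc = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
    $listeners = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 80, 443 } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                Process      = if ($proc) { $proc.ProcessName } else { 'unknown' }
            }
        })
    [pscustomobject]@{
        W3svcState = if ($w3svc) { [string]$w3svc.Status } else { 'not installed' }
        Listeners  = $listeners
    }
}

function Get-BackupAge {
    # Windows Server Backup cmdlets; only present when the feature is installed.
    param([int]$MaxAgeDays = 1)
    if (-not (Get-Module -ListAvailable -Name WindowsServerBackup)) {
        return [pscustomobject]@{ Installed = $false; Stale = $true; SystemStateScheduled = $false }
    }
    Import-Module WindowsServerBackup
    $summary = Get-WBSummary
    $policy  = Get-WBPolicy -ErrorAction SilentlyContinue
    $last    = $summary.LastSuccessfulBackupTime
    [pscustomobject]@{
        Installed            = $true
        LastSuccessfulBackup = $last
        Stale                = (-not $last) -or (((Get-Date) - $last).TotalDays -gt $MaxAgeDays)
        # Without system state in the policy, AD cannot be restored from the backup.
        SystemStateScheduled = [bool]($policy -and $policy.SystemState)
    }
}

function Get-UnexpectedLocalAdmins {
    # For member workstations only (a DC has no separate local SAM).
    # $Expected is a placeholder allow-list; adjust it for your domain.
    param([string[]]$Expected = @("$env:COMPUTERNAME\Administrator", '\Domain Admins'))
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        Where-Object {
            $member = $_.Name
            -not ($Expected | Where-Object { $member -like "*$_" })
        }
}

$role   = Get-DomainRole
$http   = Get-HttpExposure
$backup = Get-BackupAge -MaxAgeDays 1

if ($role.IsDomainController -and $http.Listeners.Count -gt 0) {
    Write-Warning "Domain controller is serving HTTP (W3SVC is $($http.W3svcState)):"
    $http.Listeners | Format-Table -AutoSize | Out-String | Write-Warning
}
if ($backup.Stale) {
    Write-Warning "No successful backup within 1 day (last: $($backup.LastSuccessfulBackup))"
}
if ($role.IsDomainController -and -not $backup.SystemStateScheduled) {
    Write-Warning 'Backup policy does not include system state; AD is not restorable from it'
}
if (-not $role.IsDomainController) {
    $extra = @(Get-UnexpectedLocalAdmins)
    if ($extra.Count -gt 0) {
        Write-Warning "Unexpected local Administrators members: $($extra.Name -join ', ')"
    }
}
```

Run it on each box (or push it with Invoke-Command) and act on the warnings. Two caveats a practitioner would want: a fresh backup with system state is necessary but not sufficient, since only a periodic restore drill proves the backup is usable, which is the point made above about untested backups; and the local-admin check only tells you who holds rights, not whether the desktop's local Administrator password is shared with the DC's, which the thread treats as the other half of the desktop problem and which a per-machine password solution such as LAPS addresses.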
Copyright 2009, SecurityFocus