RE: IIS6 on W2k3 DCsJan 19 2005 01:16PM Depp, Dennis M. (deppdm ornl gov) (2 replies)
The fact that IIS can be made secure does not mean it should be
installed on a domain controller. When IIS is installed on a Domain
Controller the impact of a sucessful hack is much greater than when it
is installed on a member server. If I compromise an IIS machine, I can
gain access to all the user accounts stored on this machine. In the
case of a Domain Controller, this gives me access to every account in
the Domain. From here I have access to all the data stored on Windows
machines in your network.
If the machine that is compromised is a member IIS server the hacker
will only have access to the local accounts and passwords. While they
can still use this to attack the domain controllers, they will have some
additional effort involved.
While I can protect each IIS server equally well, the damage potential
of the IIS server on a DC is much greater. This is why it is considered
a best security practice not to place IIS on a DC.
Dennis
-----Original Message-----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[mailto:sbradcpa (at) pacbell (dot) net [email concealed]]
Sent: Wednesday, January 19, 2005 1:55 AM
To: Depp, Dennis M.
Cc: Sullivan Tim P; focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Re: IIS6 on W2k3 DCs
Aren't we all missing something here as far as this discussion of
additional protection and IIS in general?
Didn't an IIS server survive OpenHackIV with IIS, SQL and IPsec? [IIS
5 even]
*Using IPsec for Network Protection. Part 1 of 2*
Last month I introduced you to IPsec, a wonderful but sometimes
bewildering bit of technology. Now that you understand what it is and
how it works, this month I'd like to highlight IPSec's ability to help
solve three common security problems.
I know about it...but know that I need wizards to help me do it
right..... but that's just me. I like wizards to help me do my job.
Command lines that include "netsh ipsec static add filter" needs to be
made easier IMHO.
installed on a domain controller. When IIS is installed on a Domain
Controller the impact of a sucessful hack is much greater than when it
is installed on a member server. If I compromise an IIS machine, I can
gain access to all the user accounts stored on this machine. In the
case of a Domain Controller, this gives me access to every account in
the Domain. From here I have access to all the data stored on Windows
machines in your network.
If the machine that is compromised is a member IIS server the hacker
will only have access to the local accounts and passwords. While they
can still use this to attack the domain controllers, they will have some
additional effort involved.
While I can protect each IIS server equally well, the damage potential
of the IIS server on a DC is much greater. This is why it is considered
a best security practice not to place IIS on a DC.
Dennis
-----Original Message-----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[mailto:sbradcpa (at) pacbell (dot) net [email concealed]]
Sent: Wednesday, January 19, 2005 1:55 AM
To: Depp, Dennis M.
Cc: Sullivan Tim P; focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Re: IIS6 on W2k3 DCs
Aren't we all missing something here as far as this discussion of
additional protection and IIS in general?
Didn't an IIS server survive OpenHackIV with IIS, SQL and IPsec? [IIS
5 even]
http://www.microsoft.com/technet/community/columns/secmgmt/sm0105.mspx
http://www.microsoft.com/technet/community/columns/secmgmt/sm121504.mspx
*Using IPsec for Network Protection. Part 1 of 2*
Last month I introduced you to IPsec, a wonderful but sometimes
bewildering bit of technology. Now that you understand what it is and
how it works, this month I'd like to highlight IPSec's ability to help
solve three common security problems.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetse
c/html/openhack.asp
I know about it...but know that I need wizards to help me do it
right..... but that's just me. I like wizards to help me do my job.
Command lines that include "netsh ipsec static add filter" needs to be
made easier IMHO.
Susan
Depp, Dennis M. wrote:
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
[ reply ]