Focus on Microsoft
Active Directory and IIS on production servers, and clustering Sep 26 2005 06:01PM
Derick Anderson (danderson vikus com) (1 replies)
The company I work for (as the only systems administrator) is
considering a new implementation of their web-based software. To support
this we will be splitting our single domain into two domains, one for
production servers and one for employee support (file servers and
employee workstations). We'll be using at least two IIS servers as a
front-end to a custom-built service in the production domain.

We are a fairly small company and my CIO does not believe we should
invest money in two dedicated domain controllers for the production
domain. He thinks that because Active Directory is not resource
intensive, it wouldn't be a problem to make the IIS servers domain
controllers. (The back-end servers, except for SQL Server 2000, would
not require Windows Server 2003.) I disagree completely, for several
reasons that I thought were obvious:

1. Separation of roles is essential to security as well as reliability.
2. Highly sensitive services such as internal DNS and Active Directory
should never reside on a publicly accessible server.
3. In general, web applications are the biggest attack surface of any
organization in terms of threat volume and relative ease of
exploitation.

I'd appreciate any thoughts on this as I am fighting to follow best
practices in our server environments. I've been reading the Windows
Server 2003 Security Guide which unfortunately lacks the "Never ever
have your production IIS servers be domain controllers" statement but
implies Reasons #1 and #2 with its approach to server hardening.

My second question has to do with clustering: we plan to eventually
cluster the IIS servers. What impact does that have on Active Directory
services?

Thanks,

Derick Anderson

Re: Active Directory and IIS on production servers, and clustering Sep 27 2005 05:47PM
Susan Bradley (sbradcpa pacbell net)

Copyright 2010, SecurityFocus