In the IIS 5 days there would be no question, no hesitation whatsoever
in the answer. IIS 6 has proven itself to be way more robust and thus I
personally have a hesitation in blindly saying "it's a best practice you
know...."

Maybe it's just my wacko thinking but I'd look at the overall network
vulnerability profile [workstations/servers etc] and try to get everyone
on 2k3 and xp sp2 if you didn't already have them on that platform,
killing off Local admin, more control, etc etc..

Have you done a Network threat model [the whole data flow diagram] thing?

Also you say "web applications are the biggest attack surface"... one
could argue that should be modified by saying "crappy web apps are the
biggest...."

I'm assuming that this web app has been reviewed for secure coding
guidelines and best practices as well?

Derick Anderson wrote:
>The company I work for (as the only systems administrator) is
>considering a new implementation of their web-based software. To support
>this we will be splitting our single domain into two domains, one for
>production servers and one for employee support (file servers and
>employee workstations). We'll be using at least two IIS servers as a
>front-end to a custom-built service in the production domain.
>
>We are a fairly small company and my CIO does not believe we should
>invest money in two dedicated domain controllers for the production
>domain. He thinks that because Active Directory is not resource
>intensive that it wouldn't be a problem to make the IIS servers domain
>controllers. (The back-end servers, except for SQL Server 2000, would
>not require Windows Server 2003.) I disagree completely, for several
>reasons that I thought were obvious:
>
>1. Separation of roles is essential to security as well as reliability.
>2. Highly sensitive services such as internal DNS and Active Directory
>should never reside on a publicly accessible server.
>3. In general, web applications are the biggest attack surface of any
>organization in terms of threat volume and relative ease of
>exploitation.
>
>I'd appreciate any thoughts on this as I am fighting to follow best
>practices in our server environments. I've been reading the Windows
>Server 2003 Security Guide which unfortunately lacks the "Never ever
>have your production IIS servers be domain controllers" statement but
>implies Reasons #1 and #2 with its approach to server hardening.
>
>My second question has to do with clustering: we plan to eventually
>cluster the IIS servers. What impact does that have on Active Directory
>services?
>
>Thanks,
>
>Derick Anderson