| Groups | Blog | Home |
iis security : Pro's & Con's...
Hello all,
Before I get to babbling on, please feel free to correct me if I'm wrong at any point, and please forgive the massive long post for such a simple queery! I'm in the process of designing the infrastructure for when we move to Win2k network/domain. I'm not very experianced in IIS and was looking for some advice. One problem is our current NT Domain name is no longer relevant to the company, and so we want to tidy it up from a user perspective (logging on from internet). So our upgrade strategy includes moving to a new domain name of fashion.com. Unfortunatly NT/2k logon uses netbios for domain names, so our users would still have to use our old domain name. What I did discover is if IIS sits on a Domain Controller then there's no need no put a domain name in when logging on. However whilst having a quick browse through the jungle that is Microsoft.com I came across a statement that IIS and DC on the same box can cause replication issues, and put a heavy load on the server. Now to the point. There are a few ways of implementing IIS, but what are the pros and cons of having IIS sat on Domain Controller, or a member server, or in a different forest etc??? Are there any standard practices you could reccommend? Thanks for reading all this, any help is appreciated!
[quoted text, click to view]
"Matt Rowe" <matt.rowe@quantumclothing.com> wrote in message news:06b301c39c88$730bbbe0$a501280a@phx.gbl... > Hello all, > > Before I get to babbling on, please feel free to correct > me if I'm wrong at any point, and please forgive the > massive long post for such a simple queery! > > I'm in the process of designing the infrastructure for > when we move to Win2k network/domain. > I'm not very experianced in IIS and was looking for some > advice. > One problem is our current NT Domain name is no longer > relevant to the company, and so we want to tidy it up from > a user perspective (logging on from internet). So our > upgrade strategy includes moving to a new domain name of > fashion.com. Unfortunatly NT/2k logon uses netbios for > domain names, so our users would still have to use our old > domain name. What I did discover is if IIS sits on a > Domain Controller then there's no need no put a domain > name in when logging on. Is your primary concern the ability for user to logon without typing the domain? If so, just set the default domain ... http://support.microsoft.com/?kbid=168908 -- Tom Kaminski IIS MVP http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS http://mvp.support.microsoft.com/ http://www.microsoft.com/windowsserver2003/community/centers/iis/
In article <06b301c39c88$730bbbe0$a501280a@phx.gbl>,
matt.rowe@quantumclothing.com says... [quoted text, click to view] > Hello all, > > Before I get to babbling on, please feel free to correct > me if I'm wrong at any point, and please forgive the > massive long post for such a simple queery! > > I'm in the process of designing the infrastructure for > when we move to Win2k network/domain. > I'm not very experianced in IIS and was looking for some > advice. > One problem is our current NT Domain name is no longer > relevant to the company, and so we want to tidy it up from > a user perspective (logging on from internet). So our > upgrade strategy includes moving to a new domain name of > fashion.com. Unfortunatly NT/2k logon uses netbios for > domain names, so our users would still have to use our old > domain name. What I did discover is if IIS sits on a > Domain Controller then there's no need no put a domain > name in when logging on. However whilst having a quick > browse through the jungle that is Microsoft.com I came > across a statement that IIS and DC on the same box can > cause replication issues, and put a heavy load on the > server. > > Now to the point. > There are a few ways of implementing IIS, but what are the > pros and cons of having IIS sat on Domain Controller, or a > member server, or in a different forest etc??? > Are there any standard practices you could reccommend? NEVER INSTALL IIS ON A PUBLIC BOX THAT IS A MEMBER OF YOUR DOMAIN. Your IIS box should sit in an isolated network (DMZ) and be fully protected by a firewall. It should NOT be a domain controller, unless it acts as it's own domain and has NO connection to your local network/domain. If you want to use authentication, then do so through the web application, not through NT user accounts. In other words, if your site is providing user services, have them log into an application where their user/pws is checked against a database table (or xml file) and not with the OS. If you put your site on a DC that sits in your local network you are going to get compromised - esp. if you let users have real network accounts. I say this after having managed and designed thousands of IIS sites and never having had any of them compromised, but I've seen other designers sites hacked before they were done installing them. -- -- spamfree999@rrohio.com
[quoted text, click to view] "Leythos" <void@nowhere.com> wrote in message news:MPG.1a06ff35b6295a78989d90@news-server.columbus.rr.com... > In article <06b301c39c88$730bbbe0$a501280a@phx.gbl>, > matt.rowe@quantumclothing.com says... > > Now to the point. > > There are a few ways of implementing IIS, but what are the > > pros and cons of having IIS sat on Domain Controller, or a > > member server, or in a different forest etc??? > > Are there any standard practices you could reccommend? > > NEVER INSTALL IIS ON A PUBLIC BOX THAT IS A MEMBER OF YOUR DOMAIN. Agreed. Putting IIS onto a domain controller might be acceptable IF you are a small organization with not a lot of money for extra servers, and the server is not visible from the Internet, and keeping the server secure from internal users is not a big concern for you.
In article <OGqWZ3TnDHA.2488@TK2MSFTNGP12.phx.gbl>,
levinson_k@despammed.com says... [quoted text, click to view] > > "Leythos" <void@nowhere.com> wrote in message > news:MPG.1a06ff35b6295a78989d90@news-server.columbus.rr.com... > > In article <06b301c39c88$730bbbe0$a501280a@phx.gbl>, > > matt.rowe@quantumclothing.com says... > > > > Now to the point. > > > There are a few ways of implementing IIS, but what are the > > > pros and cons of having IIS sat on Domain Controller, or a > > > member server, or in a different forest etc??? > > > Are there any standard practices you could reccommend? > > > > NEVER INSTALL IIS ON A PUBLIC BOX THAT IS A MEMBER OF YOUR DOMAIN. > > Agreed. Putting IIS onto a domain controller might be acceptable IF you are > a small organization with not a lot of money for extra servers, and the > server is not visible from the Internet, and keeping the server secure from > internal users is not a big concern for you. You can purchase a box with Windows 2000 Standard for about $1500 from Dell. Think about how much down time and data loss you will have if you are compromised because you went the CHEAP way? I've installed Exchangee and ran the company HTML only website on a single box, but the box sat in the DMZ and had no DMZ>LAN rules. The server required authentication for email every time you accessed it, but if it ever gets hacked they can't get back into the company LAN. -- -- spamfree999@rrohio.com
On Mon, 27 Oct 2003 04:47:15 -0800, "Matt Rowe"
[quoted text, click to view] <matt.rowe@quantumclothing.com> wrote: >Hello all, > >Before I get to babbling on, please feel free to correct >me if I'm wrong at any point, and please forgive the >massive long post for such a simple queery! > >I'm in the process of designing the infrastructure for >when we move to Win2k network/domain. >I'm not very experianced in IIS and was looking for some >advice. >One problem is our current NT Domain name is no longer >relevant to the company, and so we want to tidy it up from >a user perspective (logging on from internet). So our >upgrade strategy includes moving to a new domain name of >fashion.com. Unfortunatly NT/2k logon uses netbios for >domain names, so our users would still have to use our old >domain name. What I did discover is if IIS sits on a >Domain Controller then there's no need no put a domain >name in when logging on. However whilst having a quick >browse through the jungle that is Microsoft.com I came >across a statement that IIS and DC on the same box can >cause replication issues, and put a heavy load on the >server. > >Now to the point. >There are a few ways of implementing IIS, but what are the >pros and cons of having IIS sat on Domain Controller, or a >member server, or in a different forest etc??? Pros - Not really any. Cons - Plenty. From the replication issues you mention, to the security aspect of running under a domain account and so on. [quoted text, click to view] >Are there any standard practices you could reccommend? IIS on a stand-alone server, outside the firewall, for external access. A separate internal IIS for intranet use. VPN's if users need to connect from outside. Oh, and fashion.com is taken.
[quoted text, click to view] "Leythos" <void@nowhere.com> wrote in message news:MPG.1a0821559fac48f2989d99@news-server.columbus.rr.com... > You can purchase a box with Windows 2000 Standard for about $1500 from > Dell. Think about how much down time and data loss you will have if you > are compromised because you went the CHEAP way? Agreed, though there are some organizations [think churches, non-profits, small home offices, dentists offices, etc.] that may want to share files or information via HTTP and can't afford $1500. MS Small Business Server is relatively popular, even though [if I understand correctly] a typical SBS configuration puts the firewall, email server and domain controller on the same single server.
Give me a call, I think I know how to sort this out
From http://www.developmentnow.com/g/91_2003_10_0_0_363853/Pros-Cons--.htm Posted via DevelopmentNow.com Groups
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |