"Leythos" <void@nowhere.lan> wrote in message =
news:MPG.1c5c684de139b2b989fb1@news-server.columbus.rr.com...
> In article <u9MtVVJAFHA.1300@TK2MSFTNGP14.phx.gbl>, carlfenley-X-@-X-
> san.rr.com says...
> > I do want to begin forwarding port 80 after I complete the new =

>=20
> As long as you don't have anything on the 2003 server that you care=20
> about, then it's perfectly fine to just expose port 80 and wait for it =

> to get attacked/hacked.
>=20
> If you want to do it properly, you need to be thinking about some of =
the=20
> following:
>=20
> 1) Web servers should NOT be part of the trusted domain, actually =
there=20
> is not valid reason I've come across to make them part of the domain.
>=20
> 2) Web servers should not be in the same networks as trusted computers =
-=20
> separate them via a firewall and only map ports between the LAN<>DMZ =
for=20
> the necessary access, never for domain level authentication.
>=20
> 3) SQL servers should not be in the DMZ or running on the web server.
>=20
> 4) If you are forced to run SQL Server on the web server, you do not=20
> want to set up the server as a DOMAIN, there is no reason to use=20
> Network/Domain user accounts to access the SQL server - use a SQL user =

> logon from the web app. Do not use the SA account in your =
web/odbc/other=20
> scripts to access the database - create a User in SQL that you code =
for.
>=20
> 5) SQL server as a back-end to the web requires a CPU license for SQL=20
> server unless you are running SBS - those cost about $5,000 retail=20
> (each).
>=20
> 6) The web server should NOT have any user accounts with the same =
names=20
> or passwords as any other computer in the network - rename the=20
> Administrator account to something else - use a 14 character password.
>=20
> 7) Install IIS and all IIS components on a different partition than =
the=20
> Operating system - try creating a "F" partition, C & D are often coded =

> into hacks, but F through Z are not used in even 1% of the hacks I've=20
> seen.
>=20
> 8) Remove access to system files from the IIS user accounts - remove =
ALL=20
> access to CMD and programs like it from anyone except the =
Administrator=20
> account - there is no reason that anyone other than the Administrator=20
> really needs access to it on a web server.
>=20
> 9) Consider (strongly) using authentication for visitors - since this =
is=20
> a family web server setup a single USER account with a big password,=20
> tell the family about it - block Anonymous access and require they use =

> the user/password to see ANY page. This one thing will help a lot.
>=20
> 10) Install server quality antivirus software.
>=20
> 11) Do not install anything that is not 110% needed - remove/disable =
all=20
> services that you don't actually need.
>=20
> 12) Patch/Update/run the BSA several times.
>=20
> 13) Have all the router logs sent to a second computer/server and READ =

> THEM frequently, looking for inbound attempts - also read the IIS =
logs.
>=20
> I know this sounds like a lot, but I've been running IIS since version =

> 4, have corporate customers (fortune 500) with IIS on public servers,=20
> and have never been compromised - ever. It's worth the effort to me.
>=20
> If you can't afford a second license, consider 2003 Web Server =
edition,=20
> it's cheap.
>=20
> --=20

<carlfenley-X-@-X-san.rr.com> wrote:

>I am preparing to migrtate my Server 2003 Enterprise Edition to new hardware and will likely reinstall. I am currently running IIS 6.0 and SQL Server on my Domain Controller, which is not recommended according to the MBSA. However, I am not currently fowarding ANY ports from my router to the server. So only family members can access those features from computers in this house.
>
>I do want to begin forwarding port 80 after I complete the new installation and begin serving standard web pages and ASP applications to the Internet. Assuming very low traffic (less than 25 visitors per day) and customary security settings and procedures, how much should I be concerned about having IIS and my Domain Controller on the same computer? Does your answer change if I enable the FTP server and begin forwarding the corresponding port?
>
>My reluctance is that I already have a workstation and a server for my personal use and only one Windows Server 2003 license. I am loathe to keep a third computer running Windows 2000 Advanced Server just to be a domain controller, but would consider it depending on the level of alarm presented in the resposes to this post.

> I do want to begin forwarding port 80 after I complete the new installation and begin serving standard web pages and ASP applications to the Internet. Assuming very low traffic (less than 25 visitors per day) and customary security settings and procedures, how much should I be concerned about having IIS and my Domain Controller on the same computer? Does your answer change if I enable the FTP server and begin forwarding the corresponding port?

> "Leythos" <void@nowhere.lan> wrote in message news:MPG.1c5c684de139b2b989fb1@news-server.columbus.rr.com...
> > In article <u9MtVVJAFHA.1300@TK2MSFTNGP14.phx.gbl>, carlfenley-X-@-X-
> > san.rr.com says...
> > > I do want to begin forwarding port 80 after I complete the new installation and begin serving standard web pages and ASP applications to the Internet. Assuming very low traffic (less than 25 visitors per day) and customary security settings and procedures, how much should I be concerned about having IIS and my Domain Controller on the same computer? Does your answer change if I enable the FTP server and begin forwarding the corresponding port?
> >
> > As long as you don't have anything on the 2003 server that you care
> > about, then it's perfectly fine to just expose port 80 and wait for it
> > to get attacked/hacked.
> >
> > If you want to do it properly, you need to be thinking about some of the
> > following:
> >
> > 1) Web servers should NOT be part of the trusted domain, actually there
> > is not valid reason I've come across to make them part of the domain.
> >
> > 2) Web servers should not be in the same networks as trusted computers -
> > separate them via a firewall and only map ports between the LAN<>DMZ for
> > the necessary access, never for domain level authentication.
> >
> > 3) SQL servers should not be in the DMZ or running on the web server.
> >
> > 4) If you are forced to run SQL Server on the web server, you do not
> > want to set up the server as a DOMAIN, there is no reason to use
> > Network/Domain user accounts to access the SQL server - use a SQL user
> > logon from the web app. Do not use the SA account in your web/odbc/other
> > scripts to access the database - create a User in SQL that you code for.
> >
> > 5) SQL server as a back-end to the web requires a CPU license for SQL
> > server unless you are running SBS - those cost about $5,000 retail
> > (each).
> >
> > 6) The web server should NOT have any user accounts with the same names
> > or passwords as any other computer in the network - rename the
> > Administrator account to something else - use a 14 character password.
> >
> > 7) Install IIS and all IIS components on a different partition than the
> > Operating system - try creating a "F" partition, C & D are often coded
> > into hacks, but F through Z are not used in even 1% of the hacks I've
> > seen.
> >
> > 8) Remove access to system files from the IIS user accounts - remove ALL
> > access to CMD and programs like it from anyone except the Administrator
> > account - there is no reason that anyone other than the Administrator
> > really needs access to it on a web server.
> >
> > 9) Consider (strongly) using authentication for visitors - since this is
> > a family web server setup a single USER account with a big password,
> > tell the family about it - block Anonymous access and require they use
> > the user/password to see ANY page. This one thing will help a lot.
> >
> > 10) Install server quality antivirus software.
> >
> > 11) Do not install anything that is not 110% needed - remove/disable all
> > services that you don't actually need.
> >
> > 12) Patch/Update/run the BSA several times.
> >
> > 13) Have all the router logs sent to a second computer/server and READ
> > THEM frequently, looking for inbound attempts - also read the IIS logs.
> >
> > I know this sounds like a lot, but I've been running IIS since version
> > 4, have corporate customers (fortune 500) with IIS on public servers,
> > and have never been compromised - ever. It's worth the effort to me.
> >
> > If you can't afford a second license, consider 2003 Web Server edition,
> > it's cheap.
> >
> > --
>
> Out of curiosity, how does Small Business Server manage to securely run IIS, SharePoint, and Exchanger servers ALL on a DC where Windows 2003 should not?

"Vagabond Software" <carlfenley-X-@-X-san.rr.com> wrote in message =
news:u9MtVVJAFHA.1300@TK2MSFTNGP14.phx.gbl...

> Thanks for the replies and the advice. Like I said, it's not really a matter of money as I have the hardware and the Windows 2000 Advanced Server license, but I just don't want the added machine to manage. I think I will proceed as planned but with extreme caution and (hopefully) an adequate Disaster Recovery plan in the event of a successful breach.

"Vagabond Software" wrote:

> I am preparing to migrtate my Server 2003 Enterprise Edition to new hardware and will likely reinstall. I am currently running IIS 6.0 and SQL Server on my Domain Controller, which is not recommended according to the MBSA. However, I am not currently fowarding ANY ports from my router to the server. So only family members can access those features from computers in this house.
>
> I do want to begin forwarding port 80 after I complete the new installation and begin serving standard web pages and ASP applications to the Internet. Assuming very low traffic (less than 25 visitors per day) and customary security settings and procedures, how much should I be concerned about having IIS and my Domain Controller on the same computer? Does your answer change if I enable the FTP server and begin forwarding the corresponding port?
>
> My reluctance is that I already have a workstation and a server for my personal use and only one Windows Server 2003 license. I am loathe to keep a third computer running Windows 2000 Advanced Server just to be a domain controller, but would consider it depending on the level of alarm presented in the resposes to this post.
>
> Any advice is greatly appreciated.
>
> carl