Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Active Directory and IIS on production servers, and clustering

From: Reto Inversini <mlsecurity () lab42 ch>
Date: Wed, 28 Sep 2005 22:23:21 +0200
Hi,

Derick Anderson schrieb:

The company I work for (as the only systems administrator) is
considering a new implementation of their web-based software. To support
this we will be splitting our single domain into two domains, one for
production servers and one for employee support (file servers and
employee workstations). We'll be using at least two IIS servers as a
front-end to a custom-built service in the production domain.


<...>



1. Separation of roles is essential to security as well as reliability.
2. Highly sensitive services such as internal DNS and Active Directory
should never reside on a publicly accessible server.


Yep. Another thing is, that you should harden your system. The more
services are needed the more complicated a system hardening (and
debugging, if something breaks) is. The more services are running, the
bigger the exposure is.


3. In general, web applications are the biggest attack surface of any
organization in terms of threat volume and relative ease of
exploitation.


Perfectly right. And they are also a good target for (D)DOS attacks ...
And you could also argument by the need of a network segmentation. A
publicly available webserver belongs in a DMZ.


I'd appreciate any thoughts on this as I am fighting to follow best
practices in our server environments. I've been reading the Windows
Server 2003 Security Guide which unfortunately lacks the "Never ever
have your production IIS servers be domain controllers" statement but
implies Reasons #1 and #2 with its approach to server hardening.


If you don't want to buy hardware, but invest a little bit in software,
you could consider using VMWare or Virtual Server to build up your
environment. But of course, if you do that, you have to trust the
virtualization techniques :-)


My second question has to do with clustering: we plan to eventually
cluster the IIS servers. What impact does that have on Active Directory
services?


Don't do it - clustered webservers are a pain in the ass. If you want to
gain flexibility and availability use a dedicated load balancer.
Clustering a webserver just adds another level of complexity.


Thanks,

Derick Anderson


Regards
Reto Inversini

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: