Date: Wed Sep 28 21:23:34 2005
From: mlsecurity at lab42.ch (Reto Inversini)
Subject: Re: Active Directory and IIS on production servers, and clustering

Hi,

Derick Anderson wrote:
> The company I work for (as the only systems administrator) is
> considering a new implementation of their web-based software. To support
> this we will be splitting our single domain into two domains, one for
> production servers and one for employee support (file servers and
> employee workstations). We'll be using at least two IIS servers as a
> front-end to a custom-built service in the production domain.

<...>

> 
> 1. Separation of roles is essential to security as well as reliability.
> 2. Highly sensitive services such as internal DNS and Active Directory
> should never reside on a publicly accessible server.

Yep. Another thing is that you should harden your system. The more
services are needed, the more complicated system hardening (and
debugging, if something breaks) becomes. The more services are running,
the bigger the exposure is.

> 3. In general, web applications are the biggest attack surface of any
> organization in terms of threat volume and relative ease of
> exploitation.

Perfectly right. And they are also a good target for (D)DoS attacks ...
You could also argue from the need for network segmentation. A
publicly available webserver belongs in a DMZ.

> I'd appreciate any thoughts on this as I am fighting to follow best
> practices in our server environments. I've been reading the Windows
> Server 2003 Security Guide which unfortunately lacks the "Never ever
> have your production IIS servers be domain controllers" statement but
> implies Reasons #1 and #2 with its approach to server hardening.

If you don't want to buy hardware, but invest a little bit in software,
you could consider using VMWare or Virtual Server to build up your
environment. But of course, if you do that, you have to trust the
virtualization techniques :-)

> My second question has to do with clustering: we plan to eventually
> cluster the IIS servers. What impact does that have on Active Directory
> services?

Don't do it - clustered webservers are a pain in the ass. If you want to
gain flexibility and availability use a dedicated load balancer.
Clustering a webserver just adds another level of complexity.

> Thanks,
> 
> Derick Anderson

Regards
Reto Inversini
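The two points the thread keeps returning to, keeping IIS off the domain controller and keeping the service count on a public-facing box small, can be checked on the server itself. The following read-only audit script is an added example for this archive page, not code from either poster; it assumes a Windows Server release that ships the ServerManager module (Get-WindowsFeature) and Get-NetTCPConnection, an elevated session, and a service allow-list that is only a placeholder to be replaced by the site's own build standard.

```powershell
# Added example (not from the original thread): read-only self-audit for a
# host that is meant to be a front-end IIS server. Reports whether the box is
# also a domain controller or DNS server, which TCP ports listen on every
# interface, and how many running services fall outside a baseline.
# Assumes Windows Server 2012 or later, ServerManager module present,
# Get-NetTCPConnection available, run from an elevated PowerShell session.

# DomainRole from Win32_ComputerSystem: 4 = backup DC, 5 = primary DC
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$isDomainController = $cs.DomainRole -ge 4

# Role check through ServerManager; these are the standard feature names
$features  = Get-WindowsFeature -Name Web-Server, AD-Domain-Services, DNS, Web-Ftp-Server
$installed = $features | Where-Object Installed | Select-Object -ExpandProperty Name

$report = [ordered]@{
    ComputerName       = $cs.Name
    IsDomainController = $isDomainController
    InstalledRoles     = ($installed -join ', ')
}

# Flag the co-location the thread warns against: IIS next to AD DS or DNS
$conflicts = @()
if ($installed -contains 'Web-Server') {
    if ($isDomainController -or ($installed -contains 'AD-Domain-Services')) {
        $conflicts += 'IIS is running on a domain controller'
    }
    if ($installed -contains 'DNS') {
        $conflicts += 'IIS is co-located with the DNS server role'
    }
}
$report['Conflicts'] = if ($conflicts) { $conflicts -join '; ' } else { 'none' }

# Exposure: every TCP listener bound to all interfaces, with its owning process
$listeners = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -in '0.0.0.0', '::' } |
    Sort-Object LocalPort -Unique |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { 'unknown' }
        '{0}/{1}' -f $_.LocalPort, $name
    }
$report['ListeningOnAllInterfaces'] = $listeners -join ', '

# Running services outside a small baseline a hardened web front-end needs.
# The allow-list below is an assumption for this example; replace it with
# the service set from the organisation's own build standard.
$allowed = 'W3SVC', 'WAS', 'EventLog', 'Dhcp', 'Dnscache', 'LanmanServer',
           'LanmanWorkstation', 'Netlogon', 'RpcSs', 'Schedule', 'TermService',
           'WinRM', 'Winmgmt', 'wuauserv'
$extra = Get-Service |
    Where-Object { $_.Status -eq 'Running' -and $_.Name -notin $allowed } |
    Select-Object -ExpandProperty Name
$report['RunningServicesOutsideBaseline'] = @($extra).Count
$report['ExtraServices'] = ($extra -join ', ')

[pscustomobject]$report | Format-List
```

Run it on each candidate IIS host before it is put behind the load balancer; a non-empty Conflicts line or a long ListeningOnAllInterfaces list is exactly the "more services, more exposure" situation the reply describes, and the output doubles as a record of the baseline to compare against after later changes.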
