[windows2000] Re: IIS on a domain controller

  • From: "Richards, Brian" <brichard@xxxxxxxxxxxx>
  • To: "'windows2000@xxxxxxxxxxxxx'" <windows2000@xxxxxxxxxxxxx>
  • Date: Fri, 6 Sep 2002 11:52:20 -0400

I was gonna say - at home I'm using the free (for a year) McAfee firewall
that Comcast high speed internet gives to its customers (to put something
between our DSL and the WWW).

-----Original Message-----
From: Jim Kenzig [mailto:jimkenz@xxxxxxxxxxxxxx]
Sent: Friday, September 06, 2002 11:31 AM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: IIS on a domain controller

Surely you can at least use a software firewall like Blackice or Zonealarm
or Tiny.

-----Original Message-----
From: windows2000-bounce@xxxxxxxxxxxxx
[mailto:windows2000-bounce@xxxxxxxxxxxxx]On Behalf Of Daniel Angelucci
Sent: Friday, September 06, 2002 11:19 AM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: IIS on a domain controller

Where I work, we have no firewall, no NAT, no nothing.  As a result, our DCs
are live on the Internet.  There are a million implications and things to
watch for when doing this.  Basically, security becomes much closer to a
full time job for an 2k admin.  There's a great document from SANS about
securing Win2k which you can order at www.sans.org.

Also, you can expect a lot of downtime because you will be patching your
servers constantly.  Most of the optional security patches are not optional
when you are in the DMZ.  Finally, the only way to truly secure a Internet
live DC (IMO) is using Kerberos authentication and only Kerberos
authentication.  In addition, you would want to REQUIRE secure communication
between your clients and the server.  This means no legacy clients and no
trusts to NT 4 domains.

If I could, I would move my DCs behind a firewall tomorrow.  I don't have
the option and I get attacked a lot.  Just two days ago I had to call
Comcast security to get some !@#$%#!@ hacker removed from the Internet.
It's not always fun, and it is a lot of work.

Just my $.02


To Unsubscribe, set digest or vacation
mode or view archives use the below link.


Other related posts: