[windows2000] Re: IIS on a domain controller
- From: Steven Peck DNET <speck@xxxxxxxxxxxx>
- To: "'windows2000@xxxxxxxxxxxxx'" <windows2000@xxxxxxxxxxxxx>
- Date: Fri, 6 Sep 2002 10:28:15 -0700
Surely you can find a firewal of some type.
If nothing else, the software firewalls like zonealarm.
Also, free (software) is a very full featured firewall that can run on a 486
or better and either boot from floppy or CDRom can be found at
www.leaf-project.org (Either the Dachenstein distribution or Bering).
-sp
-----Original Message-----
From: Daniel Angelucci [mailto:daniel_angelucci@xxxxxxxxxxx]
Sent: Friday, September 06, 2002 8:19 AM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: IIS on a domain controller
Where I work, we have no firewall, no NAT, no nothing. As a result, our DCs
are live on the Internet. There are a million implications and things to
watch for when doing this. Basically, security becomes much closer to a
full time job for an 2k admin. There's a great document from SANS about
securing Win2k which you can order at www.sans.org.
Also, you can expect a lot of downtime because you will be patching your
servers constantly. Most of the optional security patches are not optional
when you are in the DMZ. Finally, the only way to truly secure a Internet
live DC (IMO) is using Kerberos authentication and only Kerberos
authentication. In addition, you would want to REQUIRE secure communication
between your clients and the server. This means no legacy clients and no
trusts to NT 4 domains.
If I could, I would move my DCs behind a firewall tomorrow. I don't have
the option and I get attacked a lot. Just two days ago I had to call
Comcast security to get some !@#$%#!@ hacker removed from the Internet.
It's not always fun, and it is a lot of work.
Just my $.02
Dan
>From: Aaron Dokey <adokey@xxxxxxxxxxxx>
>Reply-To: windows2000@xxxxxxxxxxxxx
>To: "'windows2000@xxxxxxxxxxxxx'" <windows2000@xxxxxxxxxxxxx>
>Subject: [windows2000] IIS on a domain controller
>Date: Fri, 6 Sep 2002 10:39:04 -0400
>
>
>I know that it's a generally accepted bad practice... Here is the
>situation.
>
>I've got a DMZ with it's own NT4 domain, and currently the domain
>controllers are very old and slow machines (Original Pentium's, ~64MB
>Memory). The DC's work out just fine for now, that's all they're doing and
>the load is very light. However, I'm planning an AD migration and would
>like to extend that to this domain by making it a tree within our new
>forest. The only machines I've got that are capable of running win2k with
>any sort of speed are the servers in the DMZ themselves. So, what exactly
>are the security implications of making one of the less used IIS boxes a DC
>for the DMZ? Please keep in mind that it will also have trusts back into
>our production domains outside of the DMZ.
>
>I don't think that I'm going to be able to purchase new hardware to serve
>as
>domain controllers to get this done. Money is just too tight right now.
>
>Thanks,
>Aaron
>
>-----------------------
>Aaron Dokey - MIS
>Reid Tool Supply
>2265 Black Creek Rd.
>Muskegon, MI 49444
>(231) 777-3951
>(231) 767-3772 (Direct)
>-----------------------
>
>==================================
>To Unsubscribe, set digest or vacation
>mode or view archives use the below link.
>
>http://thethin.net/win2000list.cfm
_________________________________________________________________
MSN Photos is the easiest way to share and print your photos:
http://photos.msn.com/support/worldwide.aspx
==================================
To Unsubscribe, set digest or vacation
mode or view archives use the below link.
http://thethin.net/win2000list.cfm
==================================
To Unsubscribe, set digest or vacation
mode or view archives use the below link.
http://thethin.net/win2000list.cfm
Other related posts:
