>From: Jim Kenzig <jimkenz@xxxxxxxxxxxxxx>
>Reply-To: windows2000@xxxxxxxxxxxxx
>To: windows2000@xxxxxxxxxxxxx
>Subject: [windows2000] Re: IIS on a domain controller
>Date: Fri, 6 Sep 2002 11:30:46 -0400

Nope, because all our services are advertised as being available from the
Internet. You can map drives, print to printers, the whole nine yards.

Dan, at an undisclosed location

>
>Surely you can at least use a software firewall like Blackice or Zonealarm
>or Tiny.
>JK
>
>-----Original Message-----
>From: windows2000-bounce@xxxxxxxxxxxxx
>[mailto:windows2000-bounce@xxxxxxxxxxxxx]On Behalf Of Daniel Angelucci
>Sent: Friday, September 06, 2002 11:19 AM
>To: windows2000@xxxxxxxxxxxxx
>Subject: [windows2000] Re: IIS on a domain controller
>
>Where I work, we have no firewall, no NAT, no nothing. As a result, our DCs
>are live on the Internet. There are a million implications and things to
>watch for when doing this. Basically, security becomes much closer to a
>full-time job for a 2k admin. There's a great document from SANS about
>securing Win2k which you can order at www.sans.org.
>
>Also, you can expect a lot of downtime because you will be patching your
>servers constantly. Most of the optional security patches are not optional
>when you are in the DMZ. Finally, the only way to truly secure an
>Internet-live DC (IMO) is using Kerberos authentication and only Kerberos
>authentication. In addition, you would want to REQUIRE secure communication
>between your clients and the server. This means no legacy clients and no
>trusts to NT 4 domains.
>
>If I could, I would move my DCs behind a firewall tomorrow. I don't have
>the option and I get attacked a lot. Just two days ago I had to call
>Comcast security to get some !@#$%#!@ hacker removed from the Internet.
>It's not always fun, and it is a lot of work.
>
>Just my $.02
>
>Dan
>
> >From: Aaron Dokey <adokey@xxxxxxxxxxxx>
> >Reply-To: windows2000@xxxxxxxxxxxxx
> >To: "'windows2000@xxxxxxxxxxxxx'" <windows2000@xxxxxxxxxxxxx>
> >Subject: [windows2000] IIS on a domain controller
> >Date: Fri, 6 Sep 2002 10:39:04 -0400
> >
> >I know that it's a generally accepted bad practice... Here is the
> >situation.
> >
> >I've got a DMZ with its own NT4 domain, and currently the domain
> >controllers are very old and slow machines (original Pentiums, ~64MB
> >memory). The DCs work out just fine for now, that's all they're doing and
> >the load is very light. However, I'm planning an AD migration and would
> >like to extend that to this domain by making it a tree within our new
> >forest. The only machines I've got that are capable of running win2k with
> >any sort of speed are the servers in the DMZ themselves. So, what exactly
> >are the security implications of making one of the less used IIS boxes a
> >DC for the DMZ? Please keep in mind that it will also have trusts back
> >into our production domains outside of the DMZ.
> >
> >I don't think that I'm going to be able to purchase new hardware to serve
> >as domain controllers to get this done. Money is just too tight right now.
> >
> >Thanks,
> >Aaron
> >
> >-----------------------
> >Aaron Dokey - MIS
> >Reid Tool Supply
> >2265 Black Creek Rd.
> >Muskegon, MI 49444
> >(231) 777-3951
> >(231) 767-3772 (Direct)
> >-----------------------
> >
> >==================================
> >To Unsubscribe, set digest or vacation
> >mode or view archives use the below link.
> >
> >http://thethin.net/win2000list.cfm
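The thread's advice for a domain controller that cannot be put behind a firewall boils down to two controls: refuse the weak legacy authentication protocols (LM/NTLM) so that Kerberos is what actually gets used, and require signed and sealed communication between clients and the DC. The following PowerShell script is an added example, not something posted by anyone on the list, that audits the registry values behind those settings on a Windows DC. It assumes a PowerShell-capable Windows host run elevated (the thread is about Windows 2000, where the same values were set through Security Policy); the `RestrictReceivingNTLMTraffic` check only exists on Windows Server 2008 R2 and later and reports as not set on older systems. A value reported as "(not set)" means the OS default applies, which differs by Windows version, so it should be treated as a finding to confirm rather than an automatic pass.

```powershell
# Added example (not from the list thread): audit the registry-backed policies
# that correspond to the thread's recommendations for an Internet-exposed DC:
# refuse LM/NTLM responses, require SMB signing, and require a signed and
# sealed Netlogon secure channel. Run elevated on the DC being checked.
# Assumption: a PowerShell-capable Windows host; on Windows 2000 these values
# were managed through Security Policy rather than PowerShell.

$checks = @(
    @{ Name     = 'LM and NTLM refused (LmCompatibilityLevel = 5)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value    = 'LmCompatibilityLevel'
       Expected = 5 },
    @{ Name     = 'Incoming NTLM denied (RestrictReceivingNTLMTraffic = 2, Server 2008 R2+)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value    = 'RestrictReceivingNTLMTraffic'
       Expected = 2 },
    @{ Name     = 'SMB signing required (server side)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value    = 'RequireSecuritySignature'
       Expected = 1 },
    @{ Name     = 'SMB signing required (client side)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value    = 'RequireSecuritySignature'
       Expected = 1 },
    @{ Name     = 'Netlogon secure channel always signed or sealed'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Value    = 'RequireSignOrSeal'
       Expected = 1 },
    @{ Name     = 'Netlogon secure channel requires strong (Win2k+) session key'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Value    = 'RequireStrongKey'
       Expected = 1 }
)

# Read one registry value, returning $null when the key or value is absent
# instead of throwing, so a missing policy shows up as a finding.
function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$results = foreach ($c in $checks) {
    $actual = Get-RegValueOrNull -Path $c.Path -Name $c.Value
    [pscustomobject]@{
        Check    = $c.Name
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
        Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'FAIL' }
    }
}

$results | Format-Table -AutoSize

# Exit non-zero when any check fails so the script can gate a change ticket
# or a scheduled compliance job.
if ($results | Where-Object Status -eq 'FAIL') { exit 1 } else { exit 0 }
```

Because these values are normally pushed by Group Policy on a domain-joined machine, a FAIL usually means the policy was never configured rather than deliberately weakened; fix it in the GPO that applies to the Domain Controllers OU rather than editing the registry directly, and re-run the script after `gpupdate /force` to confirm the setting took.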