[windows2000] Re: IIS on a domain controller

  • From: "Daniel Angelucci" <daniel_angelucci@xxxxxxxxxxx>
  • To: windows2000@xxxxxxxxxxxxx
  • Date: Fri, 06 Sep 2002 13:30:19 -0400

>From: Jim Kenzig <jimkenz@xxxxxxxxxxxxxx>
>Reply-To: windows2000@xxxxxxxxxxxxx
>To: windows2000@xxxxxxxxxxxxx
>Subject: [windows2000] Re: IIS on a domain controller
>Date: Fri, 6 Sep 2002 11:30:46 -0400
Nope, because all our services are advertised as being available from the 
Internet.  You can map drives, print to printers, the whole nine yards.

Dan, at an undisclosed location

>
>
>Surely you can at least use a software firewall like Blackice or Zonealarm
>or Tiny.
>JK
>
>-----Original Message-----
>From: windows2000-bounce@xxxxxxxxxxxxx
>[mailto:windows2000-bounce@xxxxxxxxxxxxx]On Behalf Of Daniel Angelucci
>Sent: Friday, September 06, 2002 11:19 AM
>To: windows2000@xxxxxxxxxxxxx
>Subject: [windows2000] Re: IIS on a domain controller
>
>
>
>Where I work, we have no firewall, no NAT, no nothing.  As a result, our DCs
>are live on the Internet.  There are a million implications and things to
>watch for when doing this.  Basically, security becomes much closer to a
>full time job for a 2k admin.  There's a great document from SANS about
>securing Win2k which you can order at www.sans.org.
>
>Also, you can expect a lot of downtime because you will be patching your
>servers constantly.  Most of the optional security patches are not optional
>when you are in the DMZ.  Finally, the only way to truly secure an Internet
>live DC (IMO) is using Kerberos authentication and only Kerberos
>authentication.  In addition, you would want to REQUIRE secure communication
>between your clients and the server.  This means no legacy clients and no
>trusts to NT 4 domains.
>
>If I could, I would move my DCs behind a firewall tomorrow.  I don't have
>the option and I get attacked a lot.  Just two days ago I had to call
>Comcast security to get some !@#$%#!@ hacker removed from the Internet.
>It's not always fun, and it is a lot of work.
>
>Just my $.02
>
>Dan
>
>
> >From: Aaron Dokey <adokey@xxxxxxxxxxxx>
> >Reply-To: windows2000@xxxxxxxxxxxxx
> >To: "'windows2000@xxxxxxxxxxxxx'" <windows2000@xxxxxxxxxxxxx>
> >Subject: [windows2000] IIS on a domain controller
> >Date: Fri, 6 Sep 2002 10:39:04 -0400
> >
> >
> >I know that it's a generally accepted bad practice...  Here is the
> >situation.
> >
> >I've got a DMZ with its own NT4 domain, and currently the domain
> >controllers are very old and slow machines (Original Pentiums, ~64MB
> >Memory).  The DCs work out just fine for now, that's all they're doing and
> >the load is very light.  However, I'm planning an AD migration and would
> >like to extend that to this domain by making it a tree within our new
> >forest.  The only machines I've got that are capable of running win2k with
> >any sort of speed are the servers in the DMZ themselves.  So, what exactly
> >are the security implications of making one of the less used IIS boxes a DC
> >for the DMZ?  Please keep in mind that it will also have trusts back into
> >our production domains outside of the DMZ.
> >
> >I don't think that I'm going to be able to purchase new hardware to serve as
> >domain controllers to get this done.  Money is just too tight right now.
> >
> >Thanks,
> >Aaron
> >
> >-----------------------
> >Aaron Dokey - MIS
> >Reid Tool Supply
> >2265 Black Creek Rd.
> >Muskegon, MI   49444
> >(231) 777-3951
> >(231) 767-3772 (Direct)
> >-----------------------
> >
> >==================================
> >To Unsubscribe, set digest or vacation
> >mode or view archives use the below link.
> >
> >http://thethin.net/win2000list.cfm
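As an added defender-side check, not part of this thread or of any list member's post: a PowerShell script that reads the registry values behind the "Kerberos only, require secure communication" posture Dan describes and flags what falls short. It assumes a current Windows DC with the ActiveDirectory module (a 2002-era Win2k box has neither PowerShell nor the NTLM-restriction values), and the "Want" values are this example's own assumed hardened baseline, not settings quoted from the thread.

```powershell
# Added audit example (not from the thread). Run in an elevated PowerShell on the DC.
# Each entry: the registry value, the assumed hardened setting, and why it matters
# for a DC exposed to untrusted networks. A missing value is reported as "(not set)".
$checks = @(
    @{ Name = 'LmCompatibilityLevel'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Want = 5; Why = 'Send NTLMv2 only, refuse LM/NTLM (legacy clients will break)' },
    @{ Name = 'RestrictReceivingNTLMTraffic'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Want = 2; Why = 'Deny all inbound NTLM so only Kerberos is accepted' },
    @{ Name = 'RequireSecuritySignature'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Want = 1; Why = 'Require SMB signing from every client' },
    @{ Name = 'LDAPServerIntegrity'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Want = 2; Why = 'Require LDAP signing on the directory service' }
)

$results = foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $have = $null
    if ($null -ne $item) { $have = $item.($c.Name) }
    $status = 'FIX'
    if ($have -eq $c.Want) { $status = 'OK' }
    $shown = '(not set)'
    if ($null -ne $have) { $shown = $have }
    [pscustomobject]@{
        Setting = $c.Name
        Current = $shown
        Wanted  = $c.Want
        Status  = $status
        Reason  = $c.Why
    }
}
$results | Format-Table -AutoSize

# Down-level (NT4-style) trusts cannot use Kerberos, which is why the thread
# says "no trusts to NT 4 domains". Flag any that still exist; skipped if the
# ActiveDirectory module is not available on this host.
if (Get-Command Get-ADTrust -ErrorAction SilentlyContinue) {
    Get-ADTrust -Filter * |
        Where-Object { $_.TrustType -eq 'Downlevel' } |
        ForEach-Object { Write-Warning "Down-level (NT4-style) trust present: $($_.Name)" }
}
```

Any row marked FIX means a client can still fall back to LM/NTLM or unsigned SMB/LDAP against this DC, which is exactly the exposure the thread warns about.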