[windows2000] Re: IIS on a domain controller

  • From: "Daniel Angelucci" <daniel_angelucci@xxxxxxxxxxx>
  • To: windows2000@xxxxxxxxxxxxx
  • Date: Fri, 06 Sep 2002 13:36:15 -0400

If you know the NBT clients that you want to communicate with, you can 
create IPSec policies to ensure that only those clients can communicate.

I don't know if there are concrete examples I can give you as to why this is 
bad, but the risk factor is definitely extreme.  Our web servers are, more 
or less, throw aways.  That is, there is nothing vital on IIS that isn't 
redundant is some easily failed-over way.  I guess I just figure sooner or 
later, we're going to get cracked.

I mean, think of all the MS security bulletins which have as a result of the 
exploit, the attacker gaining control of the machine.  If it's a DC, they 
have control of your domain.  Do you believe M$ has really managed to patch 
all the flaws that allow attackers to control a machine?  Do you believe M$ 
can get the patch to you before the hackers run the exploit?

Security is about layers; to remove a layer, especially one this important, 
is to invite problems, IMO.

Dan


>From: Aaron Dokey <adokey@xxxxxxxxxxxx>
>Reply-To: windows2000@xxxxxxxxxxxxx
>To: "'windows2000@xxxxxxxxxxxxx'" <windows2000@xxxxxxxxxxxxx>
>Subject: [windows2000] Re: IIS on a domain controller
>Date: Fri, 6 Sep 2002 11:54:10 -0400
>
>
>I'm more than used to microsoft patch cycle, everything exists already out
>there... I just need/want to get converted to an AD domain and don't have
>the extra hardware.  Running IIS of any version is a full-time job, that's
>for dang sure.
>
>There is in fact, no clients other than web clients, and they will not be
>doing anything other than regular HHTP auth over SSL.  The only machines
>that have direct access to these machines without any kind of nat or
>firewall are the other machines in the DMZ themselves.  I shoot anything
>with a shotgun if it's placed in the DMZ without my knowledge.  :)
>
>My concerns are more with web/http based attacks, i.e. what additional
>things does this make easier to compromise?  I assume that my production
>DC's on other subnets would then be vulnerable somehow because of the 
>trusts
>between the domains.  But is there a way I can limit this?  A beef I've
>always had with MS is that in order for domain trusts to work you had to
>open up NBT between servers and you couldn't pick and choose, say turn file
>sharing off and leave just the ability to verify authentication.  If there
>was a way, I never found it.  But, with AD does this change?  I would 
>assume
>that I could just allow kerberos between my DC's and leave NBT out of the
>mix completely.  That would help cut down on some of the risk.  Also,
>wouldn't it make it easier for a hacker to gain domain admin rights if they
>were attacking the DC itself?  Granted it's only the DMZ DC at that point,
>but that's still a problem.
>
>I'm looking for details on why not to do this, I know it's a bad 
>solution...
>But I would like to have some concrete examples.
>
>Thanks,
>Aaron
>
>-----------------------
>Aaron Dokey - MIS
>Reid Tool Supply
>2265 Black Creek Rd.
>Muskegon, MI   49444
>(231) 777-3951
>(231) 767-3772 (Direct)
>-----------------------
>
>-----Original Message-----
>From: Daniel Angelucci [mailto:daniel_angelucci@xxxxxxxxxxx]
>Sent: Friday, September 06, 2002 11:19 AM
>To: windows2000@xxxxxxxxxxxxx
>Subject: [windows2000] Re: IIS on a domain controller
>
>
>
>Where I work, we have no firewall, no NAT, no nothing.  As a result, our 
>DCs
>
>are live on the Internet.  There are a million implications and things to
>watch for when doing this.  Basically, security becomes much closer to a
>full time job for an 2k admin.  There's a great document from SANS about
>securing Win2k which you can order at www.sans.org.
>
>Also, you can expect a lot of downtime because you will be patching your
>servers constantly.  Most of the optional security patches are not optional
>when you are in the DMZ.  Finally, the only way to truly secure a Internet
>live DC (IMO) is using Kerberos authentication and only Kerberos
>authentication.  In addition, you would want to REQUIRE secure 
>communication
>
>between your clients and the server.  This means no legacy clients and no
>trusts to NT 4 domains.
>
>If I could, I would move my DCs behind a firewall tomorrow.  I don't have
>the option and I get attacked a lot.  Just two days ago I had to call
>Comcast security to get some !@#$%#!@ hacker removed from the Internet.
>It's not always fun, and it is a lot of work.
>
>Just my $.02
>
>Dan
>
>
> >From: Aaron Dokey <adokey@xxxxxxxxxxxx>
> >Reply-To: windows2000@xxxxxxxxxxxxx
> >To: "'windows2000@xxxxxxxxxxxxx'" <windows2000@xxxxxxxxxxxxx>
> >Subject: [windows2000] IIS on a domain controller
> >Date: Fri, 6 Sep 2002 10:39:04 -0400
> >
> >
> >I know that it's a generally accepted bad practice...  Here is the
> >situation.
> >
> >I've got a DMZ with it's own NT4 domain, and currently the domain
> >controllers are very old and slow machines (Original Pentium's, ~64MB
> >Memory).  The DC's work out just fine for now, that's all they're doing 
>and
> >the load is very light.  However, I'm planning an AD migration and would
> >like to extend that to this domain by making it a tree within our new
> >forest.  The only machines I've got that are capable of running win2k 
>with
> >any sort of speed are the servers in the DMZ themselves.  So, what 
>exactly
> >are the security implications of making one of the less used IIS boxes a 
>DC
> >for the DMZ?  Please keep in mind that it will also have trusts back into
> >our production domains outside of the DMZ.
> >
> >I don't think that I'm going to be able to purchase new hardware to serve
> >as
> >domain controllers to get this done.  Money is just too tight right now.
> >
> >Thanks,
> >Aaron
> >
> >-----------------------
> >Aaron Dokey - MIS
> >Reid Tool Supply
> >2265 Black Creek Rd.
> >Muskegon, MI   49444
> >(231) 777-3951
> >(231) 767-3772 (Direct)
> >-----------------------
> >
> >==================================
> >To Unsubscribe, set digest or vacation
> >mode or view archives use the below link.
> >
> >http://thethin.net/win2000list.cfm
>
>
>
>
>_________________________________________________________________
>MSN Photos is the easiest way to share and print your photos:
>http://photos.msn.com/support/worldwide.aspx
>
>
>==================================
>To Unsubscribe, set digest or vacation
>mode or view archives use the below link.
>
>http://thethin.net/win2000list.cfm
>
>==================================
>To Unsubscribe, set digest or vacation
>mode or view archives use the below link.
>
>http://thethin.net/win2000list.cfm




_________________________________________________________________
MSN Photos is the easiest way to share and print your photos: 
http://photos.msn.com/support/worldwide.aspx


==================================
To Unsubscribe, set digest or vacation
mode or view archives use the below link.

http://thethin.net/win2000list.cfm

Other related posts: