List Archives

This forum is an archive of all posts to our mailing list over the past few years.  The forum is set read only therefore to contribute you will need to join our list community.  See more info about this here.

 

When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.
Subject: [ActiveDir] [OT ... ish] Publicly accessible IIS server on AD
y2k

Posts:41

06/04/2010 7:47 AM  
Hi all

We have a 2008 web server which will be running IIS shortly. The web
app will be installed by a 3rd party so I don't know the exact details
of how it'll work as yet. The server will be accessible from the
Internet (no authentication to access) so I'm a little worried about
joining it to our domain. From a manageability point of view, I want to
join it to the domain. But I'm concerned that any vulnerabilities in IIS
could end up with serious consequences (AD data leakage etc.)

I've tried googling this but so far not come up with anything for or
against doing it. Does anybody have any advice on this? Or any links
on best practices?

Unfortunately creating a separate domain for just this server isn't an
option at the moment.

Thanks
M

Bitzie

Posts:251

06/04/2010 4:53 PM  
Vulnerabilities in IIS were circa Windows 2000. Honestly IIS has been
rock solid since then.

R2 or non R2 btw?

As a person who runs IIS along with the kitchen sink on our DCs, the
"vulnerabilities" these days come in with the applications (cross site
scripting etc), not the native IIS.

There's a security configuration wizard on the box as well as check out
the benchmarks from www.cisecurity.org.

If you have WSUS in your domain you already have an IIS site domain
joined.

I'd say the risk here comes from that third party, not IIS natively.
It's what they do to the box in the way of permissions, app pool
settings, etc that will impact you.

I'd ask over on the IIS forums as well.


martin wrote:
> Hi all
>
> We have a 2008 web server which will be running IIS shortly. The web
> app will be installed by a 3rd party so I don't know the exact details
> of how it'll work as yet. The server will be accessible from the
> Internet (no authentication to access) so I'm a little worried about
> joining it to our domain. From a manageability point of view, I want to
> join it to the domain. But I'm concerned that any vulnerabilities in IIS
> could end up with serious consequences (AD data leakage etc.)
>
> I've tried googling this but so far not come up with anything for or
> against doing it. Does anybody have any advice on this? Or any links
> on best practices?
>
> Unfortunately creating a separate domain for just this server isn't an
> option at the moment.
>
> Thanks
> M

aansari

Posts:67

06/07/2010 2:42 AM  
I would be careful of not using any high-privileged account (as a service or
task) on that IIS. Also, make sure the app is not doing so either and block
all other ports to this server other than http (https if that's required).
Other than that, I don't see any issues.

On Fri, Jun 4, 2010 at 10:51 AM, Susan Bradley <susan@sbslinks.com> wrote:

> Vulnerabilities in IIS were circa Windows 2000. Honestly IIS has been rock
> solid since then.
>
> R2 or non R2 btw?
>
> As a person who runs IIS along with the kitchen sink on our DCs, the
> "vulnerabilities" these days come in with the applications (cross site
> scripting etc), not the native IIS.
>
> There's a security configuration wizard on the box as well as check out the
> benchmarks from www.cisecurity.org.
>
> If you have WSUS in your domain you already have an IIS site domain joined.
>
> I'd say the risk here comes from that third party, not IIS natively. It's
> what they do to the box in the way of permissions, app pool settings, etc
> that will impact you.
>
> I'd ask over on the IIS forums as well.
>
>
>
> martin wrote:
>
>> Hi all
>>
>> We have a 2008 web server which will be running IIS shortly. The web
>> app will be installed by a 3rd party so I don't know the exact details
>> of how it'll work as yet. The server will be accessible from the
>> Internet (no authentication to access) so I'm a little worried about
>> joining it to our domain. From a manageability point of view, I want to
>> join it to the domain. But I'm concerned that any vulnerabilities in IIS
>> could end up with serious consequences (AD data leakage etc.)
>>
>> I've tried googling this but so far not come up with anything for or
>> against doing it. Does anybody have any advice on this? Or any links
>> on best practices?
>>
>> Unfortunately creating a separate domain for just this server isn't an
>> option at the moment.
>>
>> Thanks
>> M


--
Adeel Ansari
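
One way to check the advice in this thread about app pool settings and high-privileged accounts, as an added example that is not part of the original posts: the script reads the app pool identities from an `applicationHost.config` document and flags the ones that need attention. The function name `Get-AppPoolIdentityReport`, the pool names and the account `CORP\svc-web` are hypothetical, and the XML is a constructed sample.

```powershell
# Added example. Constructed sample in applicationHost.config layout (names are made up).
$sample = @'
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" />
      <add name="VendorApp">
        <processModel identityType="SpecificUser" userName="CORP\svc-web" />
      </add>
      <add name="LegacyPool">
        <processModel identityType="LocalSystem" />
      </add>
      <applicationPoolDefaults>
        <processModel identityType="NetworkService" />
      </applicationPoolDefaults>
    </applicationPools>
  </system.applicationHost>
</configuration>
'@
# Hypothetical helper: reports the identity each app pool runs as.
function Get-AppPoolIdentityReport {
    param([xml]$Config, [string[]]$PrivilegedAccounts = @())
    $base = '/configuration/system.applicationHost/applicationPools'
    $def  = $Config.SelectSingleNode("$base/applicationPoolDefaults/processModel")
    $defaultType = if ($null -ne $def) { $def.GetAttribute('identityType') } else { '' }
    foreach ($pool in $Config.SelectNodes("$base/add")) {
        $pm   = $pool.SelectSingleNode('processModel')
        $type = if ($null -ne $pm) { $pm.GetAttribute('identityType') } else { '' }
        $user = if ($null -ne $pm) { $pm.GetAttribute('userName') } else { '' }
        # A pool without its own setting inherits applicationPoolDefaults.
        if (-not $type) { $type = $defaultType }
        if (-not $type) { $type = '(schema default)' }
        $finding = switch ($type) {
            'LocalSystem'  { 'HIGH: runs as SYSTEM' }
            'SpecificUser' {
                if ($PrivilegedAccounts -contains $user) { 'HIGH: privileged account' }
                else { 'REVIEW: check group memberships of this account' }
            }
            default { 'ok' }
        }
        New-Object PSObject -Property @{
            Pool = $pool.GetAttribute('name'); Identity = $type
            Account = $user; Finding = $finding
        } | Select-Object Pool, Identity, Account, Finding
    }
}
# On the server, pass [xml](Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config")
Get-AppPoolIdentityReport -Config $sample -PrivilegedAccounts 'CORP\svc-web'
```

The `-PrivilegedAccounts` list is supplied by the operator; the script does not query the domain or local groups itself.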
