IIS Server Security archive, November 2004

IIS6 in a DMZ with Win2K AD and Non MS Firewalls
Hello all,
I have been trawling round the net most of today and I am struggling to come
up with an agreed best practice for securing an IIS6 server that is based in
a DMZ, with a Win2K Active Directory.
I have several concerns:
What are people's views on best practice for Firewalls (non MS). In a DMZ the
internal side of the firewall presumably has to have the relevant AD ports
open if I want the IIS6 machine to be able to participate in the domain, but
is it secure?
I mean if the IIS6 box was compromised then it would be fairly easy to work
out which ports to look on for access through the firewall to the AD. Is
it even sensible to make the IIS6 machine part of the domain, after all it
will be hosting a public website, so I have no real need to authenticate to
the AD. I guess the only advantage of being a member of the domain is for
Group Policies etc, but perhaps it's better to apply security policies by hand?
Secondly
The MS IIS6 Hardening docs I have looked at expect a 2003 member server
security baseline to have already been applied, but obviously if I decide to
make the iis6 machine standalone then I will not be able to apply it? And if
I do make it a member of the domain then it will still not be relevant as all
the DC's are Win2K?!
Some help and advice would be greatly appreciated!
Cheers
Nick
Jeff Cochran 2004-11-17, 5:50 pm
On Wed, 17 Nov 2004 09:05:07 -0800, "Nick"
<Nick@discussions.microsoft.com> wrote:
>I have been trawling round the net most of today and I am struggling to come
>up with an agreed best practice for securing an IIS6 server that is based in
>a DMZ, with a Win2K Active Directory.
>I have several concerns:
>
>What are peoples views on best practice for Firewalls (non MS). In a DMZ the
>internal side of the firewall presumably has to have the relevant AD ports
>open if I want the IIS6 machine to be able to participate in the domain, but
>is it secure?
>I mean if the IIS6 box was compromised then it would be fairly easy to work
>out which ports to to look on for access through the firewall to the AD. Is
>it even sensible to make the IIS6 machine part of the domain, after all it
>will be hosting a public website, so I have no real need to authenticate to
>the AD. I guess the only advantage of being a member of the domain is for
>Group Policies etc, but perhaps its better to apply security policies by hand?
>
>Secondly
>The MS IIS6 Hardening docs I have looked at expect a 2003 member server
>security baseline to have already been applied, but obviously if I decide to
>make the iis6 machine standalone then I will not be able to apply it? And if
>I do make it a member of the domain then it will still not be relevant as all
>the DC's are Win2K?!
>
>Some help and advice would be greatly appreciated!
Never make any system that faces outward a part of a domain or use AD
on it (unless forced to for other reasons, like the boss says to).
Stand alone server only. You don't need group policies and everything
is available through simple TCP/IP in *most* cases.
Jeff
Hi Jeff,
Thanks that sounds like good advice! In that case does anyone have a good
guide to hardening a standalone IIS6 server?
Cheers
Nick
"Jeff Cochran" wrote:
> On Wed, 17 Nov 2004 09:05:07 -0800, "Nick"
> <Nick@discussions.microsoft.com> wrote:
>
>
>
> Never make any system that faces outward a part of a domain or use AD
> on it (unless forced to for other reasons, like the boss says to).
> Stand alone server only. You don't need group policies and everything
> is available through simple TCP/IP in *most* cases.
>
> Jeff
>
Karl Levinson, mvp 2004-11-18, 7:47 am
Agree with Jeff's advice. If you open up AD and Windows networking from the
DMZ web server to the internal domain, you might as well not have a firewall
at all. A hacker who compromises the web server then easily has access to
the rest of the domain.
hardening IIS6:
www.microsoft.com/technet/security
www.microsoft.com/windows
"Nick" <Nick@discussions.microsoft.com> wrote in message
news:2D651403-EA57-44DB-B782-AB351AEEFB6D@microsoft.com...
> Hi Jeff,
>
> Thanks that sounds like good advice! In that case does anyone have a good
> guide to hardening a standalone IIS6 server?
> Cheers
> Nick
>
> "Jeff Cochran" wrote:
>
Andrew McCall 2004-11-18, 7:47 am
jeff.nospam@zina.com (Jeff Cochran) wrote in message news:<41a0cd25.1650192671@msnews.microsoft.com>...
> On Wed, 17 Nov 2004 09:05:07 -0800, "Nick"
> <Nick@discussions.microsoft.com> wrote:
>
>
> Never make any system that faces outward a part of a domain or use AD
> on it (unless forced to for other reasons, like the boss says to).
> Stand alone server only. You don't need group policies and everything
> is available through simple TCP/IP in *most* cases.
Would it be considered ok to create a second AD domain for machines in
the DMZ, then use the domain to apply group policies, run an SUS
server etc. on the "unsecure" servers in the DMZ. If you did this you
could also set up a one way trust to the secure domain.
Any comments?
Thanks,
Andrew McCall
Hi,
Andrew has a good point that a standalone machine then becomes more
difficult to manage, and what about a web farm of more machines, all security
patches etc would have to be done by hand?
The documents on the Microsoft site all expect the IIS6 server to be part of
a domain. They all start off with "apply the member server baseline security
template before starting on hardening off IIS"
Presumably I cannot do this if the machine is not a member server!?
As an aside, what are the feelings on IIS6, is it secure out of the box?
"Andrew McCall" wrote:
> jeff.nospam@zina.com (Jeff Cochran) wrote in message news:<41a0cd25.1650192671@msnews.microsoft.com>...
>
> Would it be considered ok to create a second AD domain for machines in
> the DMZ, then use the domain to apply group policies, run an SUS
> server etc. on the "unsecure" servers in the DMZ. If you did this you
> could also set up a one way trust to the secure domain.
>
> Any comments?
>
> Thanks,
>
> Andrew McCall
>
Jeff Cochran 2004-11-18, 5:51 pm
On Thu, 18 Nov 2004 02:18:01 -0800, "Nick"
<Nick@discussions.microsoft.com> wrote:
>Thanks that sounds like good advice! In that case does anyone have a good
>guide to hardening a standalone IIS6 server?
In addition to Karl's sites for hardening, the CYA Securing IIS 6 book
is very good for this.
Jeff
Jeff Cochran 2004-11-18, 5:51 pm
On 18 Nov 2004 05:51:14 -0800, andrew.mccall@gmail.com (Andrew McCall)
wrote:
>jeff.nospam@zina.com (Jeff Cochran) wrote in message news:<41a0cd25.1650192671@msnews.microsoft.com>...
>
>Would it be considered ok to create a second AD domain for machines in
>the DMZ, then use the domain to apply group policies, run an SUS
>server etc. on the "unsecure" servers in the DMZ. If you did this you
>could also set up a one way trust to the secure domain.
>
>Any comments?
That's better than joining an internal domain, but you still have AD
as another avenue of attack, and trusts between domains usually imply
Microsoft Networking ports being opened.
All this naturally depends on your organization and needs. If you
have two servers in a DMZ then a domain to manage them doesn't offer
much improvement. If you had 350 servers in your DMZ, you'd want a
domain, or maybe several to handle management functions.
I'm personally a minimalist. If you can't overwhelmingly justify
running something, don't. Our DMZ servers are all stand alone, and
only run the specific services needed by that server. We have no file
shares, everything is transferred by FTP or SSH. Fewer potential
holes equals less places to screw up. 
Jeff
Jeff Cochran 2004-11-18, 5:51 pm
On Thu, 18 Nov 2004 06:59:14 -0800, "Nick"
<Nick@discussions.microsoft.com> wrote:
>Andrew has a good point that a standalone machine then becomes more
>difficult to manage, and what about a webfarm of more machines, all security
>patches etc would have to be done by hand?
>
>The documents on the Microsoft site all expect the IIS6 server to be part of
>a domain. They all start off with "apply the member server baseline security
>template before starting on hardening off IIS"
That's true. And there are definite positives to a domain in terms of
management. But everything you do to ease management also eases the
job of a hacker as well.
>Presumambly I cannot do this if the machine is not a member server!?
I've never tried. 
>As an aside, what are the feelings on IIS6, is it secure out of the box?
Nothing is secure out of the box, and everything becomes insecure when
added to an environment with insecure pieces. But that doesn't mean
there's a lot of hardening you have to do. For example, if you only
open port 80 in your firewall to the DMZ, you may not need to worry
about an SMTP server getting hacked as much.
Overall, it's a lot more secure than its predecessors. Services start
turned off or locked down and you have to allow them, such as ASP.
But an admin that didn't know how to shut the holes is just as likely
to open them without realizing it when they start shut.
Jeff
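As an added example that is not part of this thread: a small audit over a constructed, vendor-neutral firewall rule export that flags the case Karl describes (DMZ web server allowed to reach internal AD and Windows-networking ports) and passes the port-80-only rule Jeff describes. The Rule layout, zone names and sample rules are assumptions made for this example; the port numbers are the well-known AD service ports.

```python
# Added example: flag DMZ-to-internal firewall rules that expose AD ports.
# Rule layout, zone names and sample rules are constructed; adapt the Rule
# loading to your own firewall's export format.
from collections import namedtuple

# Ports a domain-joined Windows host needs to reach its DCs (well-known
# service assignments); 49152-65535 is the Windows dynamic RPC range.
AD_PORTS = {88: "Kerberos", 135: "RPC mapper", 139: "NetBIOS", 389: "LDAP",
            445: "SMB", 464: "kpasswd", 636: "LDAPS", 3268: "Global Catalog"}
RPC_DYNAMIC = range(49152, 65536)

Rule = namedtuple("Rule", "src_zone dst_zone ports action")  # ports: "80", "88,389", "49152-65535" or "any"


def expand_ports(spec):
    """Return the set of ports a spec covers, or None when it means 'any'."""
    spec = spec.strip().lower()
    if spec in ("any", "*"):
        return None
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def audit(rules, dmz="dmz", internal="internal"):
    """(rule index, reason) for each DMZ->internal allow rule that exposes
    AD/Windows-networking ports; a port-80-only rule is not reported."""
    findings = []
    for i, r in enumerate(rules):
        if r.action.lower() != "allow" or (r.src_zone, r.dst_zone) != (dmz, internal):
            continue
        ports = expand_ports(r.ports)
        if ports is None:
            hits = ["any port: AD and Windows networking fully exposed"]
        else:
            hits = [f"{p}/{AD_PORTS[p]}" for p in sorted(ports) if p in AD_PORTS]
            if any(p in RPC_DYNAMIC for p in ports):
                hits.append("dynamic RPC range")
        if hits:
            findings.append((i, "exposes " + ", ".join(hits)))
    return findings


# Constructed sample export for this example.
SAMPLE_RULES = [
    Rule("internet", "dmz", "80", "allow"),              # public web site: out of scope
    Rule("dmz", "internal", "80", "allow"),              # web server -> internal HTTP only
    Rule("dmz", "internal", "88,389,445,135", "allow"),  # what domain membership needs
    Rule("dmz", "internal", "49152-65535", "allow"),     # RPC dynamic range
    Rule("dmz", "internal", "any", "allow"),             # wide open
    Rule("dmz", "internal", "any", "deny"),              # deny rules are never findings
]
```

Running `audit(SAMPLE_RULES)` reports rules 2, 3 and 4; the UDP/TCP distinction and the source host are not modelled, so treat a hit as a rule to review rather than a verdict.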