Home > Archive > IIS Server Security > June 2006 > workgroup vs domain recommendation
workgroup vs domain recommendation
BLMuzzy 2006-06-16, 1:27 am
Does anyone know the pros & cons of having public servers in a workgroup vs
in a domain? My situation is I have a couple Win2003 IIS servers, a SQL
server, and a document mgmt server (SQL + doc storage) that's also an Active
Directory DC. The latter is used for LDAP validation of user logons. The
firewall rules are pretty tight and only allow https into the IIS boxes. My
question concerns the security of having the servers in 1 domain vs in 1
domain with the IIS & SQL boxes in a separate workgroup.
The domain is attractive for simplifying user accounts and implementing
group policies. But the risk is if someone hacks a password, it's valid all
over the domain, not just on one box.
thanks,
Bob
David Wang [Msft] 2006-06-16, 1:27 am
How about running the public servers in one public domain, having your intranet
use a second private domain, and setting up only a one-way trust between your
public and private domains so that you can use private domain accounts to
manipulate public servers (to prop out updates), but public accounts have no
rights on private domain machines.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"BLMuzzy" <bob.muzzy@planitax.com> wrote in message
news:uBLqPMOkGHA.2436@TK2MSFTNGP03.phx.gbl...
> Does anyone know the pros & cons of having public servers in a workgroup
> vs in a domain? My situation is I have a couple Win2003 IIS servers, a SQL
> server, and a document mgmt server (SQL + doc storage) that's also an
> Active Directory DC. The latter is used for LDAP validation of user
> logons. The firewall rules are pretty tight and only allow https into the
> IIS boxes. My question concerns the security of having the servers in 1
> domain vs in 1 domain with the IIS & SQL boxes in a separate workgroup.
>
> The domain is attractive for simplifying user accounts and implementing
> group policies. But the risk is if someone hacks a password, it's valid
> all over the domain, not just on one box.
>
> thanks,
> Bob
>
BLMuzzy 2006-06-16, 1:31 pm
Humm. That sounds pretty intriguing; reasonable security plus no need for
duplicate user accounts. The issue of one ID/pwd accessing multiple boxes
remains but is probably minimized. thanks!
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:%23UVBuuOkGHA.4284@TK2MSFTNGP05.phx.gbl...
> How about running the public servers in one public domain, your intranet
> uses a second private domain, and only set up one-way trust between your
> public and private domains so that you can use private domain account to
> manipulate public servers (to prop out updates), but public accounts have
> no rights on private domain machines.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> //
>
> "BLMuzzy" <bob.muzzy@planitax.com> wrote in message
> news:uBLqPMOkGHA.2436@TK2MSFTNGP03.phx.gbl...
>
>
David Wang [Msft] 2006-06-16, 7:19 pm
No problems. Using multiple domains with a one-way AD trust relationship is
the standard solution for this.
This way, any DMZ exploits of DMZ Domain accounts stay in the DMZ, which by
definition are ok with this.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"BLMuzzy" <bob.muzzy@planitax.com> wrote in message
news:eSLvB5VkGHA.4284@TK2MSFTNGP05.phx.gbl...
> Humm. That sounds pretty intriguing; reasonable security plus no need for
> duplicate user accounts. The issue of one ID/pwd accessing multiple boxes
> remains but is probably minimized. thanks!
>
>
> "David Wang [Msft]" <someone@online.microsoft.com> wrote in message
> news:%23UVBuuOkGHA.4284@TK2MSFTNGP05.phx.gbl...
>
>
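An added check for the design David describes (example code, not from the thread or from Microsoft): run from the private domain, it enumerates the Active Directory trusts and flags anything that would let public (DMZ) domain accounts authenticate on intranet machines. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the DMZ domain name and the Test-OneWayDmzTrust function are placeholders.

```powershell
# Added example, not from the thread: audit that the trust between the private
# (intranet) domain and the public (DMZ) domain is one-way in the intended direction.
# Assumes the ActiveDirectory module and that it runs on a member of the private domain.
Import-Module ActiveDirectory

function Test-OneWayDmzTrust {
    param(
        [string]$DmzDomain,        # DNS name of the public/DMZ domain (placeholder below)
        [object[]]$Trusts,         # output of Get-ADTrust for the domain being queried
        [switch]$QueriedFromDmz    # set this if the script runs inside the DMZ domain instead
    )
    # Get-ADTrust reports Direction relative to the domain that was queried.
    # From the private domain the DMZ trust should be 'Inbound' (the DMZ domain trusts
    # us, so private accounts work on DMZ servers); from the DMZ domain the same trust
    # shows as 'Outbound'. Any other direction makes DMZ accounts usable on the intranet.
    $wanted = if ($QueriedFromDmz) { 'Outbound' } else { 'Inbound' }
    $findings = @()
    $matching = @($Trusts | Where-Object { $_.Name -eq $DmzDomain -or $_.Target -eq $DmzDomain })
    if ($matching.Count -eq 0) {
        return @("no trust with $DmzDomain exists on the queried domain")
    }
    foreach ($t in $matching) {
        $dir = "$($t.Direction)"
        if ($dir -eq 'BiDirectional') {
            $findings += "$($t.Name): two-way trust; DMZ accounts are valid on private-domain machines"
        } elseif ($dir -ne $wanted) {
            $findings += "$($t.Name): direction is $dir, expected $wanted"
        }
        # A forest-transitive trust extends beyond the single DMZ domain that was intended.
        if ($t.ForestTransitive) {
            $findings += "$($t.Name): trust is forest-transitive; scope it to the DMZ domain only"
        }
    }
    return $findings
}

$PublicDomain = 'dmz.example.test'   # placeholder for the public/DMZ domain name
$report = @(Test-OneWayDmzTrust -DmzDomain $PublicDomain -Trusts (Get-ADTrust -Filter *))
if ($report.Count -eq 0) {
    "OK: trust with $PublicDomain is one-way as intended"
} else {
    $report | ForEach-Object { "FINDING: $_" }
}
```

Run the same script inside the DMZ domain with -QueriedFromDmz to confirm the other side reports the trust as Outbound only.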