IIS Server Security - MS Incident Response Plan


Author MS Incident Response Plan
softtrain

2006-06-21, 1:31 am

According to a white paper entitled MS Incident Response Plan, MS states that
you should never load IIS on a domain controller. Does anyone have any
experience with a fully updated Windows 2003 server and a fully updated IIS
install having security problems?

Thanks,
--
P Cully
Ken Schaefer

2006-06-21, 1:31 am

There are no "known" security issues, otherwise every SBS box for example,
would be hacked within seconds.

The issue is around "risk management". Your domain controllers hold the
"keys to the castle" (i.e. your domain). The more services you run on a DC,
the more potential exploits exist on your DC. It could be a flaw in IIS, or
it could be a flaw in the application you run on top of IIS. However, once
your server is compromised, your entire domain is compromised. On the other
hand, if you run IIS on a separate member server, the attacker might control
the IIS box, but it's still another step to compromising the DC.

Cheers
Ken

"softtrain" <softtrain@discussions.microsoft.com> wrote in message
news:A95854CD-B768-4B05-9250-3396592002AA@microsoft.com...
> According to a white paper entitled MS Incident Response Plan, MS states that
> you should never load IIS on a domain controller. Does anyone have any
> experience with a fully updated Windows 2003 server and a fully updated IIS
> install having security problems?
>
> Thanks,
> --
> P Cully



jigs4u4ever

2006-08-09, 1:27 pm

Hi,

Avoid running IIS on a domain controller whenever possible. But if you
want, here is the webcast for the same:

http://www.iis-resources.com/module...?cid=29&lid=211

Thanks & Regards
Jigs4u_4ever


"softtrain" wrote:

> According to a white paper entitled MS Incident Response Plan, MS states that
> you should never load IIS on a domain controller. Does anyone have any
> experience with a fully updated Windows 2003 server and a fully updated IIS
> install having security problems?
>
> Thanks,
> --
> P Cully
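
A check a defender could run to find hosts that are both a domain controller and carry IIS services, the combination the replies above advise against. This is an added example, not part of the original thread; it assumes PowerShell 3.0 or later with CIM (WinRM) access to the hosts queried, and the function name `Test-IisOnDomainController` is hypothetical.

```powershell
# Added example: flag hosts that hold a domain controller role and also have IIS services.
# Assumption: PowerShell 3.0+ and CIM/WinRM reachable on every host queried.
function Test-IisOnDomainController {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Service names used by IIS components: web, admin/metabase, FTP (IIS 6 and 7+), SMTP.
    $iisServices = 'W3SVC', 'IISADMIN', 'MSFTPSVC', 'FTPSVC', 'SMTPSVC'
    $filter = ($iisServices | ForEach-Object { "Name='$_'" }) -join ' OR '

    foreach ($computer in $ComputerName) {
        try {
            $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $computer -ErrorAction Stop
            $found = @(Get-CimInstance -ClassName Win32_Service -Filter $filter -ComputerName $computer -ErrorAction Stop)
        } catch {
            # Report unreachable hosts instead of silently treating them as clean.
            [pscustomobject]@{
                Computer = $computer; IsDomainController = $null
                IisServices = $null; Finding = "Query failed: $($_.Exception.Message)"
            }
            continue
        }

        # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller.
        $isDc = $cs.DomainRole -in 4, 5
        $running = @($found | Where-Object { $_.State -eq 'Running' })

        $finding = if (-not $isDc) { 'Not a domain controller' }
                   elseif ($running.Count -gt 0) { 'IIS services RUNNING on a domain controller' }
                   elseif ($found.Count -gt 0) { 'IIS services installed (not running) on a domain controller' }
                   else { 'Domain controller without IIS services' }

        [pscustomobject]@{
            Computer           = $computer
            IsDomainController = $isDc
            IisServices        = ($found | ForEach-Object { "$($_.Name):$($_.State)/$($_.StartMode)" }) -join ', '
            Finding            = $finding
        }
    }
}

# Check the local machine; pass -ComputerName with a list of hosts to sweep several.
Test-IisOnDomainController | Format-List
```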


Copyright 2003 - 2008 webservertalk.com