From: Colin Stefani (cstefanitideworks.com)
Date: Tue Dec 18 2001 - 11:05:12 CST

    First off, don't do it because they say it's the only way; we all know
    there's more than one way to do anything, and I think you realize it's a
    security risk, otherwise you wouldn't be asking. The obvious security issues
    aside here, there are some things which need more information from your
    developers; you may want to ask this just to get a sense of what they
    intend to do, as I'm not really sure myself based on the info you provided:

    1) Is the location where this domain/IIS machine will live a DMZ? (this is
    more your territory)
    2) Are they planning any trust relationships between this AD domain and
    anything else (like the internal network)? If so, not a good idea. Usually
    security and ease of management have to favor one over the other.
    3) What specific features of IIS and AD do your developers really need to
    use? Why?
    4) What type of web application is it? Is it for the general public to use?
    Or for employees or business partners?
    5) Have they thought out the security beyond just assuming you will provide
    it with the firewall? Firewalls are great but they can't stop poor security
    in an application.

    I would suggest you approach your developers with the idea that they do
    research to find ways to create their application without a domain; it can
    be done. And also have them look at each function of the application to see
    if there is an alternate way to do the functions which require AD; there
    always is.

    My $0.02 EUR,

    colin

    -----Original Message-----
    From: Happy Harry [mailto:happy_harry200hotmail.com]
    Sent: Tuesday, December 18, 2001 2:19 AM
    To: focus-mssecurityfocus.com
    Subject: Active Directory+IIS

    Hi There

    I am looking for some information on running Active Directory on an
    Internet-facing IIS box! The IIS box is sat behind Firewall 1, but the
    developers wish to use Active Directory to allow features on the web site.

    Is this wise?

    As the Firewall administrator I am seeing all the things you would expect
    from a W2K domain controller (DNS etc)...

    The set up is not currently connected to a live network so no production
    equipment is exposed but the opportunity for defacement etc is something we
    would rather avoid!!

    Many thanks.....
