From: Colin Stefani (cstefanitideworks.com)
Date: Tue Dec 18 2001 - 11:05:12 CST
First off, don't do it because they say it's the only way; we all know
there's more than one way to do anything, and I think you realize it's a
security risk, otherwise you wouldn't be asking. The obvious security issues
aside here, there are some things which need more information from your
developers. You may want to ask this just to get a sense of what they
intend to do, as I'm not really sure myself based on the info you provided:
1) Is the location where this domain/IIS machine will live a DMZ? (this is
more your territory)
2) Are they planning any trust relationships between this AD domain and
anything else (like the internal network)? If so, not a good idea. Usually
security and ease of management have to favor one over the other.
3) What specific features of IIS and AD do your developers really need to
4) What type of web application is it? Is it for the general public to use?
Or for employees or business partners?
5) Have they thought out the security beyond just assuming you will provide
it with the firewall? Firewalls are great but they can't stop poor security
in an application.
I would suggest you approach your developers with the idea that they do
research to find ways to create their application without a domain; it can
be done. And also have them look at each function of the application to see
if there is an alternate way to do the functions which require AD, there
My $0.02 EUR,
From: Happy Harry [mailto:happy_harry200hotmail.com]
Sent: Tuesday, December 18, 2001 2:19 AM
Subject: Active Directory+IIS
I am looking for some information on running Active Directory on an
Internet-facing IIS box! The IIS box is sat behind Firewall 1, but the developers
wish to use Active Directory to allow features on the web site.
Is this wise?
As the Firewall administrator I am seeing all the things you would expect
from a W2K domain controller (DNS etc)...
The set up is not currently connected to a live network so no production
equipment is exposed but the opportunity for defacement etc is something we
would rather avoid!!