IIS on a domain controller

on 17.01.2006 11:03:03 by Khizer

Hi,

We have a w2003 domain controller which also has IIS and WSUS on it. Are
there any security implications with this setup or do you think it's better
if I install IIS and WSUS on a separate server?

Thanks

Khizer

Re: IIS on a domain controller

on 17.01.2006 11:58:49 by Christian Paparelli

"Khizer" wrote in message
news:57E987CE-0066-45C6-9972-C96D03CBB810@microsoft.com...
> Hi,

Hi

> We have a w2003 domain controller which also has IIS and WSUS on it. Are
> there any security implications with this setup or do you think it's
> better
> if I install IIS and WSUS on a separate server?

It's better for your security to separate the IIS web server and the WSUS server;
take a look here:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/WSUS/WSUSDeploymentGuideTC/ac90c1de-9e04-46fd-b8ab-0bb4ab851546.mspx


--
Christian Paparelli
http://www.ithost.ch

Re: IIS on a domain controller

on 17.01.2006 17:25:07 by Ratatooie

"Khizer" wrote in message
news:57E987CE-0066-45C6-9972-C96D03CBB810@microsoft.com...
> Hi,
>
> We have a w2003 domain controller which also has IIS and WSUS on it. Are
> there any security implications with this setup or do you think it's
> better
> if I install IIS and WSUS on a separate server?
>
> Thanks
>
> Khizer

As a guy that has suffered through this mistake done by the PHBs _TWICE_ I'd
say save yourself a boatload of pain and DO NOT DO IT.

Having the domain controller run your IIS takes away all sorts of ability to
run IIS effectively and can scatter all sorts of unused or damaged accounts
around your network.

Keep in mind, on a DC there are NO local accounts... and local accounts are
your bread and butter for IIS if you are even slightly interested in
security. Of course, once the next unknown remote exploit comes out you are
worrying about your entire network and domain admin accounts rather than a
machine that can be wiped and rebuilt easily.

Get a cheap box, use one of your old licenses for Win2k server instead.
ANYTHING but putting it on the DC is better. It might seem like it's a ploy
by MS to sell more licenses... but in this case they are dead on correct
about it.
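
A way to check for the setup this thread warns against, as an added example that is not part of the original posts: the function reports whether a machine is a domain controller and whether the IIS or WSUS services are installed on it, including the account each service runs as. The function name `Get-DcCoHostedRole` is hypothetical, and the WSUS service name `WsusService` is an assumption that may differ on older WSUS releases.

```powershell
# Added example (not from the thread): flag domain controllers that also
# host IIS (W3SVC) or WSUS. Remote targets need CIM/WinRM access.
function Get-DcCoHostedRole {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)]
        [string[]]$ComputerName = $env:COMPUTERNAME
    )
    process {
        foreach ($name in $ComputerName) {
            # Query the local machine directly; use -ComputerName only for remote hosts.
            $target = @{}
            if ($name -ne $env:COMPUTERNAME) { $target.ComputerName = $name }
            try {
                $cs = Get-CimInstance -ClassName Win32_ComputerSystem @target -ErrorAction Stop
                # DomainRole 4 = backup domain controller, 5 = primary domain controller
                $isDc = $cs.DomainRole -in 4, 5

                # 'WsusService' is an assumed service name; adjust for your WSUS version.
                $svc = @(Get-CimInstance -ClassName Win32_Service @target `
                        -Filter "Name='W3SVC' OR Name='WsusService'" -ErrorAction Stop)

                $finding = if ($isDc -and $svc.Count -gt 0) {
                    'DC also hosts IIS/WSUS: move these roles to a member server'
                } elseif ($isDc) {
                    'DC without IIS/WSUS'
                } else {
                    'Not a domain controller'
                }

                [pscustomobject]@{
                    ComputerName       = $name
                    IsDomainController = $isDc
                    # StartName shows which account the service runs as; on a DC
                    # this can never be a machine-local account.
                    CoHostedServices   = $svc | ForEach-Object {
                        '{0} ({1}, runs as {2})' -f $_.Name, $_.State, $_.StartName
                    }
                    Finding            = $finding
                }
            } catch {
                Write-Warning "${name}: $($_.Exception.Message)"
            }
        }
    }
}
```

Run it with no arguments on the server in question, or pipe a list of server names into it to review several machines at once.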

Re: IIS on a domain controller

on 17.01.2006 17:42:03 by Khizer

Thanks for the replies so far.

I am trying to convince my manager that we should buy another server and
place IIS and WSUS on it, therefore keeping the original server as a domain
controller only.

"Ratatooie" wrote:

>
> "Khizer" wrote in message
> news:57E987CE-0066-45C6-9972-C96D03CBB810@microsoft.com...
> > Hi,
> >
> > We have a w2003 domain controller which also has IIS and WSUS on it. Are
> > there any security implications with this setup or do you think it's
> > better
> > if I install IIS and WSUS on a separate server?
> >
> > Thanks
> >
> > Khizer
>
> As a guy that has suffered through this mistake done by the PHBs _TWICE_ I'd
> say save yourself a boatload of pain and DO NOT DO IT.
>
> Having the domain controller run your IIS takes away all sorts of ability to
> run IIS effectively and can scatter all sorts of unused or damaged accounts
> around your network.
>
> Keep in mind, on a DC there are NO local accounts... and local accounts are
> your bread and butter for IIS if you are even slightly interested in
> security. Of course, once the next unknown remote exploit comes out you are
> worrying about your entire network and domain admin accounts rather than a
> machine that can be wiped and rebuilt easily.
>
> Get a cheap box, use one of your old licenses for Win2k server instead.
> ANYTHING but putting it on the DC is better. It might seem like it's a ploy
> by MS to sell more licenses... but in this case they are dead on correct
> about it.