Domain Controller and IIS, SQL Server or Exchange?

T_Squared

Hi All,

I have a question for all you gurus out there. If you are faced with
installing IIS 5.0, SQL Server 2000 or Exchange (5.5 or 2000) on one
of two Windows 2000 DCs, then which application would you choose?

1.) Win 2K DC and IIS 5.0
2.) Win 2K DC and SQL Server 2000
3.) Win 2K DC and Exchange (5.5 or 2000)

I know that it all can co-exist; I've done it in a test environment.
However, when faced with a decision for a production environment of at
most 25 users, which "co-habitation" scenario is the lesser of all
evils from a security standpoint? (I have to make a choice - help!)

Please provide any links to whitepapers.

Thanks in advance.
 
You could go for SBS 2000 (soon 2003) which has IIS, SQL and Exchange and
ISA. Limit is 50 users at the same time.
More info on www.smallbizserver.net and
microsoft.public.backoffice.smallbiz2000 newsgroup.

Marina
 
You've posted in a security forum,
so I'll just reply on security.

You need to know that IIS & SQL are the first two targets for
crackers/hackers.

So the question is: do you need to secure it?
You have many choices & it depends on your security
configuration.

I'll put what I think for your configuration, so "only for
Domain Controller + IIS".

- intranet -
IIS as intranet, no physical connection to the internet: ok.

IIS as intranet, physical connection to the internet in the LAN
through a firewall: normally ok. But

IIS as intranet, physical connection in a DMZ through a
firewall: I don't advise putting AD & all your accounts in
front of the internet. Why put a DC in the DMZ?

IIS as intranet, DC is also a RRAS gateway: putting all in one
is cheaper, but when you need to take back your network
from a cracker you'll lose all your $$$. A RRAS server can
be hacked in 30 min by a hacker who exploits a flaw that has not
been corrected. And he can reconnect to the server whenever he
wants (call back, ...).

- internet -
IIS as internet, P.C.to.I. (physical connection to the
internet) in the LAN through a firewall: damn, your network is
already backdoored & hacked .. bye bye .. really, it's like a
chicken behind wolves...

IIS as internet, P.C.to.I. in a DMZ:
Well ... no way to put a DC in a DMZ. Oh sorry, yes, there can
be one way: a fake DC as a honeypot.

- extranet -
Hummmm .... same thing. You allow a cracker to test a hack
on your DC and take all the accounts, run a backdoor, install a
hidden ftp server in a rootkit.

Ok. I think I've covered all the possibilities & the best
is: IIS in a LAN without connection to other networks like
the internet.

For SQL ... damn ... the same ... In fact it's the same for
all services like SAP ...

For IIS & SQL:
- no network or RRAS connection
or
- a firewall & an IT Security Team that looks every day at your
baby. Plus an IT Backup Team who really do their work.

It's not a white paper. Just my thoughts.

Yann Quéré
 
You don't provide enough information to know. Is the IIS for internet
or intranet? Is the system inside or outside your firewall? What
kind of traffic, what types of applications, what is the hardware, how
many users and mail accounts, etc.?

From a security standpoint, put nothing on a DC. Especially outward
facing. Plus there are issues with IIS on a DC where you have no
local accounts and everything is a domain account.

Jeff

Thanks for the reply. The IIS is for an internet/intranet outside the
firewall (the company is working on a firewall implementation). YES,
it's bad, I know, but around here other admins are faced with the same
dilemma. Many of them host either IIS, Exchange or some other app on
one of their DCs - mainly due to budget restrictions.

To finish answering your question, the applications are mostly
homegrown ASP. There are 25 users and 30 mail accounts. The servers
are 4 Dell PowerEdge 2600, single Xeon 2.0 GHz processor, with a
hardware RAID 5 configuration for data and a RAID 1 configuration for
system files and logs.

You see my problem: I have 4 machines when I need 5 (2 DCs, 1 IIS, 1
Exchange and 1 SQL). I pretty much walked into this shop and now I
need to make it work.
 
From a technical standpoint, I'd put your data stores on one (Exch/SQL) and
your applications (DC/IIS) on another.

From a security standpoint, IIS shouldn't be on the DC no matter what, but I
wouldn't be sleeping at night in any case if you have your application tier
exposed to the internet not behind a firewall.
 
> Thanks for the reply. The IIS is for an internet/intranet outside the
> firewall (the company is working on a firewall implementation). YES,
> it's bad, I know, but around here other admins are faced with the same
> dilemma. Many of them host either IIS, Exchange or some other app on
> one of their DCs - mainly due to budget restrictions.
>
> To finish answering your question, the applications are mostly
> homegrown ASP. There are 25 users and 30 mail accounts. The servers
> are 4 Dell PowerEdge 2600, single Xeon 2.0 GHz processor, with a
> hardware RAID 5 configuration for data and a RAID 1 configuration for
> system files and logs.

Okay, so assuming reasonable RAM, you should be okay equipment-wise in
running combined apps. So all it really comes down to is security.

> You see my problem: I have 4 machines when I need 5 (2 DCs, 1 IIS, 1
> Exchange and 1 SQL). I pretty much walked into this shop and now I
> need to make it work.

I'd be tempted to put SQL and IIS on the same system, Exchange on a
third and the fourth be a DC with file/print. Neither Exchange nor
IIS really *likes* a DC, but I'd opt for Exchange on the DC before
IIS. At any rate, I'd put any outward facing systems in a DMZ, not
outside the firewall entirely.

Jeff
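A quick audit script for the co-location problem discussed in this thread, added here as an example (it is not from any of the posters). It checks whether a host is a domain controller, which of the three application services are installed on it, and, following Jeff's point about IIS on a DC, whether the IIS IUSR_/IWAM_ accounts have ended up as domain accounts. It assumes Windows PowerShell with WMI access to the target; the service names W3SVC, MSSQLSERVER and MSExchangeIS are the standard ones for IIS, the default SQL Server instance and the Exchange Information Store.

```powershell
# Audit one host for "application service on a domain controller" (example, not from the thread).
param([string]$ComputerName = $env:COMPUTERNAME)

$cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $ComputerName
# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
$isDC = [int]$cs.DomainRole -ge 4

# Services whose presence on a DC the thread argues against
$watch = @{
    'W3SVC'        = 'IIS (World Wide Web Publishing)'
    'MSSQLSERVER'  = 'SQL Server (default instance)'
    'MSExchangeIS' = 'Exchange Information Store'
}

$found = foreach ($name in $watch.Keys) {
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter "Name='$name'"
    if ($svc) {
        [pscustomobject]@{
            Service   = $watch[$name]
            State     = $svc.State
            StartMode = $svc.StartMode
            RunsAs    = $svc.StartName   # service account; on a DC this cannot be a local account
        }
    }
}

"$ComputerName : DomainRole=$($cs.DomainRole) (domain controller: $isDC)"
if ($found) { $found | Format-Table -AutoSize } else { 'none of the watched services is installed' }

# Jeff's point: a DC has no local accounts, so the IIS anonymous (IUSR_*) and
# out-of-process (IWAM_*) accounts become domain accounts with a domain-wide scope.
$iisAccounts = Get-WmiObject -Class Win32_UserAccount -ComputerName $ComputerName `
    -Filter "Name LIKE 'IUSR_%' OR Name LIKE 'IWAM_%'"
if ($iisAccounts) {
    $iisAccounts | Select-Object Name, Domain, LocalAccount | Format-Table -AutoSize
}

if ($isDC -and $found) {
    Write-Warning "Application services are running on a domain controller; compromising any of them compromises the directory. Move them to a member server, and keep the DC off the internet-facing side of the firewall."
}
```

Run it against each of the four servers; a host that reports a DomainRole of 4 or 5 together with any watched service is the configuration the replies above recommend avoiding.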
 