
RE: website inside or outside the domain?

From: David Ellis <dellis(at)nightwatchnss.com>
Date: Tue Feb 11 2003 - 17:53:29 EST


Hi Everyone,

First off, I have some experience in this practice. When it comes to web servers, especially internet-accessible servers, do not join them to a domain; use them in a workgroup environment, but each server in its own workgroup, and if you have an app server also, use that as your backend. Use the local users for authentication, not domain authentication. Rename the Administrator account, then create a dummy Administrator account with no permissions. Use strong passwords. Watch exactly what services are running on the webserver. Only run services that are TOTALLY necessary.

If you want to be really secure and your webserver needs authentication to view some web pages, use a third-party program called Authentix for a user database and authentication. If you want to get really secure, I recommend using two-factor authentication for users, such as Aladdin's eToken USB smartcard, which is based on public/private key cryptography and uses SSL, and once the eToken is removed from the USB port all SSL connections to the webserver are no longer.

Whether it be an intranet server or internet server, never join it to the domain. As I always say, never trust anyone when it comes to security. Your users are your most dangerous enemies. And 70% of all hacking attempts come from within the network. If you join it to a domain you are asking for trouble. I have written a 36-page white paper on securing IIS for the internet, and this was based on a lot of testing and hacking attempts by my team of security engineers.

Sincerely,
Dave
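As an added example (not part of Dave's reply or his white paper), the following PowerShell audit checks a standalone web server against the hardening points he lists: workgroup rather than domain membership, a renamed built-in Administrator with a permissionless decoy in its place, and an inventory of running services so each one can be justified. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module, run from an elevated prompt on the server itself.

```powershell
# Added example, not from the original thread. Audit an IIS host against the
# workgroup / local-account / minimal-services advice given above.
# Assumes Windows PowerShell 5.1+ with Microsoft.PowerShell.LocalAccounts; run elevated.

$findings = @()

# 1. Domain membership: the advice is to keep the web server in its own workgroup.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    $findings += "Server is joined to domain '$($cs.Domain)'; the advice above is to keep it in a workgroup."
} else {
    $findings += "OK: server is in workgroup '$($cs.Workgroup)'."
}

# 2. Built-in Administrator (RID 500) renamed, with a decoy 'Administrator'
#    that belongs to no local group.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin.Name -eq 'Administrator') {
    $findings += "Built-in Administrator (RID 500) still carries its default name."
} else {
    $findings += "OK: built-in Administrator is renamed to '$($builtin.Name)'."
    $decoy = Get-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue
    if ($decoy) {
        $memberOf = Get-LocalGroup | Where-Object {
            (Get-LocalGroupMember -Group $_ -ErrorAction SilentlyContinue).SID -contains $decoy.SID
        }
        if ($memberOf) {
            $findings += "Decoy 'Administrator' is a member of: $($memberOf.Name -join ', ')"
        } else {
            $findings += "OK: decoy 'Administrator' exists with no group membership."
        }
    } else {
        $findings += "No decoy 'Administrator' account present."
    }
}

# 3. Running services: each one should be justified as necessary for serving
#    the site; the rest are candidates for disabling.
$running = Get-Service | Where-Object Status -eq 'Running' | Sort-Object Name
$findings += "Running services ($($running.Count)):"
$findings += $running | ForEach-Object { "  $($_.Name) - $($_.DisplayName)" }

$findings
```

The script reports only; it changes nothing, so it can be run repeatedly as a drift check after the server is hardened.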

-----Original Message-----
From: Gabriel Aguilera [mailto:gabriel@unicraft.com]
Sent: Monday, February 10, 2003 6:21 PM
To: Chris W. Parker; focus-ms@securityfocus.com
Subject: RE: website inside or outside the domain?

Hi Chris,

Don't think of it as "joining" in to the domain, which is not a very good practice anyway... think of it as TRUSTING the inner (users) domain.

What I think you should do with your web server, if you need any sort of user validation, is to build a second domain in the DMZ, let's say, your web and 2nd-tier database. This domain should trust your internal domain, and that way you can use the same users as you do in the inside of the company. Remember that trusts don't work in the direction you build them... that means that if you build the trust from your DMZ's domain to the inside, the inner users will be trusted in the DMZ's domain, but if for some strange reason your box gets compromised, the users in that box won't be trusted in the inside of your company.

Let me know if you need any further help.  

Regards,
Gabriel    

	-----Original Message-----
	From: Chris W. Parker
	Sent: Mon 10-Feb-03 3:23 PM
	To: focus-ms@securityfocus.com
	Cc:
	Subject: website inside or outside the domain?

	Hello.

	Is it a better practice in general to join a webserver to a domain or to leave it in its own workgroup?

	The reason I ask is because managing the permissions on the webserver is made difficult since I don't have access to the domain users and groups. That is, (as far as I know) I cannot add a domain group (i.e. DOMAIN\weborders) to a resource on the webserver. Instead I have to make a group locally on the webserver that mimics the group (and users in that group) on the domain.

	Another reason I would like to join the webserver to the domain is because I could turn off Anonymous Access and force the users to login. BUT I am imagining their domain credentials would automatically be passed to the intranet site, thus logging them in automagically. I would then have access to their usernames from within my .asp pages.

	The only reason I have not joined the server to the domain yet is because I am not sure what sorts of negative side effects there might be that I don't know about.

	Can anyone shed any light on these situations and/or offer alternatives?

	Thanks,
	Chris.


Received on Wed Feb 12 11:01:20 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:26 EDT

