Matt Andreko <mandreko@ori.net> wrote:
> Going with that, do you really want your anonymous users visiting your
If AD is being used only locally by the IIS server, is not connected to any
other computer (nor used by internal services or anything inside or
outside the DMZ, nor connected to some domain tree), then LocalSystem
privileges can't be propagated to other computers. In such a situation
there's no difference between a compromised AD and a compromised SAM.
Moreover, AD delivers some mechanics which can lower the risk of machine
compromise (GPO, Kerberos authentication etc.). I know it sounds
strange, but if the IIS server is logically isolated from the outside world
(including other servers in the DMZ) I DO recommend setting up AD on it.
A LocalRoot compromise can not do more harm (compared to the situation when
the server has SAM only) because it's used only locally on this computer,
but can be better prevented. Of course in a perfect world you would have
separate IIS (maybe a load balancing cluster) and AD controller(s), all in
the DMZ.
B.
Received on Sat May 10 15:02:56 2003
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:30 EDT