dan.foxley
15 Posts
Domain Joined IIS in the DMZ
Jan 26, 2011 10:29 PM
For an IIS 7.5 / SQL 2008 R2 deployment, both on separate servers, I'd like to leave the IIS servers in the AD domain. What is the risk for the scenario below:
Port 80/443 open to Nic1 - that ONLY has TCP/IP & NLB enabled (not MS services)
Where NIC 2 has the MS Client to do Domain Membership
Firewall between Nic1 and Nic2
Where we are using Forms based authentication (not AD users) to login to the application.
And the Anonymous user (the only Authentication we use) is the Network Service.
And have some AD users in Local Groups allowed for managing the server.
Additionally, would constrained delegation to the SQL server be an option to prevent said security issues if the IIS box was compromised?
I've seen the suggestions for:
1 way trust AD
Put up a RODC
Use ADFS or AD LDS (but isn't this more for application user authentication vs. IIS > SQL (Network Service account) and server management accounts?)
Thanks,
Dan
AD iis DMZ
jeff@zina.co...
3379 Posts
MVP
Moderator
Re: Domain Joined IIS in the DMZ
Feb 03, 2011 05:52 PM
> And the Anonymous user (the only Authentication we use) is the Network Service.
> And have some AD users in Local Groups allowed for managing the server.
These are the only two reasons I see for the IIS server being in the AD domain inside the firewall. Might be better to change to a separate, dedicated application pool account and use a different set of credentials for managing the server.
That said, there's really nothing wrong with your suggested setup. Though I can't tell from your description if you have a hardware firewall that the server sits in the DMZ of, or if the server is running the firewall software, which is far less secure.
Jeff
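As an added illustration of the "dedicated application pool account" advice above (this is not code from the thread or from IIS documentation), the following PowerShell for the IIS 7.5 WebAdministration module audits which pools still run as a built-in identity such as Network Service, moves a pool to a dedicated account, and makes anonymous authentication use that pool identity instead of a separately configured user. The pool name "MyAppPool", the site "Default Web Site" and the account "CORP\svc_webapp" are placeholders.

```powershell
# Added example, not the thread's own code. Run in an elevated PowerShell on the IIS box.
Import-Module WebAdministration

# Audit: report every pool whose worker process does NOT run as a dedicated account.
# identityType reads back as a name: LocalSystem, LocalService, NetworkService,
# SpecificUser or ApplicationPoolIdentity.
function Get-SharedIdentityPools {
    Get-ChildItem IIS:\AppPools |
        Where-Object { $_.processModel.identityType -ne 'SpecificUser' } |
        Select-Object Name, @{ n = 'Identity'; e = { $_.processModel.identityType } }
}

# Remediate: run a pool as a dedicated, low-privilege domain account.
# The password is prompted for so it never sits in the script. 3 = SpecificUser.
function Set-DedicatedPoolIdentity {
    param([string]$Pool, [string]$UserName)
    $cred  = Get-Credential -Credential $UserName
    $plain = $cred.GetNetworkCredential().Password
    Set-ItemProperty "IIS:\AppPools\$Pool" -Name processModel `
        -Value @{ identityType = 3; userName = $UserName; password = $plain }
}

# Make anonymous requests on a site run as the pool identity rather than a separate
# user: an empty userName on anonymousAuthentication means "use the pool identity".
function Use-PoolIdentityForAnonymous {
    param([string]$Site)
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
        -Name userName -Value ''
}

Get-SharedIdentityPools                                   # placeholder names below are assumptions
Set-DedicatedPoolIdentity -Pool 'MyAppPool' -UserName 'CORP\svc_webapp'
Use-PoolIdentityForAnonymous -Site 'Default Web Site'
```

After the change, the same domain account must be granted only the rights it needs on the SQL Server login and on the site's content folder, so a compromised worker process carries that account's privileges rather than those of the machine account.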
dan.foxley
15 Posts
Re: Domain Joined IIS in the DMZ
Feb 04, 2011 12:18 AM
Jeff,
Thanks for the reply. Yes, I have a PIX FW between NIC1 and NIC2 of the Web server.
I will consider using separate domain user(s) for the Application Pool identities.
I'm not clear on your comment, "use a different set of credentials for managing the server." The users would be standard domain users that are added to a Domain Local Group, which would be granted either server Local Group membership or NTFS ACL permissions on the IIS box.
Dan