  • Re: Security best practices and using AD for server and process identity in a public facing web a...

    Jun 01, 2011 07:36 PM | steve schofield

    I can make an argument for both solutions. 

    1) For stand-alone boxes, you could encrypt the connection strings to protect creds. Having AD introduces more expertise and administration. If you have AD locally and some expertise, then it's not too bad. Having DCs costs more, more administration, more hardware to support, more licensing. The downside of stand-alone is that you have to manage each box as a stand-alone entity; depending on how many boxes, this is a BIG drawback. Yes, you can have the same user ID and password if you have scripting.

    2) For an AD environment, you get group policy and centralized administration; both are HUGE wins IMO. With group policy you can manage all kinds of settings including folder and registry security, auditing, and distributing certificates, along with 100's of other settings. Preferences is my favorite. Most of the negative for #2 is mentioned in #1. AD helps with administration / management, however it has overhead. I like using Windows accounts vs. SQL because of the integrated security, with no passwords stored and needing to be managed in config files.

    Over my years of experience, I tend to have a blend of security with administration. I've implemented AD in my environment and haven't looked back. The benefits outweigh the risks and additional administration. Once AD is set up, it kind of runs itself if not tinkered with. You need a very stable DNS infrastructure to support AD. Your applications would need to blend with the AD DNS (or BIND DNS that supports SRV records). If you have some type of solution like Altiris that is agent based and can go across forests (last I knew), management of apps and packages might be easier. I hope there is some advice and things to think about. PS - AD is really a core technology a lot of other MS solutions integrate with; it's worth having IMO.

    Steve Schofield
    Windows Server MVP - IIS
    http://iislogs.com/steveschofield
    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget
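
The reply above weighs encrypted connection strings on stand-alone boxes against Windows integrated security under AD. The following audit sketch is an added example, not part of the original post: it classifies each `connectionStrings` entry in a web.config as an encrypted section, integrated security, or a readable SQL password. The function name, file labels, server names and credentials are all constructed for illustration.

```powershell
# Added example: names, servers and the password below are constructed.
function Get-ConnectionStringFinding {
    param([Parameter(Mandatory)][string]$Source,      # label for the report
          [Parameter(Mandatory)][string]$ConfigXml)   # web.config content
    $doc = [xml]$ConfigXml
    $xpath = "/*[local-name()='configuration']/*[local-name()='connectionStrings']"
    $section = $doc.SelectSingleNode($xpath)
    if ($null -eq $section) { return }
    # An encrypted section carries configProtectionProvider and holds
    # <EncryptedData> instead of readable <add> entries.
    if ($section.GetAttribute('configProtectionProvider')) {
        return [pscustomobject]@{ Source = $Source; Name = '(section)'; Finding = 'EncryptedSection' }
    }
    foreach ($add in $section.SelectNodes("*[local-name()='add']")) {
        $cs = $add.GetAttribute('connectionString')
        $finding = if ($cs -match '(^|;)\s*(password|pwd)\s*=') {
            'PlaintextPassword'        # SQL login stored readable in the file
        } elseif ($cs -match '(^|;)\s*(integrated security|trusted_connection)\s*=\s*(true|yes|sspi)') {
            'IntegratedSecurity'       # Windows account, no password in the file
        } else {
            'NoCredentialKeyword'
        }
        [pscustomobject]@{ Source = $Source; Name = $add.GetAttribute('name'); Finding = $finding }
    }
}

$samples = [ordered]@{
    'standalone-plain.config' = @'
<configuration><connectionStrings>
  <add name="AppDb" connectionString="Server=sql01;Database=App;User ID=webapp;Password=CONSTRUCTED" />
</connectionStrings></configuration>
'@
    'standalone-encrypted.config' = @'
<configuration><connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData><CipherData><CipherValue>CONSTRUCTED</CipherValue></CipherData></EncryptedData>
</connectionStrings></configuration>
'@
    'ad-joined.config' = @'
<configuration><connectionStrings>
  <add name="AppDb" connectionString="Server=sql01;Database=App;Integrated Security=SSPI" />
</connectionStrings></configuration>
'@
}
$samples.GetEnumerator() | ForEach-Object {
    Get-ConnectionStringFinding -Source $_.Key -ConfigXml $_.Value
} | Format-Table -AutoSize
```

To audit real servers, pass the output of `Get-Content -Raw` for each web.config instead of the constructed samples. The key match is a simple pattern check and does not handle quoted values that themselves contain semicolons.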