Should our web server be a domain member?

What's the basic pros & cons of making a Web server a member of our domain?

I've heard that there are security problems with that, although I can't
recall specifically what those problems are. That's why up until now I have
made it a member of a workgroup (with the same name as our one domain). But
that has caused some inconveniences such as maintaining separate list of
users & passwords.

So I'm wondering if I should join it to the domain.

Thanks!

The risk is if the web server is available from the internet then it will be
a target for attack and therefore could give an attacker control of one of
your domain computers. If it is an internal web server not facing the
internet it makes sense to add it to the domain if your domain users access
as it sounds like they do. If it is exposed to the internet and only a small
group of your users need access to it most likely you should leave things as
is but if it is a large number of users then you have to decide what you
want. You can minimize the damage that a compromised domain computer can do
by regularly checking the security logs on it for evidence of such and
configuring your network so that it can access only computers it needs such
as domain controllers. You can use ipsec to protect sensitive servers [not
domain controllers] in the domain by requiring that they have a "require"
ipsec policy.

Of course web servers need to be hardened by making sure that they are
running only needed services, use the principle of least privilege in
configuring access control lists, run applications that are well written,
and are kept current with critical security updates. MBSA can be used to
check for basic security vulnerabilities on Windows 2000/2003 and for
Windows 2003 SP1 you can use the Security Configuration Wizard to help you
lock down a server by role. Ipsec can also be configured via a filter policy
to manage access to what traffic can leave the computer unlike the Windows
Firewall. Domain administrators must be trained to NEVER logon to any domain
computer that they are not 100 percent sure is secure/clean with their
domain administrator credentials. The reason is that the computer could be
configured with scripts or loggers to either capture or use those
credentials to take over the domain. Most day to day tasks can be performed
by a regular domain account that has been delegated permissions to do what a
domain level administrator would otherwise need to do. Non domain controller
domain computers should be managed by a domain user/group that is in the
local administrators group of the domain computer and not by a user in the
domain admins group. --- Steve

http://www.microsoft.com/technet/sec.../mbsahome.mspx --- MBSA
http://www.microsoft.com/windowsserv...z/default.mspx
--- Security Configuration Wizard


"OscarVogel" <(E-Mail Removed)> wrote in message
news:%23znq%(E-Mail Removed)...
> What's the basic pros & cons of making a Web server a member of our
> domain?
>
> I've heard that there are security problems with that, although I can't
> recall specifically what those problems are. That's why up until now I
> have made it a member of a workgroup (with the same name as our one
> domain). But that has caused some inconveniences such as maintaining
> separate list of users & passwords.
>
> So I'm wondering if I should join it to the domain.
>
> Thanks!
>

First, let me say I am assuming you mean a public, external
webserver. Also, the degree of the isolation concerns does
also depend on just how this is exposed to the public network.

Can you define a need, other than administrative convenience,
that can be best, or only, provided for by domain membership?

If not, then domain membership is optional.
If so, then domain membership might be necessary (you would
need to assess alternatives to see if there are other options).

There is no higher from of protection of your domain from the
internet based exposures of the webserver than to have it not
in the domain and not needing to communicate with domain
contol and members.

So, if membership is not necessary, only optional, then you
would need to assess the extent that communications would
have to be opened, comparing that exposure to what is gained
(i.e. difficulty, exposure, stability, etc. of the other options)

My own general feel is that joining to "the" domain (not, making
a domain "out there", "for them") is not something one would
do unless there is no other alternative (and, since the release
of Windows Server 2003 and now R2, the cases where there
is actually no alternative are getting fewer.

--
Roger Abell
Microsoft MVP (Windows Server : Security)

"OscarVogel" <(E-Mail Removed)> wrote in message
news:%23znq%(E-Mail Removed)...
> What's the basic pros & cons of making a Web server a member of our
> domain?
>
> I've heard that there are security problems with that, although I can't
> recall specifically what those problems are. That's why up until now I
> have made it a member of a workgroup (with the same name as our one
> domain). But that has caused some inconveniences such as maintaining
> separate list of users & passwords.
>
> So I'm wondering if I should join it to the domain.
>
> Thanks!
>

Thanks Roger & Steve for your good insights. I think I'll take your advice &
NOT join the web server to our Windows domain.

But it seems odd that this issue is never brought up regarding the SBS which
I think requires web services and is of coarse a DC. Are a SBS inherently
insecure?

I was thinking that the practice of NOT adding web servers to a Windows
domain may be obsolete precaution that is a hold over when IIS was much less
secure. Is there ANY truth to that?

Never the less, I understand the concept of layered security so I intend to
keep things as is. But I'd be interested in any feedback about the above
comments, just so I can more fully understand it.

Sincere regards!


"OscarVogel" <(E-Mail Removed)> wrote in message
news:%23znq%(E-Mail Removed)...
> What's the basic pros & cons of making a Web server a member of our
> domain?
>
> I've heard that there are security problems with that, although I can't
> recall specifically what those problems are. That's why up until now I
> have made it a member of a workgroup (with the same name as our one
> domain). But that has caused some inconveniences such as maintaining
> separate list of users & passwords.
>
> So I'm wondering if I should join it to the domain.
>
> Thanks!
>

Well SBS is a different animal that is targeted for very small businesses as
an economical all in one package that can get that small business into a
Windows domain environment with only one server. SBS 2003 I believe includes
ISA which means that your domain controller would also be your firewall if
used which you will almost never see in an enterprise environment. I don't
see why SBS would require IIS to be enabled. My guess is that SBS users are
not using SBS for hosting their website but may be using it for SUS/WSUS . I
would not call SBS inherently secure but it is a compromise where the scales
are tipped to cost savings and convenience for a different market than
Windows 2003 Server. There are millions of satisfied SBS users and in almost
all cases such users would not be considered high value targets to attackers
which reduces the threat.

In my opinion nothing has changed in the tactic of not making an IIS server
a domain member in that it should not be done if there is no compelling
reason to do so. However if there are hunderds or thousands of domain users
that need to access the IIS server and be authenticated as domain users then
it would be kind of crazy to create local accounts for all of them. In such
case using IIS6.0 certainly would be an advantage over previous versions of
IIS. Also using a firewall like ISA 2004 and then "publishing" the web
server can greatly increase security as ISA 2004 could then do deep
application http filtering as shown in the link below. --- Steve

http://www.microsoft.com/technet/pro...filtering.mspx


"OscarVogel" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Thanks Roger & Steve for your good insights. I think I'll take your advice
> & NOT join the web server to our Windows domain.
>
> But it seems odd that this issue is never brought up regarding the SBS
> which I think requires web services and is of coarse a DC. Are a SBS
> inherently insecure?
>
> I was thinking that the practice of NOT adding web servers to a Windows
> domain may be obsolete precaution that is a hold over when IIS was much
> less secure. Is there ANY truth to that?
>
> Never the less, I understand the concept of layered security so I intend
> to keep things as is. But I'd be interested in any feedback about the
> above comments, just so I can more fully understand it.
>
> Sincere regards!
>
>
> "OscarVogel" <(E-Mail Removed)> wrote in message
> news:%23znq%(E-Mail Removed)...
>> What's the basic pros & cons of making a Web server a member of our
>> domain?
>>
>> I've heard that there are security problems with that, although I can't
>> recall specifically what those problems are. That's why up until now I
>> have made it a member of a workgroup (with the same name as our one
>> domain). But that has caused some inconveniences such as maintaining
>> separate list of users & passwords.
>>
>> So I'm wondering if I should join it to the domain.
>>
>> Thanks!
>>
>
>

Pardon my jumping in(line)....

In news:(E-Mail Removed),
Steven L Umbach <(E-Mail Removed)> typed:
> Well SBS is a different animal that is targeted for very small
> businesses as an economical all in one package that can get that
> small business into a Windows domain environment with only one
> server. SBS 2003 I believe includes ISA

(only in Premium...same with SQL. SBS Standard doesn't have ISA, and
frankly, I don't want ISA running on a DC/Exchange box, so I personally go
for Standard for my SBS-using clients)

> which means that your domain
> controller would also be your firewall if used which you will almost
> never see in an enterprise environment. I don't see why SBS would
> require IIS to be enabled.

It really does, if you want full functionality - Sharepoint and Exchange and
Remote Web Workplace, plus a lot of other stuff one might run, such as Trend
Micro antivirus software, yaddayaddayadda.

> My guess is that SBS users are not using
> SBS for hosting their website but may be using it for SUS/WSUS

More often, OWA, RWW, and intranet purposes. I wouldn't ever recommend
hosting a public website on SBS or any server on the LAN/domain - OWA (SSL
only) is a necessary evil, and as you say, a compromise.

> . I
> would not call SBS inherently secure but it is a compromise where the
> scales are tipped to cost savings and convenience for a different
> market than Windows 2003 Server.

Exactly so.

> There are millions of satisfied SBS
> users and in almost all cases such users would not be considered high
> value targets to attackers which reduces the threat.
> In my opinion nothing has changed in the tactic of not making an IIS
> server a domain member in that it should not be done if there is no
> compelling reason to do so. However if there are hunderds or
> thousands of domain users that need to access the IIS server and be
> authenticated as domain users then it would be kind of crazy to
> create local accounts for all of them. In such case using IIS6.0
> certainly would be an advantage over previous versions of IIS. Also
> using a firewall like ISA 2004 and then "publishing" the web server
> can greatly increase security as ISA 2004 could then do deep
> application http filtering as shown in the link below. --- Steve

I agree with everything you've written, as usual.

>
> http://www.microsoft.com/technet/pro...filtering.mspx
>
>
> "OscarVogel" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Thanks Roger & Steve for your good insights. I think I'll take your
>> advice & NOT join the web server to our Windows domain.
>>
>> But it seems odd that this issue is never brought up regarding the
>> SBS which I think requires web services and is of coarse a DC. Are
>> a SBS inherently insecure?
>>
>> I was thinking that the practice of NOT adding web servers to a
>> Windows domain may be obsolete precaution that is a hold over when
>> IIS was much less secure. Is there ANY truth to that?
>>
>> Never the less, I understand the concept of layered security so I
>> intend to keep things as is. But I'd be interested in any feedback
>> about the above comments, just so I can more fully understand it.
>>
>> Sincere regards!
>>
>>
>> "OscarVogel" <(E-Mail Removed)> wrote in message
>> news:%23znq%(E-Mail Removed)...
>>> What's the basic pros & cons of making a Web server a member of our
>>> domain?
>>>
>>> I've heard that there are security problems with that, although I
>>> can't recall specifically what those problems are. That's why up
>>> until now I have made it a member of a workgroup (with the same
>>> name as our one domain). But that has caused some inconveniences
>>> such as maintaining separate list of users & passwords.
>>>
>>> So I'm wondering if I should join it to the domain.
>>>
>>> Thanks!

OscarVogel wrote:
> Thanks Roger & Steve for your good insights. I think I'll take your
> advice & NOT join the web server to our Windows domain.
>
> But it seems odd that this issue is never brought up regarding the
> SBS which I think requires web services and is of coarse a DC. Are a
> SBS inherently insecure?

Depends on how it is set up. At the end of the day, security isn't about
making a system as secure as possible - which could be served by turning it
off so that no-one can get at it - but rather by making it as secure as
possible without preventing the server being used for the purpose it was
purchased. That's obvious, I know, but sometimes bears repeating. Running
IIS on your sole server might not be an ideal situation, but it is perhaps
preferable to not running a website at all if you need a web site, and also
having the SBS wizards set it up and lock it down is preferable to having
someone who doesn't really know what they're doing trying to do it
themselves and bodging it.

> I was thinking that the practice of NOT adding web servers to a
> Windows domain may be obsolete precaution that is a hold over when
> IIS was much less secure. Is there ANY truth to that?

I'd personally say not "obsolete" but less important than it used to be.


--
--
Rob Moir, MS MVP
Blog Site - http://www.robertmoir.com
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
I'm always surprised at "professionals" who STILL have to be asked "Have you
checked (event viewer / syslog)".

Webserver (IIS) in an AD domain is not inherently insecure nor a
threat to the AD. What I was saying is that any external exposure
is a risk, so if there is no defined need for that exposure (webserver
in this case) to be a domain member then only risk is attained.
Depending on where the webserver is placed (DMZ, etc.) then
to be a domain member a number of ports need to be opened,
and, since people also tend to want to manage machines uniformly,
ports for management from inside can end up opened.

SBS is a breed upto itself, and the SBS team did do a large amount
of customization in order to get so many roles all running on the SBS
server (SBS 2003 at least). In the case of SBS, there are functions
mediated by IIS that do require domain membership for authentication,
and then also there is the assumption that there may be only one server
available - hence one sees IIS on a DC. Some of the IIS mediated
services face inward, some face outward and are optional.


"OscarVogel" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Thanks Roger & Steve for your good insights. I think I'll take your advice
> & NOT join the web server to our Windows domain.
>
> But it seems odd that this issue is never brought up regarding the SBS
> which I think requires web services and is of coarse a DC. Are a SBS
> inherently insecure?
>
> I was thinking that the practice of NOT adding web servers to a Windows
> domain may be obsolete precaution that is a hold over when IIS was much
> less secure. Is there ANY truth to that?
>
> Never the less, I understand the concept of layered security so I intend
> to keep things as is. But I'd be interested in any feedback about the
> above comments, just so I can more fully understand it.
>
> Sincere regards!
>
>
> "OscarVogel" <(E-Mail Removed)> wrote in message
> news:%23znq%(E-Mail Removed)...
>> What's the basic pros & cons of making a Web server a member of our
>> domain?
>>
>> I've heard that there are security problems with that, although I can't
>> recall specifically what those problems are. That's why up until now I
>> have made it a member of a workgroup (with the same name as our one
>> domain). But that has caused some inconveniences such as maintaining
>> separate list of users & passwords.
>>
>> So I'm wondering if I should join it to the domain.
>>
>> Thanks!
>>
>
>

Thanks Lanwench! I have a lot to learn about SBS - someday. My point on IIS
is that I do not believe that it has to be enabled to use SBS as a domain
controller as it does not on a Windows 2000/2003 domain controller though I
may be wrong. Of course for all the other functions you mention such as
Exchange then it would be needed of which I would imagine most SBS users
would take advantage of since it is included with SBS. --- Steve



"Lanwench [MVP - Exchange]"
<(E-Mail Removed) ahoo.com> wrote in message
news:(E-Mail Removed)...
> Pardon my jumping in(line)....
>
> In news:(E-Mail Removed),
> Steven L Umbach <(E-Mail Removed)> typed:
>> Well SBS is a different animal that is targeted for very small
>> businesses as an economical all in one package that can get that
>> small business into a Windows domain environment with only one
>> server. SBS 2003 I believe includes ISA
>
> (only in Premium...same with SQL. SBS Standard doesn't have ISA, and
> frankly, I don't want ISA running on a DC/Exchange box, so I personally go
> for Standard for my SBS-using clients)
>
>> which means that your domain
>> controller would also be your firewall if used which you will almost
>> never see in an enterprise environment. I don't see why SBS would
>> require IIS to be enabled.
>
> It really does, if you want full functionality - Sharepoint and Exchange
> and Remote Web Workplace, plus a lot of other stuff one might run, such as
> Trend Micro antivirus software, yaddayaddayadda.
>
>> My guess is that SBS users are not using
>> SBS for hosting their website but may be using it for SUS/WSUS
>
> More often, OWA, RWW, and intranet purposes. I wouldn't ever recommend
> hosting a public website on SBS or any server on the LAN/domain - OWA (SSL
> only) is a necessary evil, and as you say, a compromise.
>
>> . I
>> would not call SBS inherently secure but it is a compromise where the
>> scales are tipped to cost savings and convenience for a different
>> market than Windows 2003 Server.
>
> Exactly so.
>
>> There are millions of satisfied SBS
>> users and in almost all cases such users would not be considered high
>> value targets to attackers which reduces the threat.
>> In my opinion nothing has changed in the tactic of not making an IIS
>> server a domain member in that it should not be done if there is no
>> compelling reason to do so. However if there are hunderds or
>> thousands of domain users that need to access the IIS server and be
>> authenticated as domain users then it would be kind of crazy to
>> create local accounts for all of them. In such case using IIS6.0
>> certainly would be an advantage over previous versions of IIS. Also
>> using a firewall like ISA 2004 and then "publishing" the web server
>> can greatly increase security as ISA 2004 could then do deep
>> application http filtering as shown in the link below. --- Steve
>
> I agree with everything you've written, as usual.
>
>>
>> http://www.microsoft.com/technet/pro...filtering.mspx
>>
>>
>> "OscarVogel" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>> Thanks Roger & Steve for your good insights. I think I'll take your
>>> advice & NOT join the web server to our Windows domain.
>>>
>>> But it seems odd that this issue is never brought up regarding the
>>> SBS which I think requires web services and is of coarse a DC. Are
>>> a SBS inherently insecure?
>>>
>>> I was thinking that the practice of NOT adding web servers to a
>>> Windows domain may be obsolete precaution that is a hold over when
>>> IIS was much less secure. Is there ANY truth to that?
>>>
>>> Never the less, I understand the concept of layered security so I
>>> intend to keep things as is. But I'd be interested in any feedback
>>> about the above comments, just so I can more fully understand it.
>>>
>>> Sincere regards!
>>>
>>>
>>> "OscarVogel" <(E-Mail Removed)> wrote in message
>>> news:%23znq%(E-Mail Removed)...
>>>> What's the basic pros & cons of making a Web server a member of our
>>>> domain?
>>>>
>>>> I've heard that there are security problems with that, although I
>>>> can't recall specifically what those problems are. That's why up
>>>> until now I have made it a member of a workgroup (with the same
>>>> name as our one domain). But that has caused some inconveniences
>>>> such as maintaining separate list of users & passwords.
>>>>
>>>> So I'm wondering if I should join it to the domain.
>>>>
>>>> Thanks!
>
>

Some of the configure step, join member PCs, etc. are mediated by
an internal use website - no doubt one could do otherwise, but there
is a lot of functionality ready to go. I never specifically tried to
install
SBS without IIS, but I am pretty sure one would have to wrestle to
do so.

"Steven L Umbach" <(E-Mail Removed)> wrote in message
news:uzVt7Q$(E-Mail Removed)...
> Thanks Lanwench! I have a lot to learn about SBS - someday. My point on
> IIS is that I do not believe that it has to be enabled to use SBS as a
> domain controller as it does not on a Windows 2000/2003 domain controller
> though I may be wrong. Of course for all the other functions you mention
> such as Exchange then it would be needed of which I would imagine most SBS
> users would take advantage of since it is included with SBS. --- Steve
>
>
>
> "Lanwench [MVP - Exchange]"
> <(E-Mail Removed) ahoo.com> wrote in
> message news:(E-Mail Removed)...
>> Pardon my jumping in(line)....
>>
>> In news:(E-Mail Removed),
>> Steven L Umbach <(E-Mail Removed)> typed:
>>> Well SBS is a different animal that is targeted for very small
>>> businesses as an economical all in one package that can get that
>>> small business into a Windows domain environment with only one
>>> server. SBS 2003 I believe includes ISA
>>
>> (only in Premium...same with SQL. SBS Standard doesn't have ISA, and
>> frankly, I don't want ISA running on a DC/Exchange box, so I personally
>> go for Standard for my SBS-using clients)
>>
>>> which means that your domain
>>> controller would also be your firewall if used which you will almost
>>> never see in an enterprise environment. I don't see why SBS would
>>> require IIS to be enabled.
>>
>> It really does, if you want full functionality - Sharepoint and Exchange
>> and Remote Web Workplace, plus a lot of other stuff one might run, such
>> as Trend Micro antivirus software, yaddayaddayadda.
>>
>>> My guess is that SBS users are not using
>>> SBS for hosting their website but may be using it for SUS/WSUS
>>
>> More often, OWA, RWW, and intranet purposes. I wouldn't ever recommend
>> hosting a public website on SBS or any server on the LAN/domain - OWA
>> (SSL only) is a necessary evil, and as you say, a compromise.
>>
>>> . I
>>> would not call SBS inherently secure but it is a compromise where the
>>> scales are tipped to cost savings and convenience for a different
>>> market than Windows 2003 Server.
>>
>> Exactly so.
>>
>>> There are millions of satisfied SBS
>>> users and in almost all cases such users would not be considered high
>>> value targets to attackers which reduces the threat.
>>> In my opinion nothing has changed in the tactic of not making an IIS
>>> server a domain member in that it should not be done if there is no
>>> compelling reason to do so. However if there are hunderds or
>>> thousands of domain users that need to access the IIS server and be
>>> authenticated as domain users then it would be kind of crazy to
>>> create local accounts for all of them. In such case using IIS6.0
>>> certainly would be an advantage over previous versions of IIS. Also
>>> using a firewall like ISA 2004 and then "publishing" the web server
>>> can greatly increase security as ISA 2004 could then do deep
>>> application http filtering as shown in the link below. --- Steve
>>
>> I agree with everything you've written, as usual.
>>
>>>
>>> http://www.microsoft.com/technet/pro...filtering.mspx
>>>
>>>
>>> "OscarVogel" <(E-Mail Removed)> wrote in message
>>> news:(E-Mail Removed)...
>>>> Thanks Roger & Steve for your good insights. I think I'll take your
>>>> advice & NOT join the web server to our Windows domain.
>>>>
>>>> But it seems odd that this issue is never brought up regarding the
>>>> SBS which I think requires web services and is of coarse a DC. Are
>>>> a SBS inherently insecure?
>>>>
>>>> I was thinking that the practice of NOT adding web servers to a
>>>> Windows domain may be obsolete precaution that is a hold over when
>>>> IIS was much less secure. Is there ANY truth to that?
>>>>
>>>> Never the less, I understand the concept of layered security so I
>>>> intend to keep things as is. But I'd be interested in any feedback
>>>> about the above comments, just so I can more fully understand it.
>>>>
>>>> Sincere regards!
>>>>
>>>>
>>>> "OscarVogel" <(E-Mail Removed)> wrote in message
>>>> news:%23znq%(E-Mail Removed)...
>>>>> What's the basic pros & cons of making a Web server a member of our
>>>>> domain?
>>>>>
>>>>> I've heard that there are security problems with that, although I
>>>>> can't recall specifically what those problems are. That's why up
>>>>> until now I have made it a member of a workgroup (with the same
>>>>> name as our one domain). But that has caused some inconveniences
>>>>> such as maintaining separate list of users & passwords.
>>>>>
>>>>> So I'm wondering if I should join it to the domain.
>>>>>
>>>>> Thanks!
>>
>>
>
>