|
Posted by =?Utf-8?B?ZHJpbGV5?= on January 26, 2008, 1:51 am
If you were Registered and logged in, you could reply and use other advanced thread options
The vendor supports the solution entirely, so it is unlikely that we will
perform any hardening of the DC, IIS, SQL etc.
"Roger Abell [MVP]" wrote:
> I probably should not reply as you ask for someone to tell
> you they think you are wrong in seeing this as a bad idea.
>
> Although it can be done safely many of us (MVP types)
> will immediately say that a DC should be a DC only, that
> it should not run an application server (ie. IIS).
>
> Let's assume that your network config is without mistake
> and so only tcp 80/443 could route to the box from outside,
> and further let us assume that you have the ability to config
> the machine with all of the OS level hardening best practices
> (which is not trivial with a DC). Even with those you are
> still placing (by what you have said) your entire internal
> network at risk due to the potential for exploit of their web
> application and its use of SQL. From what I heard, that
> application level exposure is not within your ability to
> control, so you would be saying that you trust their quality
> as that could be all that protects your internal network.
>
> Can you configure their machine so that it is isolated
> rather than able to contact other internal machines?
>
> Roger
>
>
> > In my work environment we have a vendor provided solution running on our
> > internal network. The solution is in its own domain and there are no trust
> > relationships to our domain.
> >
> > The vendor has a web application that they want to publish on the internet
> > for a limited number of users. The web application uses IIS and is
> > installed
> > on their domain controller, which also hosts their application. Some of
> > our
> > confidential customer information is stored on this system.
> >
> > The vendor is trying to tell us that all we need to do to make this system
> > secure is to install an SSL certificate and open up 80 and 443 on the
> > firewall. The system sits inside our network and is not in a DMZ or
> > otherwise
> > isolated from other internal systems.
> >
> > The domain controller is not hardened in any way and is running IIS and
> > SQL.
> > Basically they want to make a domain controller into a web server and they
> > are saying that an SSL certificate will make this a secure solution.
> >
> > Someone tell me if I am wrong in thinking that this sound like a bad idea.
> >
>
>
>
| 
XML site map