
IS AD necessary for Public IIS websites?


LOPAG (IS-IT--Management, US)
Oct 30, 2006
I am working on deploying a series of .NET web apps for Internet users on a Windows 2003 server using Microsoft technologies (IIS/MSSQL/ASP.NET). The environment will also have Network Attached Storage (Windows-powered) to hold various files that need to be rendered as links, etc. Hence the virtual directories from the web box need to be able to get to the NAS. There will be a box that will host a mail component and a DNS component. There will also be a SQL box. Most, if not all, will be in the LAN (non-routable IPs, behind a firewall) except the web servers, which will reside in a DMZ.

Is Active Directory installation necessary in such a setup? If not necessary, then is there any security issue that I need to be aware of?
 
By using the phrase "Internet users", I assume that the website will be open to the public. Therefore, no AD is required; however, there are a few security concerns regarding access to files stored on the NAS, but we can work around that.

I recommend you do not specify a default gateway for any of the servers in the DMZ except for the server(s) that will host the W3SVC, SMTPSVC and DNS services. This will minimize the risk of Internet users, possibly hackers, tampering with or probing those systems. Patching and configuration should come from within the LAN of the organization.

In order to serve files from the NAS server, create a local user account on the NAS, assign NTFS and share read permissions to this account, and use the account on the IIS server's virtual directory that points to the network share defined on the NAS. Note: A user who types in the absolute path to a file (e.g. will be able to access the document directly using the virtual directory user account. In other words, a user could circumvent your program flow by accessing a file on the NAS directly using HTTP.

Allow your IIS server to respond only to specific incoming requests (ports 80 or 443) on the NIC facing the Internet. Lock down your SMTP server to prevent it from becoming a spam relay.

I am not quite sure of the DNS component you are speaking of. Maybe you can elaborate a little more.


Paul

Work on Windows, play on Linux.
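The note above about users reaching NAS files directly through the virtual directory is the main risk in this design. One way to close it, as an added example that is not Paul's code or the original poster's, is to keep the share out of the web root and serve documents through an ASP.NET 2.0 handler that authorizes each request and canonicalizes the requested name. The share path \\NAS01\Documents, the `doc` query parameter and the class name are assumptions.

```csharp
// Added example: serve NAS documents through the application rather than a
// browsable virtual directory. The handler runs under the application pool
// identity, which holds the read-only share permissions from the post above.
using System;
using System.IO;
using System.Web;

public class NasDocumentHandler : IHttpHandler
{
    // Assumed UNC path of the read-only share on the NAS.
    private const string ShareRoot = @"\\NAS01\Documents";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Only callers the application itself has authenticated (e.g. Forms
        // authentication) get a document; anonymous requests are refused.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 403;
            return;
        }

        string requested = context.Request.QueryString["doc"];
        if (String.IsNullOrEmpty(requested))
        {
            context.Response.StatusCode = 400;
            return;
        }

        // Canonicalize, then verify the result is still under the share root.
        // "..\" sequences and absolute paths in the parameter fail this check
        // (Path.Combine returns an absolute second argument unchanged).
        string fullPath = Path.GetFullPath(Path.Combine(ShareRoot, requested));
        string rootWithSep = ShareRoot.TrimEnd('\\') + "\\";
        if (!fullPath.StartsWith(rootWithSep, StringComparison.OrdinalIgnoreCase)
            || !File.Exists(fullPath))
        {
            context.Response.StatusCode = 404;
            return;
        }

        // Send as a download with a neutral content type so the browser does
        // not render the file as active content.
        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(fullPath) + "\"");
        context.Response.TransmitFile(fullPath);
    }
}
```

Register the handler under `<httpHandlers>` in web.config and, on IIS 6, map its extension to aspnet_isapi.dll so requests are not served as static files; the share itself is then never exposed as a virtual directory.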
 