Hunter,

Thanks for your reply. I must say that in the many times I have asked this question, you have probably given me the best answer. I have always received something like, “we just do it because it is easy”, “I don’t know”, “no one said that it wasn’t okay so why not do it?” or something else that in my opinion may not be as professional a reply as it should be.

I think that you are right. I don’t think that a definite answer is out there. I am sure that there is a Microsoft reader on this list that will have an answer or maybe be able to direct us to that answer if one does exist. If there is a person, I would like to request that they start another thread with this topic. I am sure that I am not the only one with this as a question when it comes to bastion hosts and a domain.

Edwin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter

Edwin-

I don't think you're going to find a
simple yes or no on the question of whether to put public facing servers in a
(separate) domain. Assume for a minute that one of your public servers gets
compromised. If it's a standalone server, then the attacker is somewhat
constrained in her ability to leverage that server against your other servers.
If it's in a domain, then the attacker has a somewhat easier task of expanding
the attack to other servers in the domain. Of course, you may find it easier to
lock down your public servers via group policy, SUS, and other things if you
are able to use domain-based management tools. And you may find that having
your users and developers using a single domain account cuts down on the number
of passwords taped to monitors and under keyboards.

As is often the case, the closest you'll come to a definitive answer is "It depends..."

Hunter

From: Edwin [mailto:[EMAIL PROTECTED]

Michael,

If I may, I would like to ask you a question based off of your last reply to this thread. You said, "It can't be a part of the domain (our policy is that shared hosting
servers (excepting our Exchange hosting servers, which have their own domain)
are standalone)"

I share this same opinion while others in the organization I work for insist on having a domain for ease of management and other features. I believe that there are other ways to "easily" manage servers and use whatever features you want without the use of a domain.

My question to you is if your last statement is based on a preference of your organization or because of a document that gives good arguments as to why a domain should not be used on public servers? If based on a document, would you be able to share this information?

I have found many documents that say having a domain on a public server is no problem, but that the domain should be isolated from other domains. But none of the documents give a recommendation as to whether or not it should or should not be used. I am basically looking for a definite yes or no answer and not something like, "sure, it's okay to do." I don't know if such a document exists, but if there is an official statement from Microsoft about it, I would love to begin an argument with my co-workers about it.

Thank you,
Edwin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith

No, the provisioning application needs to be able to create a folder and a file within that folder and assign rights. It can't be a part of the domain (our policy is that shared hosting servers (excepting our Exchange hosting servers, which have their own domain) are standalone).

Thanks for the thought.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al

So really the rights you need are the
ability to open a file on a file share you have rights to? Is it possible
to make it part of the domain? You could use the machine account or the IIS
account then. If not, then the trick here is to allow file system access
to the application (the user-context of the application really). Would that work?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith

I have a provisioning application that runs on a domain member that needs administrative access to a standalone server.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al

Credentials other than the ones that IIS is running under? Personally, I haven't seen a way to do that and wonder why you would want to do it that way?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith

Is there any way to create a FileSystemObject with alternate credentials, similar to what I can do with OpenDSObject for an ASP web page?

Thanks,
M