Active Directory and IIS, Best Practices?

Status
Not open for further replies.

Ddraig

MIS
Jul 16, 2004
97
US
Howdy,

I am trying to work on an intranet application, and an Admin application which will authenticate to Active Directory. However, I just found out that our webserver is not linked up to Active Directory, and it is not on our domain. The only reason, from what I have been able to gather, is for security purposes. Is this normal? What's the best option here?

Thanks,
Owen

-
 
Security practices apply for both Internal (private) and External (public) Web services. Configuring an internal web server as a domain member is an acceptable practice for utilizing AD authentication. My suggestion here would be to still use SSL and FORMS based authentication or integrated authentication to protect plain text passwords over the wire.

Public web servers, whether they are domain members or not, require proper security and port filtering. There should be a layer of protection between the outside world, your web server, and your internal network. AKA a DMZ.

Best practice for Public Web servers is to apply proper network security, not make them a member of your domain, and disable NetBIOS service.
 
I'm still not 100% sure which way I want to go with this. I was kind of hoping that I could have the admin section on the main webserver (which is a public one). Although now that I think about this, as long as both applications, the public side and the admin side, are pointing to the same SQL database I should be alright :D Couldn't really think straight yesterday I guess.

Let me just run this by you to make sure I'm thinking straight if you don't mind.

Our public webserver, not on our domain, will house the public side of my web application. Set up an internal, on-the-domain webserver for our employees; this will be where the admin section is kept. Then make sure they are pointing to the same SQL server and I should be good.

-
 
Are your Public and Private Webservers actually two different physical servers? If so, great... make sure you apply proper Network layer security. I would create separate SQL Databases, keeping any sensitive data from being queried from the public site.
 
I would suggest keeping your Public Site (Internet) and your Private Site (Intranet) on two separate web servers. Public in the DMZ and Private within your Network. Just the way I would do it...
 
Thanks again for the suggestions.

I'm kind of stuck with what to do at the moment. I've been looking at our IIS and it just does not seem to be set up in the best possible way. It's been copied over from an older IIS 5.0, possibly even 4, to IIS 6.0. I was wondering if you or anyone else could recommend any best practices websites when setting up IIS? I am looking at it, and it is really not logical and is a bit of a mess. I'm not sure if I should get this sorted out and fixed before I even start to develop new pages for our websites, or develop them and then implement changes to the IIS before we implement the pages one at a time.

Thanks,
Dd.

-
 