SANS Windows Security Training

SANS Windows Security Training (PDF, 1.79MB)
Published: 30 Sep, 2001
Created by: Philip Blow

Almost every security checklist for Microsoft Internet Information Services (IIS) recommends that servers with the IIS web service installed on them should not be placed into Windows Domains. I have embraced this recommendation within the automated secure server builds that I have developed for a large dedicated hosting provider. However, the questions I am now being asked are 'Why shouldn't I place my IIS Web Servers into a Windows Domain?' and 'How do I add my IIS Web Server to a Windows Domain so that I maximise security?' This paper will answer the above questions in relation to both the Windows Directory Services that are currently being utilised on the Internet - these being Windows NT 4.0 Domains and Windows 2000 Active Directory. This paper will suggest a network architecture and installation process that can be used when the inclusion of IIS web servers in a Windows Domain cannot be avoided. Before the questions can be answered I will provide an overview of Windows Directory Services.