Point taken. And thanks. I don't really consider IIS all that insecure, anymore. There are a lot of Small Business Servers out there, for example.
I'm only saying there are better reasons not to put SUS on a DC other than the use of IIS. I mean, Windows is a 'known problem'. Carry on. William Lefkovics eEye Digital Security http://www.eeye.com/html/Products/SecureIIS/index.html -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Saturday, September 20, 2003 6:23 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now William, Let me clarify myself: I don't FEAR IIS on a DC. Just from a security perspective, I don't think it's smart. I don't see any reason to put a known problem on my domain's authentication source, among other things. Now, I might change my mind if we're talking about IIS 6.0, but likely not. Least privilege access. IIS is not needed on a DC, and is not part of what a DC needs to do what it is designed for. But, that's just me. Wonderful thing about freedom - each is free to do whatever he wants. As long as it doesn't impede on the freedom of others, have at it. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of William Lefkovics Sent: Saturday, September 20, 2003 8:01 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now I agree with that premise of no SUS on a DC, though I have no fear of IIS on a DC. Domain controllers are special and should not get auto-anything in terms of updates or other changes. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Saturday, September 20, 2003 11:39 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now Raymond, Good question - I hope that I can provide a good answer. I would NOT suggest or recommend deploying SUS to a DC for one simple reason: It requires IIS, and for security purposes, I will not deploy IIS onto a domain controller - which clearly dismisses a DC from hosting SUS IMHO. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
