John,

What you are describing is distributed mode, and I am not surprised that an audit recommended it - most do regardless of whether it is of value or not.

The basic premise is this - any public-facing box is a target, and web servers are public-facing. At some level it is good practice to be a little paranoid and assume that whatever is on your web server box will get hacked and/or stolen. So, if you do buy that premise, then anything important should not be on the web server. (Incidentally, this is my primary objection to the use of Access, but that is a separate discussion.) That includes source code, database connections, passwords, and more.

Is there value in this? Possibly. The truth is your source code should never contain passwords or important things like that anyway. But access to databases? Yep, that's a valid concern.

Is there a downside? Yes. There are performance implications in separating your application server from your web server, regardless of which application server it is. Some are of the opinion that you should not separate CF from IIS (in your scenario), rather, keep them coupled but inside your firewall. Then have a proxy server outside and only allow it to get to the internal server. But as to whether or not that is good or bad, that is a debate unto itself.

--- Ben

-----Original Message-----
From: Venable, John [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 11:10 AM
To: CF-Talk
Subject: Separating IIS from CF

We just had a security audit and one of the recommendations was to separate Cold Fusion and IIS onto two separate systems. I hadn't heard of doing this, and am really wary of doing this since we are using Commonspot and I have no idea what ramifications would result. Their reasoning for this was pretty vague, so can anyone give me reasons why we should and shouldn't do this? The motivation in this particular case being improved security.

Thanks
John

---
John Venable
Director of Web Architecture
Epilepsy Foundation

