Microsoft SQL and IIS on the same server

[morganlefay]

I think what we are all getting at here...

It really depends on what hardware you are using, how many users and what processes will be running....

What kind of data is going to be made public....all the SQL data...or just some of it. If it is just some of it...consider having the main data on a seperate machine....and table import the data needed to be made public...replicate back and forth if needed.

I am running a SQL database...and importing and updating data has been so far...painless...all depends on how many records etc

TS has a great point about seperating them...makes it harder to compromise 2 systems...and hopefully easier to detect....make them jump through some hoops

MLF

[Tiger Shark]

and maybe easier to detect

Much..... with both servers in a DMZ alone with eachother:-

Ruleset start

Alert tcp IIS_SERVER any -> SQL_SERVER !1433 (msg: Someone is on my IIS Server, (TCP)"; classtype: bad-unknown;)
Alert udp IIS_SERVER any -> SQL_SERVER any (msg: Someone is on my IIS Server, (UDP)"; classtype: bad-unknown;)

include ms-sql.rules

Ruleset end

Very oversimplified - but you get the point.... ;)

[HTRegz]

Hey Hey,

Here's my line of thinking on this.

It would be nice if every major service you were running had it's own machine... That's everyone's dream... however it's not always reality..

I've got 2 servers... and let's just say I've got more than two uses for those servers..

Server 1 - 1 x 2.4Ghz Xeon Processor, 2GB RAM, SCSI Drives... It's running... AD, IIS, Exchange, SQL 2000.

Server 2 - 2 x 1Ghz P3, 648MB RAM, SCSI OS Drive, SATA Storage Drives.... File and Print Server... (Which also means running services for mac)

While the server is bogged down... it runs stable... The $1200 for a new server with the required specs just isn't feasible at this time (or so I'm told)...

I'm slowly learning that with smaller companies... it's not the mentality of security and stability... it's the mentality of "if it works.. it works... that's all that matters"..

Even if we were to get another server it'd still be IIS and SQL 2000 on the server... Mostly because I don't like my AD being the public machine... Either that or it'd be AD and SQL in the back with IIS and Exchange in the front...

Anyways... this sums up into... get as many individual servers as they'll allow you (or you can afford) and seperate your services... but in the end... as long as you're careful the software tends to play fairly well together and one server can multitask as needed.

Peace,
HT

[Tiger Shark]

EEK.... HT.... You are breaking the biggest rule.... IIS and AD on the same box... assuming that this is your domain's AD and it is publicly available.

Go find that crappy old workstation that will only just run Win2k server. Fire it up in a DMZ and have it run IIS. Have it receive SMTP and forward any mail to the Exchange Server on the private network. The only access to the Exchange Server from the public networm _might_ be SSL for OWA. Run your web site(s) out there too.

If you need the SQL server to server data to the IIS server bring it inside, (since it is also your AD), and only allow 1433 from IIS box to SQL box from the DMZ. That's a more secure stance than you have right now.

Two of my public machines are old PII/266 laptops - one of which has a broken screen so it has to be TS'ed to to administer it. They only serve secondary DNS and one serves as a backup SMTP server. They work fine.

If you allow any DNS resolution in to server one you need to be very careful since the server is an AD server you could leak all your private network structure out to the public network. You need to split that DNS if you do allow DNS queries in.

[HTRegz]

Hey Hey,

I'm breaking tons of rules... unforunately their last administrator had a Programming Degree... which is better than a 3 year diploma in system administration and networking.. especially when you're doing system administration... He spent 3 years here (lucked into the job initially) and has now moved on with a 4 year programming degree and 3 years of sysadmin under his belt.. and left me with this mess.

They don't believe in spending money on IT... (although I did get around 4000 when I started for upgrades... however there were more pressing matters than another server or security... at least in their mind)....

I've got an old machine here... It has to be fired up in the next bit just to see what's on it... and if I can do anything with it.... if I can get it working then I'll put it to work... However because of the software we run we're rather limited in what we can do...

We run Advertising Firm/Marketing Management software... we pay a monthly fee for it... It requires SQL and IIS on the same box.. (not sure why the same box... but hell I wasn't even allowed to install it.. had to give them remote access to do it)... It also has to be live on the internet for their billing server to run queries and access certain pages so they can charge us accordingly...

Also.... All I've got to work with as far as networking equipment goes is a 4-port linksys router (Firmware circa June 2001) and a couple of random SMC/DLink hubs and switches... nothing I can really use to manage anything...

My Actual goal is to take the one spare box I have.... and get two NICs for it... running it with a firewall distro in between the internet connection and the router... We will randomly lose our connection on weekends because our ISP does montly reboots and our linksys will only try to reconnect 3 times before giving up and saying failure... So I'd like to have linux establishing our connection and serving the router... or just the network (Eliminate the router completely)...

However... I'm applying several places over the course of this week.... I'm tired of the work I do for the limited pay I get... so we'll see if I actually get anything accomplished.

Peace,
HT

[Tiger Shark]

J00 FuX0r3d...

[HTRegz]

Originally posted here by Tiger Shark
J00 FuX0r3d...

Already know that

[uncled]

Indeed, the decision on whether or not to put IIS and SQL on the same server comes down to a number of factors, the biggest probably being cost (dollars) and the criticality of the application/data.

No doubt industry best practices call for physical separation. At my company we have a firewall in between the web server and backend database and only allow ODBC through. If you assume that your IIS server will get compromised at some point (a safe assumption!), it then becomes a question of how important the data is sitting in the database. If you don't care much about the data, by all means put it on the same server. But if the data has value, you may consider firewalling the connectivity.

- Uncle D