[lvs-users] Single-lan config?

David Dyer-Bennet dd-b at dd-b.net
Mon Oct 13 21:39:33 BST 2008


On Mon, October 13, 2008 15:23, Graeme Fowler wrote:
> On Mon, 2008-10-13 at 15:13 -0500, David Dyer-Bennet wrote:
>> My desktop system is part of the corporate domain.  So are the desktops
>> of the people doing Windows development.  Why would making a server part
>> of the domain be any more dangerous than that?  And that's standard
>> anywhere that does Windows development.
>
> You're personally fairly unlikely to run code as a system account,
> especially when developing - you're more likely to run it as yourself.
> Of course, many developers and sysadmins make themselves admins on their
> own machines (makes installing software just *so* much more convenient
> than doing "runas") so the security arguments in those cases are
> slightly damaged anyway :)

I think "myself" is defaulting to being an admin on my desktop  --  at
least I never have any trouble installing code on this system.  (*Not* a
Windows admin expert!)

> Allowing arbitrary code (think of the mass of .NET examples out there)
> to be executed under the IIS framework is a dangerous game, especially
> (as is often the case) when it's being executed by a user with elevated
> privileges (like the Network Service user which IIRC is the default user
> for IIS code execution).
>
> This is, of course, a massive Catch-22 for hosting operations, and is
> the reason why app pools came along in IIS6 which allowed almost
> complete segregation of execution environments which themselves ran as
> non-privileged users. Much tidier than it used to be.

Yep, hosting gets complicated, that's for sure!

> In your environment you might not be exposing the web servers to that
> nasty Intertubes thingmy, which makes security all the easier to manage.

Right, we're not.
-- 
David Dyer-Bennet, dd-b at dd-b.net; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info
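The app-pool segregation Graeme describes can be checked on a host directly. The script below is an added example, not code from this thread; it assumes an IIS 7+ box with the WebAdministration PowerShell provider, and the pool name `ExamplePool` in the commented-out fix is a constructed placeholder.

```powershell
# Added example (not from the thread): list every IIS application pool and
# flag pools whose worker process runs under a shared built-in account
# (LocalSystem is fully privileged; NetworkService/LocalService are shared
# between pools, so they give no per-pool isolation).
# Assumes the WebAdministration module (IIS 7+ with the PowerShell provider).
Import-Module WebAdministration

$shared = @('LocalSystem', 'NetworkService', 'LocalService')

Get-ChildItem IIS:\AppPools | ForEach-Object {
    $identity = "$($_.processModel.identityType)"
    $finding = if ($identity -eq 'LocalSystem') {
        'HIGH: worker process runs as SYSTEM'
    } elseif ($shared -contains $identity) {
        'REVIEW: shared built-in account, no per-pool segregation'
    } else {
        'ok'   # ApplicationPoolIdentity or a dedicated SpecificUser account
    }
    [pscustomobject]@{
        Pool     = $_.Name
        Identity = $identity
        User     = $_.processModel.userName   # only set for SpecificUser
        Finding  = $finding
    }
} | Format-Table -AutoSize

# To move a pool onto its own virtual account ("IIS AppPool\<poolname>").
# Constructed pool name; any file or registry ACLs granted to the old
# identity must be re-granted to the new one, so test outside production:
# Set-ItemProperty 'IIS:\AppPools\ExamplePool' -Name processModel.identityType -Value ApplicationPoolIdentity
```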