Sql-server – Running IIS and Virtualized SQL Server on same machine

Tags: iis, sql-server, windows-server-2012

I work for a small organization within the government. We maintain our own Windows Server 2003 web server on the govt. DMZ. We have to migrate to Windows Server 2008 or 2012 by July. Additionally, I'm rebuilding the website with .Net, which will now utilize an SQL Server database instead of MS Access.

I have read it's not the best idea to have both IIS and SQL Server on the same box, especially one exposed to the world. Due to budget and politics, we are looking at one server only. Our existing server cannot be upgraded; it doesn't meet the minimum requirements for Windows Server 2008+.

I'm currently working on a configuration for a new server and I'm considering running SQL Server on a virtual machine, while IIS runs on the host itself.
What are my security concerns with this setup? Is it possible for a hacker to steal my VM and gain complete access? None of the data will be classified, as it's all accessible via our public website.

EDIT – Adding Server Specifications

Dell PowerEdge T430 Tower (FT430)

  • 2 x Intel Xeon E5-2620 v3 2.5GHz, 15M cache
  • 8 x 8GB RDIMM, 2133MT/s, Dual Rank x8 Data Width
  • PERC H730 RAID Controller (will use RAID 5)
  • 4 x 600GB 15K SAS 2.5in Hot Plug HDDs
  • OnBoard Broadcom 5720 Dual Port 1Gb LOM
  • Dual, Hotplug, Redundant Power Supply (1+1), 495W

Best Answer

Not really knowing what server you are actually looking at we can only guess.

Adding to what GregL and Jim B said.

My guess is you're migrating from Server 2003 Standard, IIS 6.5, Access 2007 using ASP classic code pages connecting via OLEDB static. You might be planning on importing your Access using Upsizing Wizard (which kind of works most of the time) or you might try the 32bit app Import/Export.

For your new setup I'm thinking, MS Server 2012 Standard that is licensed for 1 physical and 2 virtual installs. That would offer you the option of running SQL and IIS independently in different VM's. But, that might not be the best approach in your case.

DO NOT: run public applications from a Hyper-V HOST OS. I would also suggest not enabling RDP on the HOST. Think of the host as the power cord to your server. If it breaks, you'll need to be onsite to fix it.

YOU CAN: install IIS in a Virtual Machine > Memory depends on your code, whether you run ASP classic or .Net

YOU CAN: install MS SQL in a Virtual Machine > Size of your VM depends on your Edition of MS SQL. Express versions offer up to 10GB of total overhead with data (Compare Editions).

Plan your server as you see it 7 years from now. Example: Virtual Server Drive Size day one, 128Gb, year 5 1.5TB, planned 3TB.

IIS 7.5 and above does work very well in a Virtual Environment. Running MS SQL Express designed for your OS in your virtual environment is also good. The idea behind it all is to be able to run more from a single physical server than before. If it runs in a stand-alone install it should be just fine in a virtual install. Excluding Datacenter versions that profit from using all physically attached devices and memory. Having both IIS and SQL Express on the same VM reduces my admin time by not having to watch a second server. Unless you're planning on running a Datacenter version, then you want it on its own physical machine.

Here are some numbers off of my Server 2008 R2 Standard. CPU 3.3Ghz, 8 core, 1 Physical 1 Virtual Windows servers, 2 Virtual Ubuntu Servers, 2 Win8 Virtual Desktops, 2 Win7 Virtual Desktops.

IIS = 3.4Gb (27 IIS www sites, 3 ASP Classic 24 .Net)

2008 SQL Express = 1.14Gb (28 dbs active)

OS 2008 R2 VM = < 2Gb

Total Memory 10Gb never has used it all.

Your 64GB memory machine will be nice, but take your real numbers and tune your system to match plus 20%, or what the OS recommends.

Regarding the hackers, they do exist, but so do scripts. Plan your system recovery as if you're planning on being hacked every night. And practice your recovery process until it's perfect then when it's needed it will actually work.
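As an added example (not part of the question or the answer above), the following PowerShell script audits a Hyper-V host against the advice given in the answer: no IIS or SQL Server on the host itself, RDP disabled on the host, every VM attached to a virtual switch, and a VM export taken so the recovery process can actually be practised. It assumes Windows Server 2012 or later with the Hyper-V and ServerManager modules present; the export path `D:\VMExports` is a hypothetical placeholder, and the remediation lines are left commented so the script reports rather than changes anything until you choose to uncomment them.

```powershell
# Added example, not from the original post: audit a Hyper-V host for the
# host-hardening points made in the answer. Run as Administrator on the host.
Import-Module Hyper-V
Import-Module ServerManager

$findings = @()

# 1. Public-facing roles must not run on the host OS. 'Web-Server' is the
#    ServerManager name of the IIS role.
$iis = Get-WindowsFeature -Name 'Web-Server'
if ($iis -and $iis.Installed) {
    $findings += 'Host has the Web-Server (IIS) role installed; IIS belongs in a VM.'
    # Remediation (uncomment to apply): Uninstall-WindowsFeature -Name Web-Server
}

# Any SQL Server instance registers a service named MSSQL$<instance> or MSSQLSERVER.
$sqlSvc = Get-Service -Name 'MSSQL*' -ErrorAction SilentlyContinue
if ($sqlSvc) {
    $findings += "Host is running SQL Server service(s): $($sqlSvc.Name -join ', '); move SQL into a VM."
}

# 2. RDP should be off on the host. fDenyTSConnections = 1 means connections are denied.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
if (-not $ts -or $ts.fDenyTSConnections -ne 1) {
    $findings += 'RDP is enabled on the host; manage the host from the console or Hyper-V Manager instead.'
    # Remediation (uncomment to apply): Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
}

# 3. Every VM network adapter should be connected to a virtual switch, so the
#    guest (not the host) is what sits on the DMZ network.
foreach ($vm in Get-VM) {
    foreach ($nic in Get-VMNetworkAdapter -VMName $vm.Name) {
        if (-not $nic.SwitchName) {
            $findings += "VM '$($vm.Name)' adapter '$($nic.Name)' is not connected to any virtual switch."
        }
    }
}

# 4. Recovery drill: export each VM (configuration + virtual disks) so the
#    rebuild can be rehearsed with Import-VM on a clean host.
$exportRoot = 'D:\VMExports'   # hypothetical path; point it at non-RAID-member storage
New-Item -ItemType Directory -Path $exportRoot -Force | Out-Null
foreach ($vm in Get-VM) {
    Export-VM -Name $vm.Name -Path $exportRoot
    $findings += "Exported VM '$($vm.Name)' to $exportRoot for recovery testing."
}

if ($findings.Count -eq 0) { 'Host audit: no findings.' } else { $findings }
```

Run it after the initial build and again after each change to the host. The exported folders are what you restore with `Import-VM` when rehearsing the "hacked every night" recovery scenario; time that restore, because the number you get is your real recovery objective, not the one on the planning sheet.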