From: "Geo" 

A malicious employee could strip the wires off his network cable and plug
them into a 120v outlet.. 

I think the main concern of having them both on the same machine should be
worms/virus hitting the machine. It doubles the chances that the database
hosting box could get infected.  OTOH, that's what backups are for since if
you separate them and one box gets hit you are still down...

Geo.

"Ellen K."  wrote in message
news:5k8c11ls7kq9elvm9ehpumvbnqq95ivujj{at}4ax.com...
> Well, the only thing I can think of in response is that a hypothetical
> malicious employee would be more likely to know something about IIS than
> about SQL Server... but since you're saying it doesn't matter which box
> it's on then I guess that's irrelevant.
>
> On Fri, 18 Feb 2005 08:02:24 -0500, Mike N. 
> wrote in message :
>
> >On Thu, 17 Feb 2005 23:38:53 -0800, Ellen K.

> >wrote:
> >
> >> I don't like the idea of IIS
> >>and SQL Server on the same box, even if it's only internal...  If I'm
> >>wrong, please beat me up, but if I'm not wrong, please help me out with
> >>some specific ammunition.
> >
> >  There are several viewpoints -
> >     Assuming that it is easier to break into a poorly or mis-configured
> >IIS site than SQL Server, the IIS code has the same rights to the SQL
data
> >whether it's on the same or different server.    [No difference]
> >
> >   The other half is that it becomes slightly easier to interrogate the
> >registry, filesystem, etc on the SQL server system, assuming that they
can
> >gain control over the IIS site. [Very slightly less secure]
> >
> >
>

--- BBBS/NT v4.01 Flag-5