echo: nthelp
to: Mike N.
from: Ellen K.
date: 2005-02-18 09:15:46
subject: Re: SQL Server on intranet?

From: Ellen K. 

Well, the only thing I can think of in response is that a hypothetical
malicious employee would be more likely to know something about IIS than
about SQL Server... but since you're saying it doesn't matter which box
it's on then I guess that's irrelevant.

On Fri, 18 Feb 2005 08:02:24 -0500, Mike N. 
wrote in message :

>On Thu, 17 Feb 2005 23:38:53 -0800, Ellen K. 
>wrote:
>
>> I don't like the idea of IIS
>>and SQL Server on the same box, even if it's only internal...  If I'm
>>wrong, please beat me up, but if I'm not wrong, please help me out with
>>some specific ammunition.
>
>  There are several viewpoints -
>     Assuming that it is easier to break into a poorly or mis-configured
>IIS site than SQL Server, the IIS code has the same rights to the SQL data
>whether it's on the same or different server.    [No difference]
>
>   The other half is that it becomes slightly easier to interrogate the
>registry, filesystem, etc on the SQL server system, assuming that they can
>gain control over the IIS site. [Very slightly less secure]
>
>

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270 5030/786
@PATH: 379/45 1 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
