| Groups | Blog | Home |
iis security : Recommendations for securing IIS 6.0 as a public web server
I am planning on posting our public website on IIS running under Windows
Server 2003 R2. Can anyone point me at any good sites or white papers for the best practices for securing the site for public access? I am planning on making the server a member of our corporate domain for access to it from internal, and only allowing monitored forwarded port 80 access from the public Internet to the site through our firewall. The website is only going to contain static pages and nothing confidential, so SSL won't be necessary. All recommendations are welcome. Thanks!
While what you outline is not uncommon, I would like to ask . . .
You said [quoted text, click to view] > I am planning on making the server a member of our corporate domain for > access to it from internal, What does that mean? You characterized content and lack of SSL need. This implies access, even "from internal" could just as well be unauthenticated. So, what does this mean? I often see admins make decisions that from one viewpoint are avoidable exposures of the corp net/assets because from another viewpoint the result would have operational/managerial simplicity (at least on first examination) I am just checking whether your focus is guarding/hardening the IIS system or guarding/hardening the corp domain. -- Roger Abell Microsoft MVP (Windows Server : Security) [quoted text, click to view] "Rob Gordon" <Robert.Gordon@nospam.dslextreme.com> wrote in message news:eUMlg6vzGHA.4392@TK2MSFTNGP04.phx.gbl... >I am planning on posting our public website on IIS running under Windows >Server 2003 R2. Can anyone point me at any good sites or white papers for >the best practices for securing the site for public access? I am planning >on making the server a member of our corporate domain for access to it from >internal, and only allowing monitored forwarded port 80 access from the >public Internet to the site through our firewall. > > The website is only going to contain static pages and nothing > confidential, so SSL won't be necessary. > > All recommendations are welcome. Thanks! >
I was planning on making the server a member of our internal Windows
corporate AD domain. Unless the more security minded approach is to make the server a stand alone, so that if it becomes compromised no further actions can be taken against the internal Windows AD domain. I would be interested in hardening both IIS, and doing the most security minded method for keeping the internal domain safe as well. Regards, Rob Gordon [quoted text, click to view] "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message news:OMJzEuwzGHA.4796@TK2MSFTNGP06.phx.gbl... > While what you outline is not uncommon, I would like to ask . . . > > You said >> I am planning on making the server a member of our corporate domain for >> access to it from internal, > > What does that mean? > > You characterized content and lack of SSL need. This implies > access, even "from internal" could just as well be unauthenticated. > So, what does this mean? > > I often see admins make decisions that from one viewpoint are > avoidable exposures of the corp net/assets because from another > viewpoint the result would have operational/managerial simplicity > (at least on first examination) > > I am just checking whether your focus is guarding/hardening the > IIS system or guarding/hardening the corp domain. > > -- > Roger Abell > Microsoft MVP (Windows Server : Security) > > "Rob Gordon" <Robert.Gordon@nospam.dslextreme.com> wrote in message > news:eUMlg6vzGHA.4392@TK2MSFTNGP04.phx.gbl... >>I am planning on posting our public website on IIS running under Windows >>Server 2003 R2. Can anyone point me at any good sites or white papers >>for the best practices for securing the site for public access? I am >>planning on making the server a member of our corporate domain for access >>to it from internal, and only allowing monitored forwarded port 80 access >>from the public Internet to the site through our firewall. >> >> The website is only going to contain static pages and nothing >> confidential, so SSL won't be necessary. >> >> All recommendations are welcome. Thanks! >> > >
[quoted text, click to view]
"Rob Gordon" <Robert.Gordon@nospam.dslextreme.com> wrote in message news:%23DwzO6xzGHA.4648@TK2MSFTNGP04.phx.gbl... >I was planning on making the server a member of our internal Windows >corporate AD domain. why? [quoted text, click to view] > Unless the more security minded approach is to make the server a stand > alone, so that if it becomes compromised no further actions can be taken > against the internal Windows AD domain. > that is ipso facto more defensive. but is there a need to do otherwise? i.e. Why? [quoted text, click to view] > I would be interested in hardening both IIS, and doing the most security > minded method for keeping the internal domain safe as well. > > Regards, > > Rob Gordon > > > "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message > news:OMJzEuwzGHA.4796@TK2MSFTNGP06.phx.gbl... >> While what you outline is not uncommon, I would like to ask . . . >> >> You said >>> I am planning on making the server a member of our corporate domain for >>> access to it from internal, >> >> What does that mean? >> >> You characterized content and lack of SSL need. This implies >> access, even "from internal" could just as well be unauthenticated. >> So, what does this mean? >> >> I often see admins make decisions that from one viewpoint are >> avoidable exposures of the corp net/assets because from another >> viewpoint the result would have operational/managerial simplicity >> (at least on first examination) >> >> I am just checking whether your focus is guarding/hardening the >> IIS system or guarding/hardening the corp domain. >> >> -- >> Roger Abell >> Microsoft MVP (Windows Server : Security) >> >> "Rob Gordon" <Robert.Gordon@nospam.dslextreme.com> wrote in message >> news:eUMlg6vzGHA.4392@TK2MSFTNGP04.phx.gbl... >>>I am planning on posting our public website on IIS running under Windows >>>Server 2003 R2. Can anyone point me at any good sites or white papers >>>for the best practices for securing the site for public access? I am >>>planning on making the server a member of our corporate domain for access >>>to it from internal, and only allowing monitored forwarded port 80 access >>>from the public Internet to the site through our firewall. >>> >>> The website is only going to contain static pages and nothing >>> confidential, so SSL won't be necessary. >>> >>> All recommendations are welcome. Thanks! >>> >> >> > >
Hi Rob:
Best practices are the following: 1. Get a firewall that allows you to set up a LAN (internal) and a DMZ (external). 2. Get at a minimum two boxes (servers): one for the outside on the DMZ serving the web pages, and one internal serving the corporate requirements on the LAN. You can get fancier by having two boxes on the DMZ, one with IIS serving the pages, and one holding the SQL databases. Your internal requirements/ servers, you already have/know. 3. Set up 2 domains: one internal and one external. 4. Get a copy of PC anywhere corporate edition and set it up on the web server and the development server/workstation on the LAN. 5. Keep a copy of the website(s) on a server/ workstationon the LAN and perform all website updates on this server/ workstation, then when you are ready, upload all changes to the web server on the DMZ using PC anywhere. This setup keeps all outside stuff on the DMZ and all internal stuff on the LAN, and unless you set up a trust relationship between the domains, you have a pretty secure setup. medman
As to why? I have about 30 folks who work on webpages on my web server.
Making it part of the domain makes permission much easier. Perhaps that's why he might want it part of the domain. [quoted text, click to view] Roger Abell [MVP] wrote:
> "Rob Gordon" <Robert.Gordon@nospam.dslextreme.com> wrote in message > news:%23DwzO6xzGHA.4648@TK2MSFTNGP04.phx.gbl... >> I was planning on making the server a member of our internal Windows >> corporate AD domain. > > why? > >> Unless the more security minded approach is to make the server a stand >> alone, so that if it becomes compromised no further actions can be taken >> against the internal Windows AD domain. >> > > that is ipso facto more defensive. > but is there a need to do otherwise? i.e. Why? > >> I would be interested in hardening both IIS, and doing the most security >> minded method for keeping the internal domain safe as well. >> >> Regards, >> >> Rob Gordon >> >> >> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message >> news:OMJzEuwzGHA.4796@TK2MSFTNGP06.phx.gbl... >>> While what you outline is not uncommon, I would like to ask . . . >>> >>> You said >>>> I am planning on making the server a member of our corporate domain for >>>> access to it from internal, >>> What does that mean? >>> >>> You characterized content and lack of SSL need. This implies >>> access, even "from internal" could just as well be unauthenticated. >>> So, what does this mean? >>> >>> I often see admins make decisions that from one viewpoint are >>> avoidable exposures of the corp net/assets because from another >>> viewpoint the result would have operational/managerial simplicity >>> (at least on first examination) >>> >>> I am just checking whether your focus is guarding/hardening the >>> IIS system or guarding/hardening the corp domain. >>> >>> -- >>> Roger Abell >>> Microsoft MVP (Windows Server : Security) >>> >>> "Rob Gordon" <Robert.Gordon@nospam.dslextreme.com> wrote in message >>> news:eUMlg6vzGHA.4392@TK2MSFTNGP04.phx.gbl... >>>> I am planning on posting our public website on IIS running under Windows >>>> Server 2003 R2. Can anyone point me at any good sites or white papers >>>> for the best practices for securing the site for public access? I am >>>> planning on making the server a member of our corporate domain for access >>>> to it from internal, and only allowing monitored forwarded port 80 access >>> >from the public Internet to the site through our firewall. >>>> The website is only going to contain static pages and nothing >>>> confidential, so SSL won't be necessary. >>>> >>>> All recommendations are welcome. Thanks! >>>> >>> >> >
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |