security newsgroups
Sharing between servers

Hi all, I need some information on setting up good security in my web infrastructure. I've got an IIS 6 DMZ server that hosts a web site. In this web site there's an ASP page that puts a file into a shared directory on a server that resides in my backend LAN. I created a user on the backend server named IUSR_MydmzWebServer to permit communication between the 2 servers. My question is: is there a more secure way to permit file transfer between a DMZ front-end server and a LAN back-end server? Maybe this is a stupid question, but actually I've got no idea about this. I only know that this isn't the right way. Sorry for my bad English, I hope you understand.

On 12/12/08 10:37 AM, in article 2648934E-7AE0-4B31-BDAC-DE7492493***@microsoft.com, "Markisha" <Marki***@discussions.microsoft.com> wrote:

> Hi all, I need some information on setting up good security in my web infrastructure.
> I've got an IIS 6 DMZ server that hosts a web site. In this web site there's an ASP page that puts a file into a shared directory on a server that resides in my backend LAN.
> I created a user on the backend server named IUSR_MydmzWebServer to permit communication between the 2 servers.
> My question is: is there a more secure way to permit file transfer between a DMZ front-end server and a LAN back-end server?
> Maybe this is a stupid question, but actually I've got no idea about this. I only know that this isn't the right way.
>
> Sorry for my bad English, I hope you understand.

Markisha,

This is all a matter of personal opinion (or paranoia...). Personally, I believe that if a server in your DMZ is able to access file shares in your secure LAN, you had to open several "Microsoft ports" in the firewall to do so (135-139, 445 and maybe more). If you do this, you're allowing some very, very dangerous traffic to go through the firewall, thus severely reducing its effectiveness. Even if you were to only create a conduit from the specific server in the DMZ to the specific server in the secure LAN, once a hacker gets through the secure server, he will be in your secure LAN... I would thus *never* allow our DMZ to have any kind of SMB/Active Directory access to the internal network.

There are many alternatives, even though they are more complex to implement. For example:

* Use (s)FTP to transfer the files from the DMZ to the secure LAN
* Schedule a job on the internal server on the LAN that *retrieves* files from the server in the DMZ (many DMZ configurations allow your internal LAN to have SMB access to the DMZ, but not vice versa)
* Use a database for your application to store binary data, not files.
* Use a file replication utility (e.g. SureSync) that will be able to retrieve files in the DMZ from your internal server in real time (a pull, not a push).

Hi Roberto (Hi, I'm Italian too.)

I completely agree with you and I share your kind of paranoia. I have this problem because I don't know how to teach this important security-related issue to my company's developer team! I've been trying for 3 years!!! They still continue to develop small programs that need to transfer any kind of file between the 2 servers (front-end/back-end)! Those "malefic" programs are needed for the correct working of our main web applications used by our customers!!! It's 80% of our business!!! I've already asked the developers to use the FTP way and also the SQL one, but with no success. Now I will check the SureSync utilities... I hope this could be a solution.

I think that the bigger problem is that our tools (running on the backend server) are monitoring specific folders on the frontend server for the presence of files. Those files are created by the customers when they work with our web apps, and they have different names depending on the service requested. Based on this naming convention the monitoring tool puts the file into a specified LAN folder for processing. At this point the backend apps create a PDF document (we sell special balance sheets, financial sector) that should be put into a special customer folder placed on the DMZ server, accessible through IIS to the customer. I think that this kind of monitoring could not be performed with the FTP protocol...
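The "pull, not push" design Roberto recommends, applied to the folder-monitoring workflow Markisha describes, as an added example that is not code from this thread or from any product named in it. The LAN-side poller initiates every transfer: it takes customer uploads out of a DMZ drop folder, routes them by naming convention into LAN processing folders, and later publishes the finished PDF into the customer's DMZ folder. The DMZ host never holds LAN credentials and no SMB port needs to be opened inbound. Everything below is assumed for the illustration: the DMZ drop folder is reachable from the LAN as a path (a share mounted in the LAN-to-DMZ direction, or a local mirror filled by an SFTP pull), uploads are named `<service>_<customerid>_<sequence>.<ext>`, and the service-to-folder map `ROUTES` is invented.

```python
"""Pull-model transfer between a DMZ web server and a LAN back end.

Added example, not code from the newsgroup thread. The LAN poller initiates
every transfer; the DMZ host has no LAN credentials. All names and the
upload naming convention are assumptions made for the illustration.
"""
import re
import shutil
import tempfile
from pathlib import Path

# Allow-list for upload names: <service>_<customerid>_<sequence>.<ext>.
# Anything else (odd characters, traversal attempts, unknown services)
# is quarantined instead of processed.
NAME_RE = re.compile(
    r"^(?P<service>[a-z]{2,16})_(?P<customer>\d{4,10})_(?P<seq>\d{1,8})\.(?P<ext>xml|csv|txt)$"
)
# service name -> LAN processing folder (assumed layout)
ROUTES = {"balance": "balance_in", "cashflow": "cashflow_in"}
MAX_BYTES = 10_000_000


def classify(filename: str):
    """Return the parsed name parts, or None if the name is not acceptable."""
    m = NAME_RE.fullmatch(filename)
    if m is None or m["service"] not in ROUTES:
        return None
    return m.groupdict()


def pull_once(dmz_drop: Path, lan_inbox: Path, quarantine: Path) -> dict:
    """One polling pass: move every file out of the DMZ drop folder."""
    report = {"routed": [], "quarantined": []}
    for entry in sorted(dmz_drop.iterdir()):
        # Plain files only: a compromised DMZ host could plant symlinks.
        if entry.is_symlink() or not entry.is_file():
            continue
        parts = classify(entry.name)
        if parts is None or entry.stat().st_size > MAX_BYTES:
            dest_dir = quarantine
            report["quarantined"].append(entry.name)
        else:
            dest_dir = lan_inbox / ROUTES[parts["service"]] / parts["customer"]
            report["routed"].append(entry.name)
        dest_dir.mkdir(parents=True, exist_ok=True)
        # Copy to a temp name, rename into place, then delete the DMZ copy,
        # so a consumer on the LAN never sees a half-written file.
        tmp = dest_dir / (entry.name + ".part")
        shutil.copyfile(entry, tmp)
        tmp.replace(dest_dir / entry.name)
        entry.unlink()
    return report


def publish_result(pdf: Path, dmz_customer_root: Path, customer: str) -> Path:
    """Push a finished PDF into the customer's DMZ folder (LAN -> DMZ only)."""
    if not re.fullmatch(r"\d{4,10}", customer) or pdf.suffix.lower() != ".pdf":
        raise ValueError("refusing to publish: bad customer id or file type")
    dest = dmz_customer_root / customer
    dest.mkdir(parents=True, exist_ok=True)
    tmp = dest / (pdf.name + ".part")
    shutil.copyfile(pdf, tmp)
    return tmp.replace(dest / pdf.name)


def demo() -> dict:
    """Run one pull pass over constructed sample uploads in a temp directory."""
    root = Path(tempfile.mkdtemp())
    dmz_drop, lan_inbox, quarantine = root / "dmz_drop", root / "lan", root / "quarantine"
    dmz_drop.mkdir()
    # Constructed sample input: two valid uploads, one unknown service,
    # one traversal-looking name, one disallowed extension.
    for name in ["balance_10001_1.xml", "cashflow_10001_2.csv",
                 "payroll_10001_3.xml", "..balance_10001_4.xml", "balance_10001_5.exe"]:
        (dmz_drop / name).write_text("constructed sample upload")
    report = pull_once(dmz_drop, lan_inbox, quarantine)
    # The back end "produces" a PDF and publishes it to the DMZ customer folder.
    pdf = lan_inbox / "balance_in" / "10001" / "report_1.pdf"
    pdf.write_bytes(b"%PDF-1.4 constructed sample")
    published = publish_result(pdf, root / "dmz_customers", "10001")
    report["published"] = published.relative_to(root).as_posix()
    report["dmz_drop_left"] = sorted(p.name for p in dmz_drop.iterdir())
    return report


if __name__ == "__main__":
    print(demo())
```

Run `pull_once` from a scheduled task on the LAN server (or loop it with a short sleep); because the LAN side does the reading, the only firewall rule needed is LAN-to-DMZ, and the strict filename allow-list means a compromised DMZ box can at most fill the quarantine folder, not choose where its files land on the LAN.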