Recommendations for securing IIS 6.0 as a public web server

Rob Gordon wrote:

I am planning on posting our public website on IIS running under Windows Server 2003 R2. Can anyone point me at any good sites or white papers for the best practices for securing the site for public access? I am planning on making the server a member of our corporate domain for access to it from internal, and only allowing monitored forwarded port 80 access from the public Internet to the site through our firewall.

The website is only going to contain static pages and nothing confidential, so SSL won't be necessary.

All recommendations are welcome. Thanks!

Roger Abell [MVP] wrote:

While what you outline is not uncommon, I would like to ask . . .
You said
> I am planning on making the server a member of our corporate domain for
> access to it from internal,

What does that mean?

You characterized content and lack of SSL need. This implies access, even "from internal", could just as well be unauthenticated. So, what does this mean?

I often see admins make decisions that from one viewpoint are avoidable exposures of the corp net/assets because from another viewpoint the result would have operational/managerial simplicity (at least on first examination).

I am just checking whether your focus is guarding/hardening the IIS system or guarding/hardening the corp domain.

--
Roger Abell
Microsoft MVP (Windows Server : Security)

Rob Gordon wrote:

I was planning on making the server a member of our internal Windows corporate AD domain. Unless the more security-minded approach is to make the server a stand-alone, so that if it becomes compromised no further actions can be taken against the internal Windows AD domain.

I would be interested in hardening both IIS, and doing the most security-minded method for keeping the internal domain safe as well.

Regards,

Rob Gordon
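The original post relies on "monitored" port 80 access to a site that serves nothing but static pages. That constraint makes monitoring unusually easy: any method other than GET or HEAD, and any request for a resource that is not a static file type, is a probe by definition. The following is an added example written for this thread, not code from any of the posters. It parses IIS 6.0 W3C extended log text (the sample entries are constructed, using the default `#Fields:` set; the field list is read from the header, so a different field selection still works) and reports the requests a static-only site should never see, grouped by source address. The allowed-extension list is an assumption and should be trimmed to what the site actually publishes.

```python
"""Flag requests that a static-only IIS site should never receive.

Constructed example for the thread above; not from the original posts.
Log lines are in IIS 6.0 W3C extended format (fields separated by single
spaces, embedded spaces replaced with '+', empty values shown as '-').
"""
import os
from collections import Counter

# Methods and file types a static site legitimately serves (assumption:
# narrow this to the extensions your content actually uses).
ALLOWED_METHODS = {"GET", "HEAD"}
ALLOWED_EXTENSIONS = {"", ".htm", ".html", ".css", ".js", ".gif", ".jpg",
                      ".jpeg", ".png", ".ico", ".txt", ".pdf"}

# Constructed sample log with the default IIS 6.0 W3C field selection.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-10-12 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-10-12 00:00:01 10.0.1.5 GET /index.htm - 80 - 203.0.113.9 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2006-10-12 00:00:02 10.0.1.5 GET /images/logo.gif - 80 - 203.0.113.9 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2006-10-12 00:00:05 10.0.1.5 POST /index.htm - 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+6.0) 405 0 0
2006-10-12 00:00:06 10.0.1.5 GET /scripts/admin.dll - 80 - 198.51.100.7 - 404 0 2
2006-10-12 00:00:07 10.0.1.5 PROPFIND / - 80 - 198.51.100.7 Microsoft-WebDAV-MiniRedir/5.1.2600 404 0 2
2006-10-12 00:00:09 10.0.1.5 GET /login.asp user=admin 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+6.0) 404 0 2
"""


def parse_w3c(text):
    """Return one dict per log entry, keyed by the names in the #Fields: header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                      # other directives carry no entries
        if fields is None:
            raise ValueError("log entry appears before a #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        records.append(dict(zip(fields, values)))
    return records


def classify(rec):
    """Return why a request is suspicious on a static-only site, or None."""
    method = rec["cs-method"].upper()
    if method not in ALLOWED_METHODS:
        return "non-static method %s" % method
    ext = os.path.splitext(rec["cs-uri-stem"])[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return "request for non-static resource (%s)" % (ext or "no extension")
    if int(rec["sc-status"]) >= 500:
        # A 5xx while serving flat files means something other than the
        # static handler ran; worth a look even if the request looked benign.
        return "server error %s serving static content" % rec["sc-status"]
    return None


def find_probes(text):
    """List (client ip, method, uri, reason) for every suspicious entry."""
    probes = []
    for rec in parse_w3c(text):
        reason = classify(rec)
        if reason:
            probes.append((rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"], reason))
    return probes


def top_sources(probes):
    """Count suspicious requests per client address."""
    return Counter(ip for ip, _, _, _ in probes)


if __name__ == "__main__":
    hits = find_probes(SAMPLE_LOG)
    for ip, method, uri, reason in hits:
        print("%-14s %-8s %-22s %s" % (ip, method, uri, reason))
    print("sources:", dict(top_sources(SAMPLE_LOG and hits)))
```

Run against the real files under `%SystemRoot%\system32\LogFiles\W3SVC1\` (the default location for the first site) after copying them off the DMZ host; a sudden cluster of non-GET methods or script-extension requests from one address is the signal the "monitored" forwarding in the original plan is meant to produce.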
Roger Abell [MVP] wrote:

> I was planning on making the server a member of our internal Windows
> corporate AD domain.

why?

> Unless the more security-minded approach is to make the server a stand-alone,
> so that if it becomes compromised no further actions can be taken
> against the internal Windows AD domain.

that is ipso facto more defensive.
but is there a need to do otherwise? i.e. Why?

Another poster wrote:

As to why? I have about 30 folks who work on webpages on my web server.
Making it part of the domain makes permissions much easier. Perhaps that's why he might want it part of the domain.

medman wrote:

Hi Rob:
Best practices are the following:

1. Get a firewall that allows you to set up a LAN (internal) and a DMZ (external).
2. Get at a minimum two boxes (servers): one for the outside on the DMZ serving the web pages, and one internal serving the corporate requirements on the LAN. You can get fancier by having two boxes on the DMZ, one with IIS serving the pages, and one holding the SQL databases. Your internal requirements/servers you already have/know.
3. Set up 2 domains: one internal and one external.
4. Get a copy of pcAnywhere corporate edition and set it up on the web server and the development server/workstation on the LAN.
5. Keep a copy of the website(s) on a server/workstation on the LAN and perform all website updates on this server/workstation, then when you are ready, upload all changes to the web server on the DMZ using pcAnywhere.

This setup keeps all outside stuff on the DMZ and all internal stuff on the LAN, and unless you set up a trust relationship between the domains, you have a pretty secure setup.

medman
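Roger's question ("why make it a domain member?") and medman's LAN/DMZ layout are the same point seen from two sides: joining the DMZ web server to the internal domain forces the firewall to let the DMZ host initiate directory traffic into the LAN, and that path is what a compromised web server would use. The following is an added example written for this thread, not code or configuration from any of the posters or from any particular firewall product. It models a three-zone policy as plain allow/deny rules and audits it for the two things the thread cares about: anything other than TCP/80 forwarded from the Internet, and anything the DMZ host may initiate toward the LAN or back out to the Internet. Zone names, the RDP management port, and both sample policies are assumptions; the directory port numbers are the standard ones a member server needs to reach a domain controller. The audit treats each allow rule on its own and ignores first-match ordering, which is deliberately conservative.

```python
"""Audit a WAN / DMZ / LAN firewall policy for a public static web host.

Constructed example for the thread above; not from the original posts.
Rules are evaluated individually (no first-match semantics), so any allow
that opens an unwanted path is reported even if a later deny would shadow it.
"""
from dataclasses import dataclass
from typing import List, Set, Union

WAN, DMZ, LAN = "WAN", "DMZ", "LAN"
ANY = "any"

# Ports a domain-joined member server must reach on its domain controllers:
# DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, kpasswd, global catalog.
# (The dynamic RPC range is also needed in practice; omitted here.)
AD_PORTS = {53, 88, 135, 389, 445, 464, 3268}


@dataclass(frozen=True)
class Rule:
    src: str                # source zone
    dst: str                # destination zone
    proto: str              # "tcp", "udp" or ANY
    port: Union[int, str]   # destination port, or ANY
    action: str             # "allow" or "deny"


def audit(rules: List[Rule], web_port: int = 80) -> List[str]:
    """Return a finding for every allow rule that widens the intended design."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.src == WAN:
            # Only the forwarded web port to the DMZ host should come in.
            if not (r.dst == DMZ and r.proto == "tcp" and r.port == web_port):
                findings.append("WAN -> %s %s/%s: only tcp/%d to the DMZ web host "
                                "should be forwarded" % (r.dst, r.proto, r.port, web_port))
        elif r.src == DMZ and r.dst == LAN:
            if r.port == ANY or r.port in AD_PORTS:
                findings.append("DMZ -> LAN %s/%s: directory/file-service port reachable "
                                "from the DMZ; a compromised web host can authenticate "
                                "against the internal domain" % (r.proto, r.port))
            else:
                findings.append("DMZ -> LAN %s/%s: DMZ hosts should not initiate "
                                "connections into the LAN" % (r.proto, r.port))
        elif r.src == DMZ and r.dst == WAN:
            # Outbound from the web host lets an intruder fetch tools or call home.
            findings.append("DMZ -> WAN %s/%s: web host should not initiate Internet "
                            "connections" % (r.proto, r.port))
    return findings


def domain_ports_open(rules: List[Rule]) -> Set[int]:
    """Directory ports the DMZ may reach in the LAN; non-empty means the web
    host can effectively behave as a domain member from the firewall's view."""
    opened = set()
    for r in rules:
        if r.action == "allow" and r.src == DMZ and r.dst == LAN:
            if r.port == ANY:
                return set(AD_PORTS)
            if r.port in AD_PORTS:
                opened.add(r.port)
    return opened


# Policy A (assumed): web host joined to the internal domain. These DMZ -> LAN
# rules are the minimum a member server needs to talk to a domain controller.
DOMAIN_JOINED = [
    Rule(WAN, DMZ, "tcp", 80, "allow"),
    Rule(LAN, DMZ, "tcp", 3389, "allow"),   # admin RDP from the LAN (assumption)
    Rule(DMZ, LAN, "udp", 53, "allow"),
    Rule(DMZ, LAN, "tcp", 88, "allow"),
    Rule(DMZ, LAN, "tcp", 135, "allow"),
    Rule(DMZ, LAN, "tcp", 389, "allow"),
    Rule(DMZ, LAN, "tcp", 445, "allow"),
    Rule(DMZ, LAN, ANY, ANY, "deny"),
]

# Policy B (assumed): stand-alone host in its own DMZ domain or workgroup,
# content pushed from a LAN workstation. Nothing initiated from the DMZ passes.
STANDALONE = [
    Rule(WAN, DMZ, "tcp", 80, "allow"),
    Rule(LAN, DMZ, "tcp", 3389, "allow"),
    Rule(DMZ, LAN, ANY, ANY, "deny"),
    Rule(DMZ, WAN, ANY, ANY, "deny"),
]


if __name__ == "__main__":
    for name, policy in (("domain-joined", DOMAIN_JOINED), ("stand-alone", STANDALONE)):
        print("%s: %d finding(s), directory ports open from DMZ: %s"
              % (name, len(audit(policy)), sorted(domain_ports_open(policy)) or "none"))
        for f in audit(policy):
            print("  -", f)
```

The domain-joined policy cannot pass the audit without disabling the checks, which is the practical answer to Roger's "why?": the convenience of domain permissions for the 30 content editors is paid for in DMZ-to-LAN rules, and medman's separate external domain (with no trust to the internal one) keeps those rules closed while still giving the editors a LAN-side staging copy to work on.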