RE: Options for securing a Public Webserver and Private Intranet on same server.

From: Andrew van der Stock (ajv@e-secure.com.au)
Date: 08/28/01


From: "Andrew van der Stock" <ajv@e-secure.com.au>
To: <Jonathon.Kalaugher@sbg-ap.com>
Subject: RE: Options for securing a Public Webserver and Private Intranet on same server.
Date: Tue, 28 Aug 2001 11:54:54 +1000
Message-ID: <GLEMLPDJLNNLKLDLMOJEAEAJCCAA.ajv@e-secure.com.au>


First off, you don't state what the value of the Intranet server is. What is
the impact if people from the Internet can see it? What if they change it?
You should try to answer these questions, as it will reflect what path you
choose when it comes to securing the server.

IIS has a long and colorful exploit history, and I don't see this abating
any time soon. If IIS exploits were few and far between, I would recommend
using the virtual hosts feature (using different IP addresses rather than
host headers), and allowing the firewall to restrict access based upon IP
address. However, IIS exploits of significant severity happen with regular
monotony, so I would suggest a separate server for both functions, and
moving the Intranet server either to a separate internal "servers" zone, or
just to your internal network, depending on your network architecture and
business requirements. If it's in your Internal network, you can enforce NT
login rather than use basic digest (urgh).

In any case, you must keep your IIS servers up to date (within days of patch
release, maximum) or you will suffer server compromise.

good luck!

Andrew van der Stock, MCSE, Senior Security Architect, e-Secure Pty Ltd
"Secure in a Networked World"
Suite 302, 370 St Kilda Rd, Melbourne Victoria Australia
ACN 068 798 194
Phone: (03) 9699 7088 Fax: (03) 9699 7066 Mobile: 0412 532 963
Email: ajv@e-secure.com.au http://www.e-secure.com.au
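To make the difference between the two firewall designs in the reply above concrete, here is an added illustration (not code from the list post or from e-Secure) that models a first-match packet filter and evaluates the "allow all on 80/443 to the shared address" policy beside the "one IP per virtual host, intranet address reachable only from inside" policy. All addresses are constructed (RFC 5737 documentation ranges for the public side, an assumed 10.0.0.0/8 for the internal network); the rule format is a simplified model, not any vendor's syntax.

```python
"""Model of the two firewall policies discussed in the reply: a single
shared address with 'allow all on 80/443' versus the split design (one IP
address per virtual host, intranet address reachable only from internal
ranges). Addresses and rule sets are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # CIDR the source address must fall in
    dst: str             # CIDR the destination address must fall in
    ports: frozenset     # destination TCP ports the rule covers


def evaluate(rules, src_ip, dst_ip, dst_port):
    """First matching rule wins; nothing matched means deny, as most packet filters do."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if src in ip_network(r.src) and dst in ip_network(r.dst) and dst_port in r.ports:
            return r.action == "allow"
    return False


WEB_PORTS = frozenset({80, 443})
INTERNAL = "10.0.0.0/8"        # assumed internal client range
PUBLIC_WWW = "203.0.113.10"    # constructed: address of the public website
INTRANET = "203.0.113.11"      # constructed: second address used by the intranet virtual host

# Policy A: both sites on one server behind one address, "full public access over port 80/443".
SHARED = [Rule("allow", "0.0.0.0/0", PUBLIC_WWW + "/32", WEB_PORTS)]

# Policy B: virtual hosts on distinct addresses; only internal sources may reach the intranet one.
SPLIT = [
    Rule("allow", "0.0.0.0/0", PUBLIC_WWW + "/32", WEB_PORTS),
    Rule("allow", INTERNAL, INTRANET + "/32", WEB_PORTS),
    Rule("deny", "0.0.0.0/0", INTRANET + "/32", WEB_PORTS),
]


def intranet_reachable_from_internet(rules, intranet_ip, probe="198.51.100.7"):
    """True if an arbitrary Internet source (constructed probe address) can open 80 or 443
    to the address the intranet is served on."""
    return any(evaluate(rules, probe, intranet_ip, p) for p in WEB_PORTS)


if __name__ == "__main__":
    # Under Policy A the intranet shares the public address, so the public allow rule is also
    # an allow rule for the intranet: True.
    print("shared address, intranet exposed:", intranet_reachable_from_internet(SHARED, PUBLIC_WWW))
    # Under Policy B the intranet address only answers internal sources: False.
    print("split address, intranet exposed:", intranet_reachable_from_internet(SPLIT, INTRANET))
    print("internal client to intranet:", evaluate(SPLIT, "10.1.2.3", INTRANET, 80))
```

The check shows what the firewall can and cannot do here: Policy B keeps Internet traffic off the intranet address, but both virtual hosts still run in the same IIS process on the same box, so a server-level compromise through the public site is not stopped by any address-based rule. That is the reason the reply recommends a separate server rather than relying on virtual hosts alone.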

-----Original Message-----
From: Jonathon.Kalaugher@sbg-ap.com
[mailto:Jonathon.Kalaugher@sbg-ap.com]
Sent: Tuesday, 28 August 2001 06:45
To: focus-ms@securityfocus.com
Subject: Options for securing a Public Webserver and Private Intranet on
same server.

Hello List,

Background:

Public Website and private Intranet running on same server behind a FW.

The Intranet is accessed via IIS/windows authentication with a "full public
access over port 80" rule on the Firewall to the server in question.

The users access the public website and enter authentication upon hitting
the corporate logon area/box to access the Intranet.

We are considering the following steps...

1) Separate both onto separate servers and DMZ's
2) Still Allow full public access to both servers over ports 80/443.

Question.

1) What are the implications of having both the Website and Intranet
residing on the same server? Does the "allow all on ports 80/4443" to the
public website expose the Intranet (on the same server) to any extra
security risks?

2) Would moving the Intranet to a separate server (still accessible to
the public over port 80/443) and only allowing authenticated access to the
application stop (or somehow hinder) it being vulnerable from any IIS
exploits?

i.e. Would the authentication prompt for Intranet access block any
unauthorised access to the underlying IIS / Intranet, as a user is prompted
for sign on before having access to the site?

Or is it secure to have both the Website and Intranet running on the same
server if certain steps are taken first, as the goal is to maximise security
of the Intranet.

Thanking you all heaps in advance for any feedback at all.

JK.
