RE: Options for securing a Public Webserver and Private Intranet on same server.

From: "Chris Eidem" <jceidem@dexma.com>
To: <focus-ms@securityfocus.com>
Date: Tue, 28 Aug 2001 08:49:47 -0500
Message-ID: <B83445050D0D6B4BAD2801F1585F9D6E036ABF@xmail1.Dexma.com>

Jonathon:

> Public Website and private Intranet running on same server
> behind a FW.

Generally a bad idea. If you don't want to give the public the
possibility of seeing the intranet site, don't put it on a publicly
accessible website.

>

... snippage ...

> Question.
>
> 1) What are the implications of having both the Website and Intranet
> residing on the same server? Does the "allow all on ports 80/443" to the
> public website expose the Intranet (on the same server) to any extra
> security risks?
>

If someone gets to the server, they have access to all the files on it,
so password authentication of any sort is useless at that point. If you
have stuff you don't want the public to see, put it on a private
network.

> 2) Would moving the Intranet to a separate server (still accessible to
> the public over port 80/443) and only allowing authenticated access to the
> application stop (or somehow hinder) it being vulnerable from any IIS
> exploits?
>
> i.e. Would the authentication prompt for Intranet access block any
> unauthorised access to the underlying IIS / Intranet, as a user is prompted
> for sign on before having access to the site?
>

Code Red didn't ask for permission to wipe its feet on idq.dll.
Permissions don't help when the OS is insecure. Put your intranet stuff
on the inside.

> Or is it secure to have both the Website and Intranet running on the same
> server if certain steps are taken first, as the goal is to maximise security
> of the Intranet.
>

Keep the private things on private networks. Get the hint? Imagine how
it would look if someone used the next IIS weakness (and it's coming,
they always do...) to get to your business plans, internal phone
numbers, financials, whatever. This is one of the first things you
should think about: don't put your Quicken files on a computer where
there is a real (non-RFC 1918) IP, where there is no firewall or where
there is Outlook access. Lock it up out of sight and out of reach.

Sorry to be redundant, but this is a lesson *few* seem to get the first
time...

Chris
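As an added illustration of the rule Chris states above (keep intranet content on RFC 1918 addresses, and never on the same host as a public site), here is a small inventory audit in Python. It is example code written for this page, not something from the original post or from the Focus-Microsoft list; the inventory format (a `Site` record with a name, host, listen address and a public/private flag) and the sample entries are constructed for the example. It checks the two things the reply argues about: a private site listening on a non-RFC 1918 address, and a private site co-hosted with a public one, where a server compromise exposes every file regardless of authentication.

```python
"""Inventory audit: flag intranet sites that are reachable from, or
co-hosted with, the public web.  Added example, not from the original post.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The three RFC 1918 private ranges, spelled out explicitly rather than
# using ipaddress.is_private, which also matches loopback, link-local and
# 100.64.0.0/10 and would hide a mis-assigned address.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    """True only for IPv4 addresses inside 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Site:
    name: str     # vhost or application name (assumed inventory field)
    host: str     # server the vhost runs on (assumed inventory field)
    ip: str       # address the vhost listens on
    public: bool  # intended to be reachable from the Internet?


def audit(sites: List[Site]) -> List[Tuple[str, str]]:
    """Return (site, finding) pairs for every private site that violates
    the 'private things on private networks' rule."""
    by_host: Dict[str, List[Site]] = {}
    for s in sites:
        by_host.setdefault(s.host, []).append(s)

    findings: List[Tuple[str, str]] = []
    for s in sites:
        if s.public:
            continue
        if not is_rfc1918(s.ip):
            findings.append((s.name, f"listens on non-RFC 1918 address {s.ip}"))
        # Authentication on the private vhost does not help here: whoever owns
        # the box through the public vhost reads the private site's files too.
        cohosted = [o.name for o in by_host[s.host] if o.public]
        if cohosted:
            findings.append(
                (s.name, f"shares host {s.host} with public site(s): "
                         + ", ".join(cohosted)))
    return findings


# Constructed sample inventory (hostnames and addresses are made up;
# 203.0.113.0/24 is a documentation range, used here as a 'public' IP).
SAMPLE_SITES = [
    Site("www", "web1", "203.0.113.10", public=True),
    Site("intranet", "web1", "203.0.113.10", public=False),  # both problems
    Site("hr", "int1", "10.1.2.3", public=False),            # fine
    Site("wiki", "int2", "192.168.5.5", public=False),       # fine
]

if __name__ == "__main__":
    for name, why in audit(SAMPLE_SITES):
        print(f"{name}: {why}")
```

Running the script prints two findings, both for `intranet`: it listens on a public address and it shares `web1` with `www`. The `hr` and `wiki` entries pass because they sit on RFC 1918 addresses on hosts with no public vhost. Treat the inventory as the input you actually have (vhost configs, firewall NAT tables, an asset database); the check itself is deliberately simple because the underlying rule is.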
