RE: Running IIS locally - advice?

From: Patrick Andry (pandry@wolverinefreight.ca)
Date: 10/01/01


Message-ID: <905B0AED03EFD411BB60000629A8D28905D444@wfsnt.wolverinefreight.ca>
From: Patrick Andry <pandry@wolverinefreight.ca>
To: focus-ms@securityfocus.com
Subject: RE: Running IIS locally - advice?
Date: Mon, 1 Oct 2001 16:41:18 -0400 

I would be hesitant to deploy such an architecture. I know it seems easy,
but you are essentially giving up control of your network. Only you should
decide what services and where they are run, and all it takes is one guy to
use his laptop as a home PC to bring down your network. I had a PC that was
brought from an employee's house into the office and hooked into our
network, and it took me 3 days to clean out the virus infestation, remove
the games from the PCs, delete the apps that burrowed into the systems, and
respond to all the e-mail from irate sysadmins. Although none of my users
were significantly affected, their e-mail boxes were full, the network
slowed to a tenth of the speed, and my servers complained because of all of
the stress.

We had a very similar choice, and chose a VPN solution to handle the road
warriors, anything that could be put into an access database was, and they
had to call into the office and have everyone else look up info they
couldn't get to. It is more of a headache for them, but it is less of a
headache for me. If the salesmen want to plug a laptop in, I give it a
quick scan, update all the virus definitions (these guys can go for a month
without having to connect), and make sure that they aren't abusing the
equipment too badly. Users are a lot more responsible if you peek at what
they do every so often.

I don't know exactly how big your IT department is, or how centrally
located, but seriously consider other alternatives. Sometimes it's best to
go out and buy a package to do what you need, even if you can create one
yourself.

-----Original Message-----
From: Majid Almassari [mailto:majid@networkingmedia.org]
Sent: Monday, October 01, 2001 1:47 PM
To: dayseizer@excite.com; focus-ms@securityfocus.com
Subject: RE: Running IIS locally - advice?

Dazed,
you bring up a very good point. You've got to bring your whole security policy
into light. For example, what are your ingress firewall rules? Can they hit
port 80? Spoofing is not the issue if they can go right through your
firewall! Let's say you installed a personal firewall, then why would you want to use
a web server that can only be accessed from the local machine?

Majid Almassari


