Re: ZoneAlarm and IIS
From: Leythos (void_at_nowhere.com)
Date: 07/02/04
- Next message: Jeffrey Morse: "Sygate Pro 2577 upgrade installer corrupted?"
- Previous message: Barry: "Re: sonicwall pro 3060 / di-604"
- In reply to: Duane Arnold: "Re: ZoneAlarm and IIS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 01 Jul 2004 22:28:38 GMT
In article <Xns9519B1D7E8B20notmenotmecoml@204.127.199.17>,
notme@notme.com says...
> Leythos <void@nowhere.com> wrote in
> news:MPG.1b4e0bde2361c86698a710@news-server.columbus.rr.com:
>
> > In article <Xns9519755A0CD58notmenotmecoml@63.240.76.16>,
> > notme@notme.com says...
> >> As far as IIS and development, you cannot lock IIS down as you'll not
> >> be able to do Web development work. That IIS should not be exposed to
> >> the public.
> >
> > Duane, if I understand this, you are saying that you can't develop IIS
> > sites and still have IIS secure/locked down?
>
> > It's simply not true, with more than 100 IIS servers running across
> > the nation that I have access to, not one of them has ever been
> > compromised, all are secured/locked down, and all of them permit
> > developers to push new updates out to them.
>
> I am only saying this from my standpoint of a developer doing work in a
> home network environment. In order to get the MCSD .NET solutions which
> the portion I am training for at this time ASP.NET and VB.NET, I had to
> unlock IIS which I had previously locked down.
>
> I would expect the *public* WEB site server to be secured and locked down
> with absolutely no development work being done on it. The final Web
> solution that has been developed should be pushed to the *public* site
> server.
>
> I think in a development situation in a home networking environment and
> from my standpoint, IIS cannot be locked down and must be in a secure
> closed environment.
>
> What I am saying is that Web developers doing development work at home
> with a WEB server running should be in a secured and closed environment
> and any exposing of a Website development to the public should be
> pushed/uploaded to Web Hosting service provider not opening IIS to the
> public as most don't know how to secure IIS and the O/S properly and are
> getting *hacked* to death.
Duane, I set up a development center where every IIS server was exposed
to the internet on many IPs. The firewalls were set to forward each IP
to a select server (sometimes we had 10 IPs forwarded to 10 IPs on the
same server). In all that time, with the developers pushing out code,
and sometimes developing on the server, we never had one problem. We
also ran server-class AV software on every server.

Now, we did patch everything, never installed a site in the root install
location, locked down cmd.exe and many others, and we blocked all
foreign subnets (as many as we could identify).

Now, for the developer running IIS on his PC or a mock-server, unless he
knows enough to patch it, run AV software on it, and to only forward
80/443 to it, then, yes, he's going to get hacked.

I design networks, and I have many servers in my home, most of them
running IIS and exposed to my public IPs - most of them sit in my DMZ
(separate network), but none of them have been compromised, and I
develop on them all the time.
-- -- spamfree999@rrohio.com (Remove 999 to reply to me)