Re: Moving webserver inside firewall
From: Karl Westerholm [MS] (karlwestonline@microsoft.com)
Date: 07/06/02
- Next message: Karl Westerholm [MS]: "RE: Multiple entries of the same user under "Current Sessions""
- Previous message: Karl Westerholm [MS]: "Re: unwanted pw prompt downloading files"
- In reply to: x y: "Re: Moving webserver inside firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: karlwestonline@microsoft.com (Karl Westerholm [MS]) Date: Fri, 05 Jul 2002 23:21:26 GMT
Greetings,
The steps suggested in the earlier response all seem to be good ones.
As has been mentioned previously, the only way to 100% guarantee a
machine has not been compromised is to reformat it from scratch (from known
clean, i.e. original CD media) and then follow the installation with all
current OS/Product Service Packs, security patches, security tools, virus
scans, and finally the restoration of data.
At least, in the case of FrontPage webs, one can simply import the webs
desired into a FP client & then republish them to a newly-built & hardened
server.
As far as best practices generally, I would definitely recommend
detailed examination of our http://www.microsoft.com/security site. You
will find info on all aspects of security, links to all known
vulnerabilities (as well as links to patches to fix them) along with
articles/whitepapers/tools/etc.
Here are a few more targeted links for you:
IIS Security in general:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bestprac/mcswebbp.asp
IIS Security Checklist (very specific):
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/chklist/iis5chk.asp
IIS Lockdown tool + URLScan (highly recommended):
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=33961
Baseline Security Analyzer (Wizard to check existing patch level + security):
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp
Regards,
-->Karl
“Please do not send email directly to this alias. This is our online
account name for newsgroup participation only.”
This posting is provided “AS IS” with no warranties, and confers no rights.
You assume all risk for your use. © 2001 Microsoft Corporation. All rights
reserved.
--------------------
| From: "x y" <jamescagney90210@excite.com>
| References: <1462701c221c4$58e9f730$9be62ecf@tkmsftngxa03>
| Subject: Re: Moving webserver inside firewall
| Date: Tue, 2 Jul 2002 13:49:05 -0400
| Lines: 69
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 5.00.2919.6700
| X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
| Message-ID: <uri77LfICHA.2472@tkmsftngp11>
| Newsgroups: microsoft.public.inetserver.iis.security
| NNTP-Posting-Host: 67.201.184.142
| Path: cpmsftngxa07!tkmsftngp01!tkmsftngp11
| Xref: cpmsftngxa07 microsoft.public.inetserver.iis.security:8150
| X-Tomcat-NG: microsoft.public.inetserver.iis.security
|
| I think inside the firewall is the best place for most any server. I would
| have some concern that the machine may already be compromised since it has
| been outside your firewall. If it is compromised, bringing it inside may
| put your internal machines at risk, unless maybe you use a DMZ such as a
| second firewall or a third interface in your firewall to create an isolated
| network.
|
| The only way to be 100% sure the web server is not compromised is to format
| and reinstall Windows, or build a replacement server. If that does not work
| for you, you could read the book Incident Response and maybe Hacking Exposed
| 3rd Edition to see some ways you might try to check for obvious signs
| [though this is not foolproof]. Installing a personal firewall such as
| Sygate [free for noncommercial use] on the web server is another inexpensive
| way to attempt to see if the machine is compromised.
|
| Definitely be sure you have secured Windows and IIS on the server using the
| steps at www.microsoft.com/security including IISlockdown with URLscan,
| installing all security patches, etc. Note that these steps do not
| necessarily secure a machine that has already been compromised.
|
| If security is important and you don't have all the security answers
| yourself or the means to find them, a consultant you can trust is a good
| idea.
|
| SSL is useful for protecting data flow across the internet from being
| captured and read [most notably passwords, if users are forced to log in].
| For outside users to log in, it is common to use basic authentication [which
| passes the passwords as easily readable text] as Windows integrated
| authentication has issues with firewalls and non-Microsoft clients. If
| you're concerned about that, it may be a way to go, but it either costs
| money or takes some effort to install. www.iisfaq.com/ssl will answer some
| questions. Another alternative is to use your firewall as a VPN server [if
| it has that capability] and have outside users VPN into your firewall to
| access your internal network with an encrypted connection, assuming you
| trust your outside users this much.
|
| Once the web server is inside the firewall, you open up ports, especially TCP
| port 80 and 443 for SSL, from the internet to the internal web server to
| allow access. If the web server authenticates users using a server that is
| outside the firewall [which is not the usual setup], you may need to open
| more ports or move your authentication server.
|
| I'm probably leaving a lot of stuff out. Also consider antivirus on the
| server such as Norton that is set to download updates every day, and a file
| checking software such as LANguard file integrity checker from www.gfi.com
| which is free.
|
| "Mike Halverson" <mhalverson@owatonna.k12.mn.us> wrote in message
| news:1462701c221c4$58e9f730$9be62ecf@tkmsftngxa03...
| > Good Morning
| >
| > I would like suggestions on an issue. I have a web server
| > in a school district outside the firewall currently. I
| > only have about 6 users publishing FrontPage webs to it.
| > Those users are all built separately on the outside web
| > server. That web server is not part of our internal
| > domain.
| >
| > I am trying to figure out if it is safe to bring the
| > outside web server inside? And if it is safe what other
| > security measures should I be taking (SSL?). Should I
| > keep it outside the firewall? And if I keep it outside,
| > how can I connect inside so I am not having to rebuild
| > users' permissions and usernames on each side?
| >
| > Thanks
| >
|
|
|
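Both replies above touch on file integrity checking: x y names the LANguard file integrity checker, and Karl's advice to rebuild from known-clean media is exactly the moment at which to record a baseline of the web root. As an added example, not code from this thread or from any Microsoft or GFI tool, the Python script below hashes every file under a web root, stores the hashes as a baseline that should be kept off the server, and on a later scan reports which files were added, removed or modified. The directory layout and file contents in `demo()` are constructed for the demonstration.

```python
"""Minimal file-integrity checker: baseline a directory tree of hashes,
then re-scan and report added, removed and modified files.

Added example, not code from the newsgroup thread or from any Microsoft or
GFI product. All paths and sample files below are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def save_baseline(baseline, path):
    """Write the baseline as JSON. Keep this copy off the web server
    (read-only media or another host) so a later intruder cannot adjust it."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    """Read a baseline written by save_baseline()."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def compare_baselines(old, new):
    """Return sorted lists of files added, removed or changed since the baseline."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(k for k in old_keys & new_keys if old[k] != new[k]),
    }


def demo():
    """Constructed scenario: baseline a fake web root, then change it and rescan."""
    with tempfile.TemporaryDirectory() as root:
        webroot = os.path.join(root, "wwwroot")
        os.makedirs(os.path.join(webroot, "scripts"))
        with open(os.path.join(webroot, "default.htm"), "w") as fh:
            fh.write("<html>hello</html>")
        with open(os.path.join(webroot, "scripts", "login.asp"), "w") as fh:
            fh.write("<% ' original %>")
        with open(os.path.join(webroot, "readme.txt"), "w") as fh:
            fh.write("notes")

        # Baseline taken right after a clean build; stored outside the web root.
        baseline_path = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(webroot), baseline_path)

        # Simulate what a later scan might find: one page changed, one file
        # that nobody published appearing in scripts/, one file deleted.
        with open(os.path.join(webroot, "default.htm"), "w") as fh:
            fh.write("<html>changed</html>")
        with open(os.path.join(webroot, "scripts", "new.asp"), "w") as fh:
            fh.write("<% ' unexpected %>")
        os.remove(os.path.join(webroot, "readme.txt"))

        return compare_baselines(load_baseline(baseline_path), build_baseline(webroot))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

Run on a real server you would point `build_baseline()` at the web root and any directories IIS executes from, save the baseline somewhere the server itself cannot write, and schedule the compare; a non-empty `added` or `modified` list under a scripts directory that no FrontPage author has touched is the kind of "obvious sign" the posters describe.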