Re: Is this a security issue?
From: Charles Otstot (email@example.com)
From: "Charles Otstot" <firstname.lastname@example.org>
Date: Thu, 3 Oct 2002 16:51:06 -0400
I'm gonna take a SWAG and assume that you're a web developer...
Following that assumption, I'll give you my take on what I perceive as your
situation (and a possible solution)...
PWS wouldn't *inherently* pose any more risk than running full-blown IIS,
*HOWEVER* one of the key pieces of maintaining web services is *risk
Firewalling is a start, but is only part of the solution. Patches, file
permissions, user permissions and a host of other variables make up the rest
of the puzzle. Perhaps from the perspective of your IT group (admittedly
echoing what is often my own perspective), developers often create websites
and web applications without sufficient regard to security. I'm guessing
your IT group is likely charged with maintaining a secure environment and
unless they can control permissions, patches, etc. for PWS, they cannot
ensure that your system will *not* be hacked and used as a jump-off point to
attack other parts of the network. Obviously, such a scenario puts the IT
group in (at best) an awkward position.
Now, the possible solution I mentioned...
How would it be received if you asked the IT group to work *with* you to
provide an IIS server (as opposed to PWS on your desktop) to house and
maintain your development sites? Ask (and if it's billable, pay) IT to
maintain the server in accordance with their standards for maintaining
production systems (perhaps allowing you some additional rights so that you
can effectively work with your application without unduly burdening IT
resources). Ask to be present during any hardening and ask for a copy of
their hardening specifications so that you can design your websites in a
manner which will ensure that everything will work under the restrictions
(It's a lot easier to work with them in the beginning than to go back and
figure out why things stop working when you go to a production platform).
Allowing IT to maintain the server will give them assurance that the system
can be safely maintained on the network.
Using a server with full-blown IIS will give you assurance that the move
from development to production can go smoothly.
Obviously, this scenario only applies if you are a developer properly
charged with creating web-based applications for IIS. If this is not the
case, I will leave you with a final thought...
These days hackers go after anything that is connected to the network.
Machine class is pretty much irrelevant. Desktops often make good
jumping-off points, particularly if there's something there that appears out
of the ordinary. PWS would *certainly* fit as "out of the ordinary" in your
organization. If a hacker did get past the firewall, he/she might well see
your system as an easy target to place tools for further network
"Henry C" <email@example.com> wrote in message
> I am running Win NT (all patches/updates) desktop behind a firewall, with
> Novell as the LAN software. I was using the optional Personal Web server
> testing some ASP pages until the IT people (who see my group as
> informed us there were security problems using PWS.
> I am looking for an objective reason why running PWS would or would not
> compromise security. Is running PWS on a desktop behind a firewall a
> security risk? Why? Talk down to me as I am a little slow.
> My sense is that if a hacker was good enough to breach the firewall, he
> would be going after the servers and not wasting his/her talents with my