Re: Is this a security issue?

From: Charles Otstot (saries@nc.rr.com)
Date: 10/03/02


From: "Charles Otstot" <saries@nc.rr.com>
Date: Thu, 3 Oct 2002 16:51:06 -0400


Henry,

I'm gonna take a SWAG and assume that you're a web developer...
Following that assumption, I'll give you my take on what I perceive as your
situation (and a possible solution)...

PWS wouldn't *inherently* pose any more risk than running full-blown IIS,
*HOWEVER* one of the key pieces of maintaining web services is *risk
management*.

Firewalling is a start, but is only part of the solution. Patches, file
permissions, user permissions and a host of other variables make up the rest
of the puzzle. Perhaps from the perspective of your IT group (admittedly
echoing what is often my own perspective), developers often create websites
and web applications without sufficient regard to security. I'm guessing
your IT group is likely charged with maintaining a secure environment and
unless they can control permissions, patches, etc. for PWS, they cannot
ensure that your system will *not* be hacked and used as a jump-off point to
attack other parts of the network. Obviously, such a scenario puts the IT
group in (at best) an awkward position.

Now, the possible solution I mentioned...

How would it be received if you asked the IT group to work *with* you to
provide an IIS server (as opposed to PWS on your desktop) to house and
maintain your development sites? Ask (and if it's billable, pay) IT to
maintain the server in accordance with their standards for maintaining
production systems (perhaps allowing you some additional rights so that you
can effectively work with your application without unduly burdening IT
resources). Ask to be present during any hardening and ask for a copy of
their hardening specifications so that you can design your websites in a
manner which will ensure that everything will work under the restrictions
(It's a lot easier to work with them in the beginning than to go back and
figure out why things stop working when you go to a production platform).

Allowing IT to maintain the server will give them assurance that the system
can be safely maintained on the network.
Using a server with full-blown IIS will give you assurance that the move
from development to production can go smoothly.

Obviously, this scenario only applies if you are a developer properly
charged with creating web-based applications for IIS. If this is not the
case, I will leave you with a final thought...
these days hackers go after anything that is connected to the network.
Machine class is pretty much irrelevant. Desktops often make good
jumping-off points, particularly if there's something there that appears out
of the ordinary. PWS would *certainly* fit as "out of the ordinary" in your
organization. If a hacker did get past the firewall, he/she might well see
your system as an easy target to place tools for further network
penetration.

Charlie

"Henry C" <hfclarius@comcast.net> wrote in message
news:ekUo3#waCHA.2556@tkmsftngp09...
> I am running Win NT (all patches/updates) desktop behind a firewall, with
> Novell as the LAN software. I was using the optional Personal Web server for
> testing some ASP pages until the IT people (who see my group as competition)
> informed us there were security problems using PWS.
> I am looking for an objective reason why running PWS would or would not
> compromise security. Is running PWS on a desktop behind a firewall a
> security risk? Why? Talk down to me as I am a little slow.
>
> My sense is that if a hacker was good enough to breach the firewall, he
> would be going after the servers and not wasting his/her talents with my
> desktop.
>
> Thanks.
>


