Re: security at home running iis

From: Rob Hughes (not@this.com)
Date: 02/26/03


From: "Rob Hughes" <not@this.com>
Date: Wed, 26 Feb 2003 21:47:32 GMT


Follow-up question...

On the directory security tab, the frame for "IP address and domain name
restrictions" is disabled. Do you know why? (I should probably mention I'm not
using NTFS at this time. I know, I know...)

Thanks again for the tips. I ran the IIS lockdown tool and the MS security
analyzer gives me a passing grade now. (For whatever that's worth!)

"x y, mvp" <levinson_k@despammed.com> wrote in message
news:evbg0Xb3CHA.2332@TK2MSFTNGP10.phx.gbl...
> Check out www.iisfaq.com. Basically I would right-click on the web server
> root in the IIS MMC and in the tab for Security, set up an IP address
> restriction so that only permitted IP addresses can view the site. A
> firewall is another good idea to block this [briefly block anyone not having
> an approved IP address from addressing a packet to TCP port 80 on your web
> server... although a good firewall should be blocking a lot more than that
> anyways].
>
> I would still really consider hardening Windows and IIS on your computer
> fully using the URL below. An unhardened Windows computer, especially one
> running IIS with the default settings, can be hacked 15 minutes after being
> put on the internet. There are plenty of posts here from people who thought
> they didn't need to harden a computer because it was just a test server, but
> then something really bad happened that sapped all their internet bandwidth,
> prevented them from being able to log into the computer, etc. etc.
>
> http://securityadmin.info/faq.htm#harden
>
>
> "Rob Hughes" <not@this.com> wrote in message
> news:Kl57a.51890$If5.2638113@twister.southeast.rr.com...
> > Hello, I'm doing some web development at home and I have IIS setup (Win2K)
> > to test my sites. How can I set up IIS so that I can browse the sites
> > locally but no one can get in from the outside? (I'm on a cable modem.)
> >
> > Thanks.
> >
> >
>
>
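
The IP address restriction described in the quoted reply is an allow list with a default of deny. A small model of that decision follows, as an added example that is not part of the original thread and is not IIS code; the class and function names, the sample addresses, and the assumption that 192.168.1.10 is the server's own address on a 192.168.1.0/255.255.255.0 home LAN are all constructed for illustration.

```python
import ipaddress

class IpRestriction:
    """Model of an allow/deny list keyed on the request's source address."""

    def __init__(self, default_grant=False):
        # default_grant=False: everyone is denied except the listed entries.
        self.default_grant = default_grant
        self.entries = []

    def add_single(self, address):
        self.entries.append(ipaddress.ip_network(address))

    def add_group(self, network_id, subnet_mask):
        # Raises ValueError if network_id has host bits set for this mask.
        self.entries.append(ipaddress.ip_network(f"{network_id}/{subnet_mask}"))

    def allows(self, source):
        addr = ipaddress.ip_address(source)
        listed = any(addr in net for net in self.entries)
        # A listed address gets the opposite of the default.
        return listed != self.default_grant

# Constructed sample requests: (source address, what the client was doing).
REQUESTS = [
    ("127.0.0.1", "browser on the server, http://localhost/"),
    ("192.168.1.10", "browser on the server, http://<machine name>/"),
    ("192.168.1.23", "another PC on the home LAN"),
    ("203.0.113.7", "host on the internet"),
]

def evaluate(policy):
    return {src: policy.allows(src) for src, _ in REQUESTS}

def loopback_only():
    p = IpRestriction()
    p.add_single("127.0.0.1")
    return p

def loopback_and_lan():
    p = loopback_only()
    p.add_group("192.168.1.0", "255.255.255.0")
    return p

if __name__ == "__main__":
    for name, policy in [("loopback only", loopback_only()),
                         ("loopback + LAN", loopback_and_lan())]:
        for (src, what), ok in zip(REQUESTS, evaluate(policy).values()):
            print(f"{name:15} {src:14} {'GRANT' if ok else 'DENY':5} {what}")
```

With only 127.0.0.1 listed, a request the server makes to its own LAN address is denied as well, because the source address of that request is the LAN address rather than loopback.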


