Re: Security risks when running IIS without static ip as localhost
From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 05/02/03
- Next message: Leslie Carruthers: "Re: Getting IIS 5 to parse SSI - security settings problem?"
- Previous message: Antknee: "Windows Authentication security"
- In reply to: Mark Lea: "Re: Security risks when running IIS without static ip as localhost"
- Next in thread: Jeff Cochran: "Re: Security risks when running IIS without static ip as localhost"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 2 May 2003 09:23:09 -0400
"Mark Lea" <anonymous@devdex.com> wrote in message
news:eevkLQBEDHA.432@TK2MSFTNGP12.phx.gbl...
>
> That is my point here, we do not want and we do not need anyone to
> access this web server, it is purely for developing asp pages which will
> be used at a later time via our Firm's intranet. Having worked in the
> capacity of a web developer for many years for a multitude of fortune
> 500 firms I have never been told by any network admin prior to my
> present job that running a web server in this capacity opens up the
> network to a security risk.
IMHO your current network admin is probably right and all the other network
admins at your previous employers were all wrong.
> I am just looking for some reassurance to
> that effect that I can convey to my IT Director and IT Manager who are
> relying on the verbal authority of one individual in the Firm who
> certainly has good intentions of keeping our network secured, however
> when security is incorrectly or unnecessarily implemented as I feel it
> is in this case it can cause a lot of problems for developers just
> trying to get the job done.
Wait a minute... if they are seeing vulnerabilities on your computer from a
remote network scan, then I would side with the people that are telling you
you need to secure your computer. [This would mean that IIS is NOT just
"running on localhost."] Many many security problems are caused or
exacerbated by people thinking they don't need to secure a computer because
it's just a workstation, just a test system with no real data, not visible
from the internet, etc. Code Red, Nimda and SQL Slammer were all disasters
for people not realizing they were running a server product like IIS or MSDE
or SQL on "just a workstation" or "just a test machine."
For example, one vector of compromise is someone receives, say, a worm email
and the attachment automatically launches on their computer. From there, it
looks for other vulnerable computers or servers on the network and finds
yours. Your machine is compromised and starts causing security and/or
network problems.
If something like this should happen, the possible repercussions include
your computer being used as a hop to compromise other computers on the
network that do have live data, sniffing passwords and data, your computer
being used to infect other computers on the internet, your computer eating
up all your company's internet bandwidth, etc. It can be a disaster. Even
if no data is leaked or damaged, you'll still have your hands full for a day
or a week investigating what did or did not happen and formatting and
reinstalling everything just in case something was done during the
compromise that you can't detect.
Plus, we're only talking about IIS. Running IIS as "localhost" does nothing
to secure the also serious vulnerabilities in Windows, your email reader,
web browser, and any other installed software.
If you're running IIS so that it only responds to requests from 127.0.0.1
e.g. the local computer, that's great for now, but someone could always
screw that up and open up the server in the future accidentally. It's
really not that hard to do baseline security on IIS, so it's wise to at
least do the minimum. Security compromises frequently happen when there is
1) an unsecured device using the default configuration plus 2) someone being
surprised by the compromise, thinking "I had no idea that this machine could
be compromised."
If you check your email on this computer, that can be a serious security
problem, especially if you don't have antivirus with the latest updates
always installed.
Also, you probably want your development machine to match the configuration
more or less of your production web server, so that there are no surprises
when you move an application over.
Last, I'm not so confident about whether you do have a tight firewall
configuration. Firewalls are very very often poorly configured, it takes
someone fairly in the know to do it right.
IMHO development machines absolutely ned to be secured, at least to a
minimum baseline level. But it's up to you and your company's security
needs, skills and workload.
- Next message: Leslie Carruthers: "Re: Getting IIS 5 to parse SSI - security settings problem?"
- Previous message: Antknee: "Windows Authentication security"
- In reply to: Mark Lea: "Re: Security risks when running IIS without static ip as localhost"
- Next in thread: Jeff Cochran: "Re: Security risks when running IIS without static ip as localhost"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
