Re: Secruing IIS 6.0 & Windows 2003 Small Business Server
From: Robert Waite (bob2dev_at_tampabay.rr.com)
Date: 12/09/03
- Next message: Gordon Fecyk: "Re: SSL Certificate Installation error"
- Previous message: Christopher Haun: "RE: 401.3 IIS error"
- In reply to: David Wang [Msft]: "Re: Secruing IIS 6.0 & Windows 2003 Small Business Server"
- Next in thread: David Wang [Msft]: "Re: Secruing IIS 6.0 & Windows 2003 Small Business Server"
- Reply: David Wang [Msft]: "Re: Secruing IIS 6.0 & Windows 2003 Small Business Server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 9 Dec 2003 17:41:03 -0500
Excellent reply.
How would you add/configure a second computer to what you describe in order
to host an external web site?
Robert Waite
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:OYCMyihuDHA.2444@TK2MSFTNGP12.phx.gbl...
> There is no lockdown tool for IIS6 because it comes locked-down by default,
> contrary to IIS5 on Windows 2000, which was wide-open.
>
> As far as securing IIS6 goes -- I did not see a lot to do. By default, you
> get an intranet website (non-public facing) with Sharepoint installed, so no
> need to do anything about it (I wouldn't turn it facing outward, anyway).
> The external website hosts OWA and Remote Workplace, which I secured by
> doing:
> 1. Download IIS6 Resource Kit to obtain SelfSSL
> 2. Set up SSL on this external website using a self-signed certificate
> generated by SelfSSL
> 3. Turned off Anonymous auth everywhere on the external website (I know some
> of them lead to a double auth on Remote Workplace; I haven't gone through
> to "optimize" the experience yet)
> 4. Made the external website listen only on 443 and not on port 80
> 5. Installed the self-signed certs on all my client machines that I want to
> access this SSL site
>
> Voila. I can now securely access my OWA and Remote Desktop over SSL without
> paying for any unnecessary SSL Certificates (and no IE warnings). I then
> stashed this server behind a residential firewall that only forwards port
> 443 to this SBS server (you can optionally use Internet Connection Firewall
> on the external interface and just open port 443 on it for a similar
> effect).
>
> Encryption + Authentication gives you better Security.
>
> If you are talking about hosting an external website presence -- I would not
> do it on the SBS Server itself. That machine is your Domain Controller
> (holds all user accounts), plus it's holding your email, and if it's SBS
> Premium, also your SQL Server. Do you REALLY want to tie so many things
> together and increase the effects of any catastrophic failure? I would
> rather host the external web presence on another server -- I've shown one
> way to really lock down the SBS server from the outside world such that only
> authorized users can get to it, encrypted and authenticated. If I can
> prevent anonymous users from the internet from touching this server as a
> part of an external website, I would highly recommend it.
>
> --
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "Rob" <robzarko@comcast.net> wrote in message
> news:039601c3b916$303a1dc0$a301280a@phx.gbl...
> Are there any good articles on securing IIS 6.0 and
> Windows 2003 Small Business Server? Please send if
> available. I know that there was a lockdown tool for
> Windows 2000 but I don't see one for Windows 2003 IIS 6.0.
>
>
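A way to check the lockdown David Wang describes from a machine outside the firewall, added here as an example that is not part of the thread: it confirms port 80 is closed, compares the self-signed certificate's SHA-256 fingerprint with one recorded when the certificate was generated, and expects a 401 for requests sent without credentials. The host name, pinned fingerprint and URL paths are assumptions supplied by the caller.

```python
import hashlib
import http.client
import socket
import ssl

def port_open(host, port, timeout=3.0):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered or timed out
        return False

def _ctx():
    # Self-signed cert: skip chain validation, pin the fingerprint instead.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def cert_sha256(host, port=443, timeout=3.0):
    """SHA-256 hex fingerprint of the certificate the server presents."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with _ctx().wrap_socket(raw, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def anonymous_status(host, path, port=443, timeout=3.0):
    """HTTP status for a request sent without credentials."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=_ctx())
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    finally:
        conn.close()

def findings(port80_open, fingerprint, pinned, statuses):
    """Deviations from the post's posture: 443 only, known cert, no anonymous access."""
    out = ["port 80 is reachable; expected 443 only"] if port80_open else []
    if fingerprint.lower() != pinned.lower():
        out.append("certificate fingerprint differs from the pinned value")
    out += [f"{p} returned {s} without credentials; expected 401"
            for p, s in sorted(statuses.items()) if s != 401]
    return out

def audit(host, pinned, paths):
    """Probe host (caller-supplied, like pinned and paths); empty list = matches."""
    try:
        return findings(port_open(host, 80), cert_sha256(host), pinned,
                        {p: anonymous_status(host, p) for p in paths})
    except OSError as exc:  # port 443 closed, or TLS handshake refused
        return [f"HTTPS probe failed: {exc}"]
```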