Re: Securing IIS 6.0 & Windows 2003 Small Business Server

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 12/11/03


Date: Wed, 10 Dec 2003 23:22:04 -0800

Lots of choices, mostly depending on your configuration options on the
router that sits between your intranet and internet.

Most of the time, people want to keep the intranet machines private to the
outside world, so the router becomes "what the world sees as this website"
and the router has to be smart to route port 80 to one server and port 443
to another. Assuming this router also provides the same firewall services
to SBS, you're pretty much done on the second web server configuration using
IIS6 (since it installs in a locked down state) -- and any further
configuration of the web server is no different than standard IIS6 security
practices.

-- 
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Robert Waite" <bob2dev@tampabay.rr.com> wrote in message
news:%23%2333OVqvDHA.3116@TK2MSFTNGP11.phx.gbl...
Excellent reply.
How would you add/configure a second computer to what you describe in order
to host an external web site?
Robert Waite
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:OYCMyihuDHA.2444@TK2MSFTNGP12.phx.gbl...
> There is no lockdown tool for IIS6 because it comes locked-down by default,
> contrary to IIS5 on Windows 2000, which was wide-open.
>
> As far as securing IIS6 goes -- I did not see a lot to do.  By default, you
> get an intranet website (non-public facing) with Sharepoint installed, so no
> need to do anything about it (I wouldn't turn it facing outward, anyway).
> The external website hosts OWA and Remote Workplace, which I secured by
> doing:
> 1. Download IIS6 Resource Kit to obtain SelfSSL
> 2. Set up SSL on this external website using a self-signed certificate
> generated by SelfSSL
> 3. Turned off Anonymous auth everywhere on the external website (I know some
> of them lead to a double auth on Remote Workplace; I haven't gone through
> to "optimize" the experience yet)
> 4. Made the external website listen only on 443 and not on port 80
> 5. Installed the self-signed certs on all my client machines that I want to
> access this SSL site
>
> Voila.  I can now securely access my OWA and Remote Desktop over SSL without
> paying for any unnecessary SSL Certificates (and no IE warnings).  I then
> stashed this server behind a residential firewall that only forwards port
> 443 to this SBS server (you can optionally use Internet Connection Firewall
> on the external interface and just open port 443 on it for a similar
> effect).
>
> Encryption + Authentication gives you better Security.
>
> If you are talking about hosting an external website presence -- I would not
> do it on the SBS Server itself.  That machine is your Domain Controller
> (holds all user accounts), plus it's holding your email, and if it's SBS
> Premium, also your SQL Server.  Do you REALLY want to tie so many things
> together and increase the effects of any catastrophic failure?  I would
> rather host the external web presence on another server -- I've shown one
> way to really lock down the SBS server from the outside world such that only
> authorized users can get to it, encrypted and authenticated.  If I can
> prevent anonymous users from the internet from touching this server as a
> part of an external website, I would highly recommend it.
>
> --
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "Rob" <robzarko@comcast.net> wrote in message
> news:039601c3b916$303a1dc0$a301280a@phx.gbl...
> Are there any good articles on securing IIS 6.0 and
> Windows 2003 Small Business Server?  Please send if
> available.  I know that there was a lockdown tool for
> Windows 2000 but I don't see one for Windows 2003 IIS 6.0.
>
>

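As an added example, not from any of the posts in this thread: a small Python audit that reads an IIS 6 metabase export (MetaBase.xml) and checks each web site against the hardening David describes for the external OWA / Remote Web Workplace site: no plain-HTTP listener, an SSL binding on 443 with SSL required, and anonymous authentication switched off. The sample metabase fragment is constructed for this example, with one intranet-style default site and one hardened external site; the element, attribute and flag names (IIsWebServer, IIsWebVirtualDir, ServerBindings, SecureBindings, AuthFlags, AccessSSLFlags) follow the IIS 6 metabase schema as assumed here and should be checked against a real MetaBase.xml before relying on the script.

```python
"""Audit IIS 6 web sites for the hardening steps discussed in the thread.

Added example, not code from the original posts.  The element and attribute
names below are assumed to match the IIS 6 MetaBase.xml schema; the sample
document is constructed for this demonstration.
"""
import xml.etree.ElementTree as ET

# Default namespace used by IIS 6 MetaBase.xml (assumed here).
NS = "urn:microsoft-catalog:XML_Metabase_V64_0"

# Constructed sample: site 1 is the out-of-the-box intranet site, site 2 is
# an external site configured the way the thread recommends.
SAMPLE_METABASE = f"""<configuration xmlns="{NS}">
<MBProperty>
<IIsWebServer Location="/LM/W3SVC/1"
    ServerComment="Default Web Site (intranet)"
    ServerBindings=":80:"
/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT"
    AuthFlags="AuthAnonymous | AuthNTLM"
    AccessSSLFlags=""
/>
<IIsWebServer Location="/LM/W3SVC/2"
    ServerComment="External (OWA / Remote Web Workplace)"
    ServerBindings=""
    SecureBindings=":443:"
/>
<IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT"
    AuthFlags="AuthNTLM | AuthBasic"
    AccessSSLFlags="AccessSSL | AccessSSL128"
/>
</MBProperty>
</configuration>
"""


def _flags(value):
    """Split a metabase flag attribute such as "AuthAnonymous | AuthNTLM" into a set."""
    return {f.strip() for f in (value or "").split("|") if f.strip()}


def _bindings(value):
    """Split a multi-string binding attribute into individual ip:port:host entries."""
    return [b.strip() for b in (value or "").split() if b.strip()]


def audit_metabase(xml_text):
    """Return {site name: [issues]} for every IIsWebServer in the document.

    An empty issue list means the site has no HTTP listener, has an SSL
    binding, requires SSL on its root, and does not allow anonymous access.
    """
    root = ET.fromstring(xml_text)
    sites = {}
    for node in root.iter(f"{{{NS}}}IIsWebServer"):
        loc = node.get("Location")
        sites[loc] = {
            "name": node.get("ServerComment", loc),
            "http": _bindings(node.get("ServerBindings")),
            "https": _bindings(node.get("SecureBindings")),
            "auth": set(),
            "ssl": set(),
        }
    # Auth and SSL requirements live on the site's ROOT virtual directory.
    for node in root.iter(f"{{{NS}}}IIsWebVirtualDir"):
        loc = node.get("Location", "")
        for site_loc, site in sites.items():
            if loc == site_loc + "/ROOT":
                site["auth"] = _flags(node.get("AuthFlags"))
                site["ssl"] = _flags(node.get("AccessSSLFlags"))

    findings = {}
    for site in sites.values():
        issues = []
        if site["http"]:
            issues.append("listens on plain HTTP: " + ", ".join(site["http"]))
        if not site["https"]:
            issues.append("no SSL binding")
        if "AccessSSL" not in site["ssl"]:
            issues.append("SSL not required on root (AccessSSL missing)")
        if "AuthAnonymous" in site["auth"]:
            issues.append("anonymous authentication enabled")
        findings[site["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_metabase(SAMPLE_METABASE).items():
        status = "OK" if not issues else "; ".join(issues)
        print(f"{name}: {status}")
```

Run against a real export (iiscnfg.vbs /export, or a copy of %windir%\system32\inetsrv\MetaBase.xml), the intranet site is expected to show findings, since the thread leaves it internal-only anyway; the point is that the externally published site comes back clean.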
