Re: Configure IIS Server security

From: Miha Pihler [MVP] (mihap-news_at_atlantis.si)
Date: 11/04/05


Date: Fri, 4 Nov 2005 22:23:59 +0100

I don't think step 8 is very smart if you want a really secure setup.

If somehow I get access to the server (e.g. a bug in the application running
on your server), I get free access to your LAN. The correct setup would be
one NIC (or even two NICs), but none of them directly connected to the LAN. The NIC
should only connect to the DMZ, and if it needs access to the DB it should go through
the firewall (and if possible use application layer filters on the
firewall...)...

-- 
Mike
Microsoft MVP - Windows Security
"EddieF" <EddieF@discussions.microsoft.com> wrote in message 
news:BA1FBF1E-15DC-4026-941E-F6E722F206E9@microsoft.com...
> Hello,
>
> I am new at setting up IIS Web Servers. I need to make sure that a new Web
> Server running on Windows 2003 SP1 server with IIS 6 is set up securely.
> Here are the steps I've already taken:
>
> 1) Created two NTFS partitions -  one for the system and another for data
> 2) Installed URLScan -  not sure about the best way to configure it
> 3) Ran the 2003 SP1 Security Configuration Wizard
> 4) Renamed the admin account
> 5) Installed virus and spyware scanners
> 6) Ran the Microsoft Baseline Security Analyzer
> 7) Plan to use a Verisign certificate to secure the web site
> 8) Installed two NIC cards -- one to DMZ side of firewall and other to our
> network to access a database required for the IIS server.
> 9) Redirected incoming SSL traffic to the IIS Server on the DMZ interface.
>
> I would appreciate any other ideas on how best to secure an IIS server.
>
> One other thing I'm concerned about is the fact that this server has two NIC
> cards -- one connects to our firewall DMZ and the other connects to the local
> network.  Would it be easy for a hacker to get to our local network if he/she
> accesses the server from the other card connected to the DMZ?  In other words
> could they connect to one interface and come out the other interface into our
> network.  What would be the best way to prevent this from happening?
>
> Thanks in advance for your suggestions.  I appreciate your help.
>
> EddieF
>
> 
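The exchange above is about whether a dual-homed IIS host can become a path from the DMZ into the internal network. The script below is an added example, not part of the thread and not something either poster wrote: it audits a Windows host for the host-level settings that would let it pass traffic between its NICs (IP forwarding, the Routing and Remote Access service, a second default gateway). The function name `Test-DualHomedHost` is made up for this example; the registry value and service name are standard Windows ones. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the thread): audit a dual-homed Windows host for
# settings that allow traffic to pass from one NIC to the other.
# Function name is hypothetical; registry value and service name are standard.

function Test-DualHomedHost {
    $findings = @()

    # Kernel IP forwarding is controlled by the IPEnableRouter value (0 = off).
    $tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $ipRouter = (Get-ItemProperty -Path $tcpip -Name IPEnableRouter -ErrorAction SilentlyContinue).IPEnableRouter
    if ($ipRouter -eq 1) {
        $findings += 'IPEnableRouter=1: the host forwards packets between its interfaces.'
    }

    # Routing and Remote Access (service name RemoteAccess) turns the host into a router/NAT box.
    $rras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    if ($rras -and $rras.Status -eq 'Running') {
        $findings += 'Routing and Remote Access service is running.'
    }

    # A dual-homed host should have exactly one default gateway, on the DMZ-facing NIC.
    # A second gateway on the internal NIC invites asymmetric routing and gives
    # a compromised process an easy route into the internal subnet.
    $adapters = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True')
    $withGateway = @($adapters | Where-Object { $_.DefaultIPGateway })
    if ($withGateway.Count -gt 1) {
        $names = ($withGateway | ForEach-Object { $_.Description }) -join '; '
        $findings += "More than one adapter has a default gateway: $names"
    }

    return $findings
}

# List the IP-enabled adapters so the two NICs and their gateways are visible.
Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' | ForEach-Object {
    $gw = if ($_.DefaultIPGateway) { $_.DefaultIPGateway -join ',' } else { '(none)' }
    Write-Host ("Adapter: {0}  IP={1}  GW={2}" -f $_.Description, ($_.IPAddress -join ','), $gw)
}

$result = @(Test-DualHomedHost)
if ($result.Count -eq 0) {
    Write-Host 'No host-level forwarding settings found.'
} else {
    $result | ForEach-Object { Write-Host "FINDING: $_" }
}
```

A clean result from this audit only rules out the host acting as a router. It does not address the point Mike makes: a process running as the web application can still open its own connections out of the internal NIC, so the internal side should reach the database only through a firewall that permits the database port from the web server's address and nothing else.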

