Re: IIS on DMZ



Please ask your security people how this is protecting IIS in any way?

If there is some kind of malicious packet that can exploit IIS, then your proxy will just pass it to IIS, and you'll still be compromised.

Cheers
Ken

"tony" <tony@xxxxxxx> wrote in message news:eEi%23EySWIHA.1376@xxxxxxxxxxxxxxxxxxxxxxx
I understand what you mean, but the security team basically is saying IIS is not secure; they will not open up port 80/443 to IIS. So we have Linux proxies in front of IIS 6 that do redirects to the IIS 6 servers. The IIS 6 servers are also on DMZ, but the firewall opens up only port 80/443 on the proxies. Then Linux redirects them to the IIS 6 servers.

thanks



"Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx> wrote in message news:ed0bEINWIHA.2304@xxxxxxxxxxxxxxxxxxxxxxx
"tony" <tony@xxxxxxx> wrote in message news:ey83dsKWIHA.4476@xxxxxxxxxxxxxxxxxxxxxxx
What I mean is expose port 80 and 443 to the public. Is it safe?

Safe against what, exactly? Nuclear bomb? No.

Lots of companies run IIS 6.0 and have public websites. Like Microsoft.com. So, the mere fact of exposing 80 and 443 doesn't automatically make you insecure.

And would having front end Apache proxies in front of the IIS 6 servers be an additional layer of security?

What are these proxies doing? If they are just proxying requests verbatim, they are adding no security at all. Are these proxies doing some kind of filtering? If not, you have gained nothing except additional administrative overhead.

But there is no such thing as "perfectly secure". There is only "less secure" and "more secure" (i.e. degrees of security). Additionally, you can be secure against a particular threat, but completely open to some other threat. You need to work out what your security threats are.

Cheers
Ken


I am trying to convince management to take the Linux web proxies out and open port 80/443 on the IIS servers instead.


"Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx> wrote in message news:uAbeZcKWIHA.5396@xxxxxxxxxxxxxxxxxxxxxxx
Secure against what?

Cheers
Ken

"tony" <tony@xxxxxxx> wrote in message news:%23ayaauAWIHA.4696@xxxxxxxxxxxxxxxxxxxxxxx
How secure is it to have IIS 6 on DMZ? Do I need to be using Apache web proxy at all?
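
The distinction drawn in this thread between a proxy that forwards requests verbatim and one that filters, as an added sketch that is not part of the original posts. The allowlist, the length limit and the sample requests are constructed assumptions, not a description of the Linux proxies discussed above.

```python
from urllib.parse import unquote

ALLOWED_METHODS = {"GET", "HEAD", "POST"}  # assumed policy for a static/forms site
MAX_TARGET_LEN = 2048                      # assumed upper bound on the request target


def verbatim_proxy(raw: bytes) -> bytes:
    """Pass-through: the backend receives exactly what the client sent."""
    return raw


def filtering_proxy(raw: bytes):
    """Return (bytes_to_forward or None, reason)."""
    line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = line.split(" ")
    if len(parts) != 3:
        return None, "malformed request line"
    method, target, version = parts
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return None, "unsupported version"
    if method not in ALLOWED_METHODS:
        return None, "method not allowed"
    if len(target) > MAX_TARGET_LEN:
        return None, "request target too long"
    # Decode twice so double-encoded bytes are judged as the backend may see them.
    decoded = unquote(unquote(target))
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return None, "control character in target"
    path = decoded.split("?", 1)[0].replace("\\", "/")
    if ".." in path.split("/"):
        return None, "dot-dot segment in path"
    return raw, "forwarded"


# Constructed sample requests (not taken from the thread).
SAMPLES = {
    "normal": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "webdav": b"PROPFIND /docs HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "traversal": b"GET /scripts/..%252f..%252fsecret.txt HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "overlong": b"GET /" + b"A" * 5000 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def compare():
    """Map each sample to (verbatim forwards it?, filtering proxy's verdict)."""
    return {name: (verbatim_proxy(raw) == raw, filtering_proxy(raw)[1])
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

The verbatim proxy hands every sample to the backend unchanged, while the filtering one forwards only the first; whether the rejected cases matter depends on the threats being defended against.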