Re: Web App Security Model.



Thanks for the information.

So basically just follow standard procedure for locking down IIS / Webserver
etc and I should be OK.

Because of the authentication needed I'll be in the Active Directory domain.
The app will be connecting to a SQL 2005 server in the domain. I'm thinking
about putting it in its own sub-domain but the additional costs of servers
for DCs might be prohibitive.

Thanks again.

"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:%23vX9lF0WHHA.4860@xxxxxxxxxxxxxxxxxxxxxxx
Some would say it is better to have those machines, latched down
to tcp 80, 443 as you say, sitting outside compared to inside in the
circumstance you describe.
You have not indicated how the machines are with regard to AD,
any domains, etc. database accesses, backup access, etc..
If these machines are standalone the threats posed by them are
significantly different from if not, obviously, but much also depends
on how inconvenient administrative / backup / etc access is if they
are standalone (generally more convenient is more risk)

Anyway, very very much depends on the quality of the aspx
applications / implementation and whether their design has
been done with security (of your whole infrastructure) in mind.

There is some guidance at
http://www.microsoft.com/technet/security/guidance/default.mspx
and IIRC more in msdn2

Roger
"Lincoln De Kalb" <lincoln.dekalb@xxxxxxxxxx> wrote in message
news:e3jok4uWHHA.392@xxxxxxxxxxxxxxxxxxxxxxx
Hey all,

I'm not really looking for an answer, I'm looking for pointers on where
to look.

My company wants to have a few Windows Servers running web apps (ASPX
based primarily) available externally. They will be behind a firewall
with strict rules (like 80, 8080, 443) etc....

For the time being there won't be a Firewall between the servers and the
primary network, so we aren't in a DMZ type environment.

I'm struggling to find any information on technet, windowssecurity.com,
techrepublic etc etc. on best practices or things to consider for this
type of environment. I really wouldn't have thought it that different to
what most people would set up.

So if you can point me in the right direction, that would be superb. Or
maybe I'm missing something so fundamental that it's a no brainer and
hence no documentation.

Ta heaps.
Lincoln
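Roger's point about keeping the web servers "latched down to tcp 80, 443" only holds if nothing else on the box is actually listening, and on a domain-joined server that is not behind an inner firewall the extra listeners (RPC, SMB, RDP, a local SQL instance) are exactly what is reachable from the primary network. The script below is an added example, not code from anyone in this thread: it parses the output of `netstat -ano -p tcp` on Windows and reports every non-loopback listener whose port is outside an allowlist. The netstat text embedded in it is constructed sample output, and the allowlist of 80 and 443 is taken from Roger's reply.

```python
"""Audit Windows TCP listeners against an allowlist of expected ports.

Added example for this thread. Run `netstat -ano -p tcp` on the web
server, save the output, and pass it to audit_netstat(); anything
reported is a service exposed beyond the 80/443 profile the thread
describes and should be disabled, firewalled, or explicitly justified.
"""
from dataclasses import dataclass

# Ports the web server is expected to expose (from Roger's reply).
ALLOWED_PORTS = {80, 443}

# Constructed sample of `netstat -ano -p tcp` output on a domain-joined
# IIS box; these are illustrative values, not from any real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1234
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING       2020
  TCP    10.0.0.5:443           10.0.0.9:52013         ESTABLISHED     4
  TCP    [::]:443               [::]:0                 LISTENING       4
"""


@dataclass(frozen=True)
class Listener:
    """One TCP socket in LISTENING state."""
    address: str
    port: int
    pid: int

    @property
    def loopback(self) -> bool:
        # Loopback-only listeners are not reachable from the network.
        return self.address in ("[::1]", "::1") or self.address.startswith("127.")


def parse_listeners(netstat_output: str) -> list[Listener]:
    """Extract LISTENING TCP sockets from `netstat -ano -p tcp` text."""
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # Data rows have: Proto, Local Address, Foreign Address, State, PID
        if len(fields) != 5 or fields[0].upper() != "TCP":
            continue
        if fields[3].upper() != "LISTENING":
            continue
        # Split on the last colon so IPv6 forms like [::]:443 parse cleanly.
        address, port = fields[1].rsplit(":", 1)
        listeners.append(Listener(address=address, port=int(port), pid=int(fields[4])))
    return listeners


def unexpected_listeners(listeners: list[Listener], allowed=ALLOWED_PORTS) -> list[Listener]:
    """Return network-reachable listeners on ports outside the allowlist."""
    return sorted(
        (l for l in listeners if l.port not in allowed and not l.loopback),
        key=lambda l: l.port,
    )


def audit_netstat(netstat_output: str, allowed=ALLOWED_PORTS) -> list[Listener]:
    """Parse netstat text and return the listeners that need attention."""
    return unexpected_listeners(parse_listeners(netstat_output), allowed)


if __name__ == "__main__":
    for l in audit_netstat(SAMPLE_NETSTAT):
        print(f"unexpected listener: {l.address}:{l.port} (PID {l.pid})")
```

Running it on the sample flags 135 (RPC endpoint mapper), 445 (SMB) and 3389 (RDP); the SQL listener on 1433 is bound to loopback only, so it is reported as fine even though it is outside the allowlist. Those three are the services a domain member typically needs for AD, management and backup, which is the convenience-versus-risk trade-off Roger describes, so the useful output of the audit is a list to consciously decide on, not necessarily a list to shut off.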