Re: Security for Win2003 Servers

From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 11/25/04


Date: Wed, 24 Nov 2004 23:14:07 -0700

It seems you have found the W2k3 hardening guide, which is good.
I do not understand your choices for the IIS box. It is in the DMZ,
so normally this means you would want to use as much of the bastion
guidance as possible. Even if it is a domain member, I do not understand
the choice of the legacy template. When MS placed an exposed IIS 6 on
the network for the open hack contest, they did very little beyond common
sense config to that W2k3 and then added IPsec in filter mode (allow no
traffic, except allow inbound tcp 80/443 - in your case also allow specific
port+ip as needed for time, dns, mgmt, app tier)

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA,  MCSE W2k3+W2k+Nt4
"NewComer" <NewComer@discussions.microsoft.com> wrote in message 
news:7B8FFD3D-B68F-4C68-BB4E-62D9610A53FE@microsoft.com...
> Hi,
>
> I am planning to set up two Win2003 Servers. One is a Proxy (in DMZ zone), the
> other is a Web/Appl Server. Neither of the Servers will be set up as a Domain
> Controller. Below is my query.
>
> 1. What security or policy template should I put on both servers? (e.g. IIS,
> ISA)
> 2. How do I harden the OS?
>
> I have come up with some policies as stated below but am not sure whether
> they are correct. Need advice.
>
> Proxy Server
> High Security- Bastion Host.inf
> ISA
>
> Web/App Server
> Legacy Client - MemberServer Baseline.inf
> Enterprise Client - IISServer.inf
>
> Best regards,
> NewComer
> 
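
The "IPsec in filter mode" setup described in the reply (block everything, permit inbound tcp 80/443, plus specific port+ip exceptions) can be scripted with `netsh ipsec static` on Windows Server 2003. This is an added example, not part of either post; the policy and list names, the 192.0.2.x addresses, and the management and app-tier ports are placeholders to be replaced with your own values.

```bat
rem Added example: block-all / permit-listed IPsec policy for a DMZ IIS box.
rem Names, 192.0.2.x addresses and the mgmt/app-tier ports are placeholders.
set POL=DMZ-IIS-Filter

netsh ipsec static add policy name="%POL%" description="Block all, permit listed traffic"

rem Two filter actions: plain permit and plain block (no security negotiation).
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Block" action=block

rem General filter: all traffic to or from this host. The more specific
rem filters below take precedence over it when a packet matches both.
netsh ipsec static add filterlist name="All-IP"
netsh ipsec static add filter filterlist="All-IP" srcaddr=any dstaddr=me protocol=ANY mirrored=yes description="all traffic"

rem Inbound web traffic from any source.
netsh ipsec static add filterlist name="Web-In"
netsh ipsec static add filter filterlist="Web-In" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=80 mirrored=yes description="HTTP in"
netsh ipsec static add filter filterlist="Web-In" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=443 mirrored=yes description="HTTPS in"

rem Specific port+ip exceptions: dns, time, mgmt, app tier.
netsh ipsec static add filterlist name="Infra"
rem DNS to one resolver (placeholder address)
netsh ipsec static add filter filterlist="Infra" srcaddr=me dstaddr=192.0.2.53 protocol=UDP srcport=0 dstport=53 mirrored=yes description="DNS out"
rem Time sync to one NTP source (placeholder address)
netsh ipsec static add filter filterlist="Infra" srcaddr=me dstaddr=192.0.2.123 protocol=UDP srcport=0 dstport=123 mirrored=yes description="NTP out"
rem Remote Desktop from one management host (placeholder address, assumed mgmt method)
netsh ipsec static add filter filterlist="Infra" srcaddr=192.0.2.10 dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes description="RDP mgmt in"
rem App tier on one back-end host (placeholder address and port)
netsh ipsec static add filter filterlist="Infra" srcaddr=me dstaddr=192.0.2.20 protocol=TCP srcport=0 dstport=8080 mirrored=yes description="app tier out"

rem Bind each filter list to its action inside the policy.
netsh ipsec static add rule name="Block-All" policy="%POL%" filterlist="All-IP" filteraction="Block"
netsh ipsec static add rule name="Permit-Web" policy="%POL%" filterlist="Web-In" filteraction="Permit"
netsh ipsec static add rule name="Permit-Infra" policy="%POL%" filterlist="Infra" filteraction="Permit"

rem Assign last, so the block rule never becomes active without the permits.
netsh ipsec static set policy name="%POL%" assign=y
```

These filters are stateless, so `mirrored=yes` is what admits the reply packets for each permitted flow. Run the script from the local console rather than over the management connection, since a mistake in the management filter cuts that connection as soon as the policy is assigned.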

