Re: IIS security question-please help



Much of the whole, complete, and true answer depends
on how this machine is connected to the network(s).

One could start by configuring the server with two IPs.
In the IIS mgmt interface, in the properties of each site,
set the site for one of the IPs (instead of the default, all
unassigned). While in the properties of the internal site,
go into the directory security tab and set the site to not
allow anonymous access, and depending on your client
environment you would probably check that the internal
site uses Windows integrated authentication.
Next, make sure that the NTFS permissions on the content
of the internal site allow for your users but not for the
IUSR_/IWAM_ accounts used for anonymous access.
You may or may not be using host-based IP traffic control
of some form on that server, but if so you can define allowed
access to the internal site IP so it must originate from only
your internal systems.
However your server sits network-wise so that it does
respond to both external and internal requests, you need
to adjust this so that external only get to the intended, single
IP and so that responses from the internal site IP cannot go
out onto the internet.

Those are some starting points, not exhaustive, but do get
you toward a fairly safe separation of the site, provided
that the server is safe from invasions/exploits (untrusted
internal users, excess exposure to external network).

"Rob" <Rob@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B8F186A2-9B11-4A1D-81A6-3D12C3DEAA8D@xxxxxxxxxxxxxxxx
Hi,
I have 2 websites on an IIS machine (Windows 2000 server). One of them is
open to the public and another one should be only accessible for inside the
network (LAN). What has to be done in order to secure it, so people from
outside won't be able to see the Intranet website.
Thanks a lot for any comment. Rob
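
The checklist in the reply above (one IP per site, no anonymous access and Windows integrated authentication on the internal site, no IUSR_/IWAM_ rights on its content, internal-only source addresses) can be audited with a short script. This is an added example, not part of the original posts; the inventory format, field names, host names and addresses are hypothetical and constructed for illustration.

```python
import ipaddress

ANON_PREFIXES = ("IUSR_", "IWAM_")  # anonymous-access accounts named in the reply

def audit_site(site, internal_nets):
    """Return findings for one site dict (hypothetical inventory format)."""
    findings = []
    if site["bind_ip"] in ("", "*"):
        findings.append("bound to all unassigned IPs")
    if not site["internal"]:
        return findings  # the remaining checks apply to the intranet site only
    if site["anonymous"]:
        findings.append("anonymous access allowed")
    if not site["integrated_auth"]:
        findings.append("Windows integrated authentication off")
    for account in site["ntfs_allow"]:
        # Strip any DOMAIN\ or MACHINE\ prefix before matching the account name.
        if account.split("\\")[-1].upper().startswith(ANON_PREFIXES):
            findings.append("NTFS allows " + account)
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    for source in site["allowed_sources"]:
        src = ipaddress.ip_network(source)
        if not any(src.version == n.version and src.subnet_of(n) for n in nets):
            findings.append("source " + source + " is not internal")
    return findings

def audit_server(sites, internal_nets):
    """Audit every site and flag sites that share one IP."""
    report = {s["name"]: audit_site(s, internal_nets) for s in sites}
    seen = {}
    for s in sites:
        other = seen.setdefault(s["bind_ip"], s["name"])
        if other != s["name"]:
            report[s["name"]].append("shares IP with " + other)
    return report

# Constructed sample inventory (documentation and private address ranges).
SAMPLE = [
    {"name": "public", "internal": False, "bind_ip": "192.0.2.10"},
    {"name": "intranet", "internal": True, "bind_ip": "*",
     "anonymous": True, "integrated_auth": True,
     "ntfs_allow": ["CORP\\Staff", "WEB01\\IUSR_WEB01"],
     "allowed_sources": ["10.0.0.0/8", "0.0.0.0/0"]},
]

if __name__ == "__main__":
    for name, findings in audit_server(SAMPLE, ["10.0.0.0/8"]).items():
        print(name, findings or "ok")
```

An empty findings list for the internal site means the settings match the reply's starting points; it does not cover the network-level routing the reply also calls for.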