IIS Security

By dghaus
Hi Folks.

I'm contemplating making my IIS server (2 NICs, public & private) a member server so our in-house clients can do AD integrated authentication. In other words, set up an Intranet! We'd like the clients to authenticate automatically upon connecting, without using cookies. (I've got my reasons!) Obviously on the Intranet, anonymous connection will be disabled.

However, the public web site would also reside on the same machine, using anonymous connectivity.
What security concerns would there be about having a member server act as an 'anonymous' IIS server through its public IP address... I'm worried about possible hackers attacking my AD through the web site....

Thoughts?

by sbrown95 In reply to IIS Security

It's never a good idea to allow anonymous login to any service on a member server. The security risks are very high, and if you are not familiar with these types of security I would recommend hiring someone to do it for you - it would be well worth the effort. One step to setting this server up could be to place it in a DMZ, but there are still security risks involved if you aren't familiar with the process.

by TechKid In reply to IIS Security

If it's part of the domain there is a small security risk increase. As long as you are patching the system, using strong passwords, locking it down and whatnot, I wouldn't be overly worried. I mean, look at how many Windows SBS servers there are serving up pages and hosting email... and those are not only a member of the domain, they ARE the domain!

by CG IT In reply to IIS Security

You're worried about possible hackers attacking your AD through the web site on a server which resides on the private network, and you should be. Unless you run something like ISA Server, which does not let internet traffic into your network but rather reads the inbound request, goes and finds the request on a server, then returns that information to the requester, all without the inbound actually making a connection to the web server, you're at high risk for a security breach.

I would have 2 servers, public and private. Public on a perimeter network and the private on the network, so there's no chance of internet inbound traffic making a connection to the private network.

by sgt_shultz In reply to IIS Security

imho, we need lots more, as you cannot answer your question about concerns until you spell out completely the functional spec for this 'intranet' imho. who needs access exactly? exactly what access do they need? the intranet: what you gonna do with it? you have email there? databases? ftp? you thinking of having this server store the ad stuff? this is your only server, isn't it. ISN'T it? (tease)
have you checked out info available on dmz's at www.microsoft.com and www.cert.org?
gonna be expensive to due this diligently imho. pun intended. you will need more iron and server os licenses imho. you will need to understand how stuff can be hacked. how *your* stuff can be hacked. if you can put a figure on the value of company data it will help get a budget to secure it. maybe you can get your boss to do that part for you.
what you are gonna find out imho is you have 2 big jobs all of a sudden on your plate. 'security', and the 2nd job is disaster recovery. imho. DR is really the first priority imho. then you may be much more relaxed and actually enjoy yourself as you discover the joys of hacking. :>
as you know you can improve your odds simply by following accepted maint. practices; you will harden your server: have tested historical backups, proven anti-virus protection that autoupdates, staying current with patches and sps, stopping unnecessary services and setting permissions. you behind nat with firewall, at least, yes?

by zaferus In reply to IIS Security

I would strongly recommend considering two boxes. This way you can create a DMZ that has no connection to your LAN. IIS boxes are hacked daily and if they can access your DC in any way you are in big trouble.

A well set up Intranet is a great asset to a company, we have one ourselves and while it's constantly growing and improving, it's used daily by almost every user in our company. But we have it completely isolated from our web servers, it's just not worth the security risk!

That being said - VMWare is supposed to be able to safely isolate two systems in the manner you are proposing, so that two VMs run completely isolated from each other on the same box, saving you hardware costs. I've seen it on a server, it looks like they are indeed secured. If you insist on going with one box I'd look at putting VMWare on it.

Zaf
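A defender-side check that follows from this thread, added here as an example and not code posted by anyone above: it enumerates every IIS site on the local server, reads which address each binding listens on and whether anonymous or Windows (AD integrated) authentication is enabled, and flags the two combinations the posters warn about on a dual-NIC member server: Windows authentication reachable on anything other than the private address, and an anonymous site bound to all addresses (which includes the public NIC). It assumes IIS 7 or later with the WebAdministration module; the private address `10.0.0.5` is a placeholder for whatever the LAN-side NIC is assigned.

```powershell
# Added example: audit IIS bindings and authentication modes on a dual-NIC member server.
# Assumes IIS 7+ (WebAdministration module). Run in an elevated PowerShell session.
Import-Module WebAdministration

# Placeholder: the address assigned to the private (LAN) NIC. Adjust to your environment.
$PrivateIp = '10.0.0.5'

# Whether anonymous web content runs on a domain member is the crux of the thread.
$domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
Write-Host "Domain member: $domainJoined"

$report = foreach ($site in Get-ChildItem IIS:\Sites) {
    $psPath = "IIS:\Sites\$($site.Name)"

    # Effective authentication settings for this site.
    $anon = (Get-WebConfigurationProperty -PSPath $psPath `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
        -Name enabled).Value
    $win  = (Get-WebConfigurationProperty -PSPath $psPath `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' `
        -Name enabled).Value

    foreach ($binding in $site.Bindings.Collection) {
        # bindingInformation is "IP:port:hostname"; '*' means every address, public NIC included.
        $ip = ($binding.bindingInformation -split ':')[0]

        $flags = @()
        if ($win -and $ip -ne $PrivateIp) {
            $flags += 'Windows auth reachable outside the private NIC'
        }
        if ($anon -and $ip -eq '*') {
            $flags += 'anonymous site bound to all addresses'
        }
        if ($anon -and $domainJoined -and $ip -ne $PrivateIp) {
            $flags += 'anonymous content served by a domain member on a non-private address'
        }

        [pscustomobject]@{
            Site        = $site.Name
            Binding     = $binding.bindingInformation
            Anonymous   = $anon
            WindowsAuth = $win
            Finding     = ($flags -join '; ')
        }
    }
}

$report | Format-Table -AutoSize
```

Any row with a non-empty Finding is a site whose binding does not match the public/private split the original post describes; the fix is to bind the intranet site only to the private address and, per the replies, to move the anonymous public site to a separate host in a perimeter network.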
