naïve questions: Web server security

By MattsDad
Hello!

Well, here come some naïve questions about Web server security and data transfer.

I am considering making available a private Web page on my intranet so that remote users can access the most widely used data on my servers. They would largely be editing and reviewing documents.

This network is a workgroup of 15 hosts, with W2K servers and XP Pro and W2K Pro workstations.

I would like to fully implement this page on an XP Pro machine that is currently a "spare".

There will be no domain name. Users will have to know the exact IP address.

I have implemented a non-standard port, which users will also have to know.

I have a WatchGuard firewall that is set up to forward HTTP requests on the non-standard port to the XP machine.

Also I want to use Windows Integrated Authentication. Users would have to have an account on the specific machine.

No more than 5 users would be accessing this page at a time.

What do you think of this setup in terms of security: both of the Web server itself and the data being intercepted, not to mention the network itself?

Any comments or suggestions? My budget is $0.

Thanks in advance!!

2 total posts (Page 1 of 1)  

by red_wolf In reply to naïve questions: Web serv ...

Remember "security by obscurity is no security": don't think that non-standard ports will protect you. A simple port scan and a HEAD request will give your IIS box away. Also, sending usernames and passwords in clear text is inherently insecure.

There are a few things I might do, looking at your setup.

1) Why use WinXP? IIS version 5.1 has serious limitations. I assume you have a reason not to go with IIS on the W2K server?
http://www.iisanswers.com/IIS51.htm
As always, be constantly vigilant with your anti-virus and Windows Updates. And disable all unneeded services in Windows XP, not just in IIS.
http://www.blackviper.com/WinXP/servicecfg.htm

2) Security could be improved on several fronts. First, split the hard drive into at least 2 partitions and put the web root on a different partition from the OS. Next, install IIS Lockdown:
http://www.microsoft.com/downloads/details.aspx?FamilyID=dde9efc0-bb30-47eb-9a61-fd755d23cdec&displaylang=en
http://www.iisanswers.com/articles/IIS_Lockdown/IISLockdown.htm
or better yet SecureIIS Personal
http://www.eeye.com/html/Products/SecureIIS/Download.html?rid=r.0729.115753.390140

4) Read all the IIS best practices and adapt what you can to Windows XP.
http://www.microsoft.com/technet/security/prodtech/iis/default.mspx

5) I would also consider activating Windows 2000 Certificate Server and issuing your users certificates
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/depopt/2000cert.mspx
so that you can wrap your file transfers in SSL. This may require using the Win2k Server as your IIS platform; I have used WinXP for hosting, but that was with Apache (see below).

6) What is your plan for the actual file upload and download method (FTP, POST/GET, CGI, .NET, VB app)? This could be a potentially HUGE hole.

Is there any reason not to use Apache?
http://httpd.apache.org/
Secure, free, and all the connections you could want.

Based on what you have said, I believe all of the above can be done with
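To make red_wolf's first point concrete, here is an added example (it is not code from either post) that does what a curious scanner does: connect to a port, send a HEAD request, read the Server banner, and list the authentication schemes the server advertises, flagging Basic auth offered over plain HTTP as cleartext credentials. The sample response is constructed for the example and the IIS header values in it are assumed; the host and port in the live probe are placeholders.

```python
"""Fingerprint a web server from a HEAD response and flag cleartext auth.

Added example, not from the original thread. A non-standard port is not a
secret: one TCP connect plus a HEAD request returns the Server banner, and
the WWW-Authenticate header(s) reveal which authentication schemes the
server accepts.
"""
import socket
from typing import Dict, List, Optional

# Constructed sample of what an IIS 5.1 box might answer to a HEAD request.
# Header values are assumed for illustration, not captured from a real host.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: Microsoft-IIS/5.1\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"WWW-Authenticate: Negotiate\r\n"
    b"WWW-Authenticate: NTLM\r\n"
    b"WWW-Authenticate: Basic realm=\"intranet\"\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_head_response(raw: bytes) -> Dict[str, List[str]]:
    """Parse the status line and headers of an HTTP response.

    Header names are lower-cased; repeated headers (normal for
    WWW-Authenticate) are kept as a list in order of appearance.
    The status line is stored under the key "_status".
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, List[str]] = {"_status": [lines[0]]}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate a malformed line rather than crash the scan
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def fingerprint(headers: Dict[str, List[str]]) -> Optional[str]:
    """Return the Server banner, or None if the server does not send one."""
    banner = headers.get("server")
    return banner[0] if banner else None


def auth_schemes(headers: Dict[str, List[str]]) -> List[str]:
    """List the authentication schemes offered, in the order advertised."""
    return [v.split()[0] for v in headers.get("www-authenticate", []) if v.strip()]


def assess(raw: bytes, over_tls: bool = False) -> Dict[str, object]:
    """Summarise what a single HEAD response gives away to an outsider."""
    headers = parse_head_response(raw)
    banner = fingerprint(headers)
    schemes = auth_schemes(headers)
    findings: List[str] = []
    if banner:
        findings.append(f"server banner disclosed: {banner}")
    if "Basic" in schemes and not over_tls:
        # Basic is base64, not encryption: the password crosses the wire as-is.
        findings.append("Basic auth offered without TLS: credentials sent in cleartext")
    if any(s in ("NTLM", "Negotiate") for s in schemes) and not over_tls:
        findings.append("NTLM/Negotiate offered without TLS: challenge-response, "
                        "but the session data itself is unencrypted")
    return {"banner": banner, "schemes": schemes, "findings": findings}


def probe(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Send a real HEAD request to host:port and return the raw response head.

    Not exercised offline; point it only at a host you are allowed to test.
    """
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        buf = b""
        while b"\r\n\r\n" not in buf:
            data = sock.recv(4096)
            if not data:
                break
            buf += data
    return buf


def find_http_ports(host: str, ports: List[int]) -> List[int]:
    """Cheap 'port scan + HEAD': return the ports that answer like HTTP."""
    found = []
    for port in ports:
        try:
            if probe(host, port).startswith(b"HTTP/"):
                found.append(port)
        except OSError:
            continue  # closed, filtered, or not speaking HTTP
    return found


if __name__ == "__main__":
    # Offline run against the constructed sample; for a live check use e.g.
    # find_http_ports("192.0.2.10", [80, 443, 8000, 8080, 8443]) (placeholder host).
    for line in assess(SAMPLE_RESPONSE)["findings"]:
        print(line)
```

The offline run reports the IIS/5.1 banner and that Basic is offered without TLS; running `find_http_ports` over a handful of likely ports shows how little a non-standard port buys. The same `assess` call with `over_tls=True` drops the cleartext finding, which is the practical reason behind the SSL suggestion in point 5.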
