Re: IIS / Web Services Security threats



Magdelin,

Are there any reasons why you want to open alternate ports? Usually this
will freak out any security "expert".

If you run it on the same ports that are open right now (I assume, of course),
like HTTP, HTTPS, FTP, then you can use the same argument they use: that IIS
is exposed and very bad people are going to infiltrate.

Use the existing ports, make sure your web services communication is secure
(tokens, encryption or SSL) and you should be fine.

henk


"Magdelin" <magdelinsuja@xxxxxxxxxxxxxxxxx> wrote in message
news:CBAB91C3-58F6-490C-A080-98998478B626@xxxxxxxxxxxxxxxx
> Hi,
>
> My security team thinks allowing communication between the two IIS instances
> leads to severe security risks. Basically, we want to put our presentation
> tier on the perimeter network and the business tier inside the firewall or
> internal network. The biz tier will be developed and deployed as web services
> on IIS.
>
> I know Microsoft recommends this architecture but I am not able to convince
> my security team. They say IIS is vulnerable to viruses and worms even though
> the communication between the web and app servers is secured with a
> firewall/SSL/IPSec. Even though we will open specific ports for accessing the
> web services, is it true that IIS is not a secure environment to access it
> from the perimeter network?
>
> If my security team is right, I wonder what the alternative to IIS would be.
> If they are not, how should we protect our network while allowing web
> services to run on IIS?
>
> I have read all security-related recommendations published by Microsoft but
> no luck with my security team yet, especially the entire document from
> patterns & practices:
> Improving Web Application Security - Threats and Countermeasures
>
> How are secure .NET enterprise applications developed and hosted in IIS? Are
> there any companies out there which use this MS recommended architecture and
> yet have a secure network?
>
> Thanks,
> Magdelin
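An added example (not code from either post in this thread) of what "make sure your web services communication is secure, tokens" can mean in practice between the two tiers: the DMZ presentation tier signs each call to the internal business-tier service with an HMAC over the verb, path, timestamp, nonce and body, and the internal tier checks the caller address, freshness, replay and signature before doing any work. The shared secret, the DMZ host address and the service path are hypothetical; in a real deployment the secret comes from a protected store, and this check runs in addition to, not instead of, the firewall rule and TLS/IPsec between the tiers.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical shared secret between the DMZ web server and the internal
# business-tier service. In a real deployment it is loaded from a protected
# store (DPAPI, a vault), never embedded in source.
SHARED_SECRET = b"replace-me-with-a-random-256-bit-secret"

# Hypothetical address of the presentation-tier host in the perimeter network.
DMZ_WEB_HOST = "192.0.2.10"


def _mac(secret, method, path, ts, nonce, body):
    """HMAC-SHA256 over everything the business tier must be able to trust:
    verb, path, timestamp, nonce and a hash of the request body."""
    body_hash = hashlib.sha256(body).hexdigest()
    msg = "\n".join([method.upper(), path, ts, nonce, body_hash]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_request(secret, method, path, body, now=None, nonce=None):
    """Presentation tier: produce the auth headers for one web-service call."""
    ts = str(int(time.time() if now is None else now))
    nonce = nonce or secrets.token_hex(16)
    return {"X-Ts": ts, "X-Nonce": nonce,
            "X-Sig": _mac(secret, method, path, ts, nonce, body)}


class BusinessTierVerifier:
    """Internal tier: accept a call only if it comes from an allowed host,
    is fresh, is not a replay, and carries a valid signature."""

    def __init__(self, secret, allowed_callers, max_skew=300):
        self.secret = secret
        self.allowed_callers = set(allowed_callers)
        self.max_skew = max_skew
        self._seen = {}  # nonce -> time after which it can be forgotten

    def verify(self, caller_ip, method, path, body, headers, now=None):
        now = time.time() if now is None else now
        # Application-level mirror of the firewall rule: only the DMZ web host.
        if caller_ip not in self.allowed_callers:
            return False, "caller not allowed"
        try:
            ts, nonce, sig = headers["X-Ts"], headers["X-Nonce"], headers["X-Sig"]
            ts_int = int(ts)
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"
        # Freshness: reject anything outside the allowed clock skew.
        if abs(now - ts_int) > self.max_skew:
            return False, "stale timestamp"
        # Replay: a nonce is remembered for as long as its timestamp is valid.
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}
        if nonce in self._seen:
            return False, "replayed nonce"
        # Signature, compared in constant time, recomputed from the raw header
        # strings so a canonicalisation mismatch cannot slip through.
        expected = _mac(self.secret, method, path, ts, nonce, body)
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        self._seen[nonce] = now + self.max_skew
        return True, "ok"


def demo():
    """Exercise the verifier with one good call and each failure mode.
    The service path and request bodies are constructed sample data."""
    verifier = BusinessTierVerifier(SHARED_SECRET, [DMZ_WEB_HOST])
    now = 1_700_000_000
    path = "/OrderService.asmx"
    body = b'{"orderId": 42}'
    good_hdrs = sign_request(SHARED_SECRET, "POST", path, body, now=now)

    def fresh():
        return sign_request(SHARED_SECRET, "POST", path, body, now=now)

    results = {
        "good": verifier.verify(DMZ_WEB_HOST, "POST", path, body, good_hdrs, now=now + 5),
        "replay": verifier.verify(DMZ_WEB_HOST, "POST", path, body, good_hdrs, now=now + 6),
        "tampered": verifier.verify(DMZ_WEB_HOST, "POST", path, b'{"orderId": 43}', fresh(), now=now),
        "wrong_host": verifier.verify("198.51.100.7", "POST", path, body, fresh(), now=now),
        "stale": verifier.verify(DMZ_WEB_HOST, "POST", path, body,
                                 sign_request(SHARED_SECRET, "POST", path, body, now=now - 3600),
                                 now=now),
    }
    return {name: reason for name, (_ok, reason) in results.items()}


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name:>10}: {reason}")
```

The point of the example is that the internal tier does not trust network position alone: even if the DMZ web server is compromised, an attacker there still needs the signing secret, cannot replay captured calls, and cannot alter a body without invalidating the signature. Rotating that secret and keeping it out of the DMZ host's web root is what makes the scheme worth anything.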

