Re: oops again
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 07/13/04
- Next message: David Wang [Msft]: "Re: Enabling *.bat files to be served on iis6"
- Previous message: Rachel: "Re: Installation of IIS 6.0 on XP"
- In reply to: dawg3294: "Re: oops again"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 12 Jul 2004 19:09:44 -0700
From a security standpoint -- you only want the absolutely minimum ports
open on the Firewall, and the default should be none. This ensures that no
one can hop from the Internet into your local network by connecting to an
open port.
Since you intend to install IIS purely as a test server for your ASPX pages
prior to uploading them, I suggest you:
1. Do not open any ports on the firewall
2. Make sure that IIS is only listening on the local network (192.168.x.y
subnet)
So, on your local network, you can access IIS just fine and do all the
testing you want. Since no ports are open on the firewall, no external user
can get to this server (or any other machine on your local network) across
the firewall.
Internet <--> ISP <--> Router (64.2.?.?) (HW Firewall with no ports open)
<--> Your PC, Server, etc on the local network (192.168.x.y)
Since you have a firewall with no inbound ports open, you don't need to
worry about external people somehow connecting to your local machines. What
you have to worry about are unauthorized outbound connections -- such as
Trojan/Virus that are somehow induced to run on your local machines and are
OPENING a network connection OUTBOUND across your firewall to some external
entity (i.e. phone-home). This same mechanism is used by many legitimate
programs like email clients, instant messaging clients, browsers, etc... so
many firewalls on the router tend not to block this traffic -- but you can
run firewalls on the individual clients that block both unauthorized inbound
and outbound connections.
Personally, I run firewall on all my machines and my router and control what
ports are open/allowed on each -- I do not believe in having an "Eggshell"
perimeter defense -- since once someone compromises the outer defenses, all
the local machines become vulnerable.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"dawg3294" <dawg3294@discussions.microsoft.com> wrote in message
news:582EBFED-1013-4E6D-869D-20388CDA4052@microsoft.com...
thank you, that was a very informative reply. You've pointed me in the right
direction, and I've done more research. Now, I have a good understanding
about what you're talking about, but I have a few more questions:

You are right, this is how I am set up:
> This is one possible network configuration --
> Internet <--> ISP <--> Router (64.2.?.?) (HW Firewall) <--> Your PC, Server,
> etc on the local network (192.168.x.y)

In order to understand what you're talking about, I tried this, and it worked:
> When you want to expose the web server on the local network to the internet,
> you open up port 80 on the Firewall and forward outside traffic to port 80
> to the internal IP (192.168.x.y) of your web server. To the outside world,
> 64.2.?.?:80 exists; the router takes care of routing 64.2.?.?:80 requests to
> 192.168.x.y:80 of your web server, based on your forwarding rule.

Now, I am able to get to my website by going to http://64.2.??.??:myportNumber

Now, my question is this: Is my webserver inaccessible from the outside if I
choose NOT to route 64.2.?.?:80 to 192.168.x.y:80? If the answer is that the
webserver IS still accessible, can you tell me how people can access it? If
the answer is that the webserver is NOT accessible, can you tell me if there
are any specific security risks in running an intranet from this computer?

"David Wang [Msft]" wrote:
> 192.168.x.y is an unroutable IP. It means machines outside the local subnet
> cannot reference your machine using that IP because no intervening router
> will "route" that request.
>
> 64.2.x.y is likely your WAN IP of your broadband/modem connection. This is
> an IP that any machine can reference and is routable.
>
> Just because you cannot get http://192.168.x.y/index.html or
> http://64.2.?.?/index.html to work does not mean that your server is
> inaccessible from the outside. It only shows that YOU cannot access it from
> your network client but says nothing about whether the server is actually
> inaccessible from the outside. Only by knowing how you configured
> networking from your server on up can you determine this.
>
> As for blocking port 80 from the firewall, it depends. Most firewalls
> prevent outsiders from seeing your machines. They usually do not prevent
> you from seeing outside machines.
>
> This is one possible network configuration --
> Internet <--> ISP <--> Router (64.2.?.?) (HW Firewall) <--> Your PC, Server,
> etc on the local network (192.168.x.y)
>
> You configure the Firewall on the Router to just block every single port.
> This blocks anyone from the outside from ever seeing any of your local
> network but does not prevent your PCs from contacting the Internet.
>
> When you want to expose the web server on the local network to the internet,
> you open up port 80 on the Firewall and forward outside traffic to port 80
> to the internal IP (192.168.x.y) of your web server. To the outside world,
> 64.2.?.?:80 exists; the router takes care of routing 64.2.?.?:80 requests to
> 192.168.x.y:80 of your web server, based on your forwarding rule.
>
> Now, just because you opened port 80 does NOT mean that it is accessible.
> Frequently, ISPs will block port 80 traffic from the Internet -- so that even
> though your 64.2.?.?:80 exists, traffic coming from the Internet gets dropped
> if it's for port 80.
>
> As you can see, networking is just about names (i.e. protocol, IP, Port,
> etc) and connections (the wires between all devices, the routers, the PCs,
> etc). Anything along the connection between the client and server can
> choose to filter traffic one way or the other (i.e. ISP filtering inbound
> port 80, your firewall filtering all inbound ports, etc), and the names are
> important to route requests to/from locations along the connections.
>
> I suggest you search for information on basic networking knowledge before
> attempting what you are trying to do, so that you clearly understand what is
> going on and the security ramifications.
>
> --
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "dawg3294" <dawg3294@discussions.microsoft.com> wrote in message
> news:B705A2BC-9540-4A31-8706-DCE2149283AC@microsoft.com...
> Sorry for the double postings, I keep hitting my normal "paste" keyboard
> shortcut, and it seems to post the message. Lemme try again:
>
> thanks. That was helpful.
>
> You're right, my computer has an ip of 192.168.x.y. I'm new to networking.
> What is the significance of that number? Does it mean that it is a private
> ip that is not accessible from the outside? Does it mean that my ip is
> proxied?
>
> When i go to one of those "what is my ip" sites, they say 64.2.?.?
>
> When I go home, and try to http://192.168.x.y/index.html or
> http://64.2.?.?/index.html, it does not work. Is there another way someone
> can access the server if I can't http to those ips?
>
> Also, is blocking port 80 from the firewall a viable option? Will blocking
> port 80 stop people from seeing in, stop me from seeing out to other sites,
> or both?
>
> "dawg3294" wrote:
>
> > thanks. That was helpful.
> >
> > You're right, my computer has an ip of 192.168.x.y. I'm new to networking.
> > What is the significance of that number? Does it mean
> >
> > When i go to one of those "what is my ip" sites, they say
> >
> > "David Wang [Msft]" wrote:
> >
> > > When you install IIS5, it is going to listen on all network interfaces by
> > > default. I do not know whether your internet access from the test server is
> > > via direct connection or proxied. If it is direct connection (i.e. the test
> > > server is connected to the broadband modem), then your test server is live
> > > on the Internet and is probably already hacked if unpatched. If it is
> > > proxied (i.e. test server is attached to a hub/switch with an internal IP
> > > address, and the broadband modem is connected to some other device which
> > > manages internal/external IP address mapping), then you're probably Ok, but
> > > you still need to patch the server.
> > >
> > > I would seriously consider flattening this server and starting over if you
> > > suspect anything on the box, to be safe.
> > >
> > > Network-based attacks do not need domains -- they need an IP address.
> > >
> > > Personally, for testing ASPX pages, there are two approaches.
> > > 1. Use Cassini, which is a simple-minded ASP.Net web server useful only for
> > > testing ASP.Net pages. Check out www.asp.net for more info
> > > 2a. Install the Microsoft Loopback adapter (go to add a new HW Network
> > > Card, and loopback is one of the choices)
> > > b. Manually configure the IP of the loopback to a private, non-routable
> > > address (like 192.168.x.y)
> > > c. Configure your websites on IIS to only listen on the IP from 2b
> > > d. (Optionally) configure IP Security in IIS to deny access to all but
> > > localhost
> > >
> > > In both cases, access to the ASPX page is localhost only.
> > >
> > > --
> > > //David
> > > IIS
> > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > //
> > > "dawg3294" <dawg3294@discussions.microsoft.com> wrote in message
> > > news:059FE7FF-F87B-4851-9844-E800A5265D77@microsoft.com...
> > > I am using IIS 5 to run a test server. (I use it to test my aspx
> > > pages before uploading them to my real server, which outsiders
> > > can see. The server that it is on has access to the internet, but
> > > I have never set the IIS server to allow outsiders to view the
> > > website.
> > >
> > > Is there any way outsiders can access the website/server? I
> > > would prefer they not be able to. As I understand it, I would
> > > have to register my domain before IIS hacker vulnerabilities
> > > become an issue. Or does the fact that my computer has
> > > internet access make it possible for people/viruses to access
> > > the server somehow?
> > >
> > > Thanks for any enlightenment. I'm new at this. Also, any
> > > articles you can point me towards for further research would be
> > > appreciated.
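The reachability reasoning that runs through this thread (192.168.x.y is unroutable from the Internet, a closed firewall drops everything inbound, a forwarding rule exposes one port, the ISP may still filter it, and IIS bound only to loopback answers nobody on the LAN) can be traced hop by hop. The following is an added Python model written for this page, not code from the thread or from Microsoft; every address in it is constructed, with 64.2.0.1 standing in for the 64.2.?.? WAN address and 192.168.1.5 for the test server. The `Verdict.stopped_at` field names the hop that dropped the request, which is the thing a defender actually wants to know.

```python
"""Model of the path a request takes in the thread's network:

    Internet <--> ISP <--> Router/firewall (WAN IP) <--> LAN hosts (192.168.x.y)

Each hop may drop the request, which is the point made in the thread: anything
along the connection can filter traffic. All addresses here are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Server:
    lan_ip: str             # address of the NIC on the LAN
    listen_ips: frozenset   # addresses IIS is bound to; "0.0.0.0" = every interface
    ports: frozenset        # TCP ports a site is configured on


@dataclass
class Router:
    wan_ip: str             # routable address from the ISP (64.2.?.? in the thread)
    forwards: dict = field(default_factory=dict)  # wan_port -> (lan_ip, lan_port); empty = nothing open


@dataclass
class Isp:
    blocked_inbound_ports: frozenset = frozenset()  # ports the ISP drops toward the subscriber


@dataclass(frozen=True)
class Verdict:
    reachable: bool
    stopped_at: str   # "client", "isp", "firewall", "server" or "ok"
    detail: str


def server_accepts(server: Server, ip: str, port: int) -> Verdict:
    """Last hop: the packet is on the server's NIC; does IIS answer on that IP/port?"""
    if port not in server.ports:
        return Verdict(False, "server", f"nothing configured on port {port}")
    if "0.0.0.0" not in server.listen_ips and ip not in server.listen_ips:
        return Verdict(False, "server", f"IIS is not bound to {ip} (restricted binding)")
    return Verdict(True, "ok", f"request delivered to {ip}:{port}")


def can_reach(client_location: str, dst_ip: str, dst_port: int,
              server: Server, router: Router, isp: Isp) -> Verdict:
    """Trace a TCP connection attempt from 'lan' or 'internet' to dst_ip:dst_port."""
    if client_location == "lan":
        # A LAN client addresses the server's LAN IP directly. Reaching it through
        # the WAN IP from inside (hairpin NAT) is router-specific and not modelled.
        if dst_ip != server.lan_ip:
            return Verdict(False, "client", f"{dst_ip} is not the server's LAN address")
        return server_accepts(server, dst_ip, dst_port)

    # Client somewhere on the Internet.
    if not ipaddress.ip_address(dst_ip).is_global:
        # RFC 1918 space: no intervening router forwards it, whatever the firewall does.
        return Verdict(False, "client", f"{dst_ip} is not routable on the Internet")
    if dst_ip != router.wan_ip:
        return Verdict(False, "client", f"{dst_ip} is not this network's WAN address")
    if dst_port in isp.blocked_inbound_ports:
        return Verdict(False, "isp", f"ISP drops inbound port {dst_port} before the router sees it")
    if dst_port not in router.forwards:
        return Verdict(False, "firewall", f"no forwarding rule for port {dst_port}; firewall drops it")
    lan_ip, lan_port = router.forwards[dst_port]
    return server_accepts(server, lan_ip, lan_port)


# Constructed sample topology (not the poster's real addresses).
SERVER_ALL_IFACES = Server("192.168.1.5", frozenset({"0.0.0.0"}), frozenset({80}))
SERVER_LOOPBACK = Server("192.168.1.5", frozenset({"127.0.0.1"}), frozenset({80}))
ROUTER_CLOSED = Router("64.2.0.1")
ROUTER_FWD_80 = Router("64.2.0.1", {80: ("192.168.1.5", 80)})
ROUTER_FWD_8080 = Router("64.2.0.1", {8080: ("192.168.1.5", 80)})
ISP_OPEN = Isp()
ISP_BLOCKS_80 = Isp(frozenset({80}))

if __name__ == "__main__":
    cases = [
        ("internet", "192.168.1.5", 80, SERVER_ALL_IFACES, ROUTER_CLOSED, ISP_OPEN),
        ("internet", "64.2.0.1", 80, SERVER_ALL_IFACES, ROUTER_CLOSED, ISP_OPEN),
        ("lan", "192.168.1.5", 80, SERVER_ALL_IFACES, ROUTER_CLOSED, ISP_OPEN),
        ("internet", "64.2.0.1", 80, SERVER_ALL_IFACES, ROUTER_FWD_80, ISP_OPEN),
        ("internet", "64.2.0.1", 80, SERVER_ALL_IFACES, ROUTER_FWD_80, ISP_BLOCKS_80),
        ("internet", "64.2.0.1", 8080, SERVER_ALL_IFACES, ROUTER_FWD_8080, ISP_BLOCKS_80),
        ("lan", "192.168.1.5", 80, SERVER_LOOPBACK, ROUTER_CLOSED, ISP_OPEN),
    ]
    for case in cases:
        v = can_reach(*case)
        status = "OK" if v.reachable else "NO"
        print(f"{case[0]:8} -> {case[1]}:{case[2]:<5} {status} [{v.stopped_at}] {v.detail}")
```

The seven cases in `__main__` reproduce the thread's scenarios in order: the unroutable address, the closed firewall, LAN access, the port-80 forward, the same forward with the ISP filtering port 80, a forward on a non-filtered port, and the loopback-only binding that David recommends for a pure test box. The last case is the one worth internalising: with IIS bound to loopback, even a later mistaken forwarding rule delivers nothing.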