Re: webdav on SBS2003
From: Tony Su (anonymous_at_discussions.microsoft.com)
Date: 03/28/04
- In reply to: MCTrainer: "Re: webdav on SBS2003"
Date: Sun, 28 Mar 2004 10:51:18 -0800
With Security and the value of a DMZ, it's all a matter of
perspective.
Traditional FW architecture describes a DMZ, and in many
situations it is still preferable.
But, for most people ISA publishing can be a good
substitute and although you may lessen the barrier between
your perimeter resources and your LAN, it doesn't mean
compromise.
DMZ - Clearly defined barriers between Internet and DMZ,
DMZ and LAN. By clearly defining the barriers, very
specific rules are implemented to permit traffic between
each zone. Compromise in one zone can generally be
restricted to that zone because the barriers communicating
with another zone are so high.
Web Publishing - Clearly defined barrier between a
perimeter resource and the Internet. Benefit compared to
DMZ is that the entire server isn't exposed in the zone,
only very specific slices of functionality. Because the
perimeter resource might be located in a LAN (although can
also be in a DMZ), you depend on Windows Security to
control access. The disadvantage is that if the machine is
compromised, potentially it could infect your LAN. The
advantage is that when the machine is in your LAN, then
it's simple to configure LAN permissions to access the
resources (like any other LAN server).
It all depends on how much faith you have in the power of
ISA and Windows... taking into account the chances of
compromise due to mistakes even if you believe the
technology is sound.
Personally, unless I needed DoD type security, normal ISA
Publishing is plenty fine and I feel a conventional DMZ
isn't that necessary.
But, I am willing to put my faith in Microsoft security...
IMO ISA is far stronger than your typical firewall facing
the Internet, and I appreciate the fewer issues configuring
User access to resources.
And, unlike others I see <no reason> not to publish
websites on SBServer. I recommend an el cheapo FW
appliance in front, but <no one> has shown me yet how an
SBServer running ISA and public websites can be
compromised... although I will say that the margin of
error is considerably smaller than physical defense in
depth.
:)
Tony Su
>-----Original Message-----
>I think you missed his question;
>
>He is ADDING a web server to his network. He is not asking how to make the
>SBS Server a Web Server which as you know should not be done.
>
>He already has a DMZ between his router and his SBS server and that is where
>Microsoft recommends placing a web server in all of their Security white
>papers and security curriculums.
>
>"Tony Su" <anonymous@discussions.microsoft.com> wrote in message
>news:14f2601c414c9$dbbc0190$a101280a@phx.gbl...
>> Do not recommend what MCTrainer has suggested.
>>
>> You can configure your SBServer ISA to Web Publish or
>> Server Publish specified resources instead of configuring
>> a conventional DMZ.
>>
>> As for WebDAV, <do not> configure it through the Control
>> Panel as MCTrainer has described... that's a bad mistake
>> (personal experience). Enable using the Server Management
>> tool for your Win2K3 Server which looks completely
>> different from the Server Management tool for SBS.
>>
>> Good sources for instructions:
>> Featurepack1 docs are very good.
>> Articles on isaserver.org are good.
>> I also recommend my Web Publishing Companyweb as a
>> comprehensive description of not only Web Publishing but
>> also configuring a number of supporting apps to give
>> yourself best flexibility and security
>> www.su-networking.com/faq/
>> (click on first link)
>>
>> Tony Su
>>
>>
>>
>> >-----Original Message-----
>> >If you are running a DSL, Cisco Pix or other NAT router outside of your
>> >2-NIC SBS Server, you have <in effect> a perimeter network or DMZ - your
>> >medium security network where your web server should go. Place your web
>> >server inside the NAT router and outside of the SBS Server. This server
>> >should be a stand-alone server - not a member of your domain.
>> >
>> >When your internal clients access this server, they will access it like
>> >other internet clients using the public DNS address of your network, rather
>> >than an internal address.
>> >
>> >WebDav can be enabled in the Web Service Extensions node of IIS on any
>> >Windows 2000 or 2003 server, or even the SBS Server if you wish.
>> >
>> >"duncan sutherland" <anonymous@discussions.microsoft.com> wrote in message
>> >news:149a001c4147d$8f8174f0$a401280a@phx.gbl...
>> >> I want to add a second server to my SBS2003 network to
>> >> function as a web server. What are the best practices for
>> >> configuring same, given that I am using ISA? Can the
>> >> server be configured to use Webdav and, if so, how?
>> >> Thanks!
>> >
>> >
>> >.
>> >
>
>
>.
>