Re: WWW on SBS2k3


From: Tony Su (anonymous_at_discussions.microsoft.com)
Date: 07/27/04


Date: Tue, 27 Jul 2004 07:32:41 -0700

The answer should be the usual answer..."It depends."

It Depends
- Whether you intend to be diligent maintaining your
Server
- Whether your website is built on a "less secure"
technology (lots of room for opinions there)
- Whether your Webmasters who write code understand
exploit concepts and what to avoid
- If you're storing sensitive data which can't be exposed
- Mal is not entirely correct, any Server application
which is already part of a new Server installation can run
on that box, and IIS is part of all Windows servers. So,
if you wish to forward to a Member or Standalone server
for Web Hosting, you drastically decrease your attack
surface on SBServer itself.

There is probably no absolute piece required to safely
host a Public Website (including whether ISA is an
essential piece or not) and safety/security is a sliding
scale of subjective and cost evaluation. A safe and proper
solution might take many forms.

But, until someone posts a comprehensive "How-to"
describing the special issues surrounding SBS or you feel
very confident in your own abilities, I recommend you
tread carefully and gather all the information you can.

Personally, I believe that complete avoidance of deploying
Public Website(s) ignores its special pros and cons... the
drawbacks have been described by others... here are some
positives...

- Architecture supporting WAN clients focuses point of
failure on a single application/access, IIS.
- Far superior to permitting VPNs with their many points
of failure and mixing of Internet and LAN security zones.
- Not a new technology, has long history of hardening
although I would prefer to see the ability to better
turn on and off and specifically apply functionality to
specific access (right now, except for memory pooling
practically everything is turned on and off for and to
everything)
- The world is moving towards operating over port 80 (and
443 optionally) instead of multiple ports unless
performance and QoS protocol issues are involved for
greater remote user support.

In other words, if a website solution is available, more
than likely it's <safer> overall than the alternative and
you might get a performance benefit as well.

In fact, this is where I believe the future of SBS must
go... :)

ie. Companyweb, OWA, and similar web-based technologies...
Even approaches like RWW which might use a Web-based
gateway to a non-HTML solution.

Tony Su

>-----Original Message-----
>don't run exchange on a webserver
>don't run exchange on your firewall
>don't run your only DC as a webserver, firewall, fileserver and exchange
>
>BUT WHY?
>
>OK, port 80. The most interesting port on the planet. No spectacular exploit
>is running around today but is that going to be the case tomorrow? If a
>blackhat can ping you he's probably going to look at port 80.
>
>Is the cost of maintaining it yourself more or less than a webhosting
>agreement? I'm thinking here of webhosting costs over a few years vs the
>cost of ONE 'server down, server dirty' incident.
>
>Is your SBS connected to a 100Mbps backbone? If not, web traffic making
>requests of your SBS hosted WWW is going to impact performance for all users
>behind the SBS.
>
>Running the webserver in a DMZ behind a suitable firewall device is a good
>idea but you still have to maintain it.
>
>"Mal Osborne" <malcolmo@silverfern.com.au> wrote in message
>news:eRmXPp6cEHA.644@tk2msftngp13.phx.gbl...
>> SBS forces you to install all components on a single box. Best practice
>> security wise is:
>>
>> Do not run a public web server on a DC.
>> Do not run ISA on a DC.
>> Do not run ISA on a public web server.
>> Do not store confidential files on a web server.
>>
>> Running SBS as a public web server forces you not to comply with any of this
>> best practice, & so involves some compromise. If your web server is
>> hacked, your whole site is. Your idea of running a separate Web server in
>> a DMZ is probably the best way to go here. If the web server IS
>> compromised, chances are that only it will be, not your entire internal
>> network
>>
>> Mal Osborne
>> MCSE MVP Mensa
>>
>>
>> "Malcolm Cheyne" <malcolm@XXXXsbca.com.au> wrote in message
>> news:%23BYIx15cEHA.3016@tk2msftngp13.phx.gbl...
>> >I have to turn to the gurus for some advice...... "Better
>> > to learn from those that have trodden the ground than blaze
>> > a trail through the minefield".
>> >
>> > Having read numerous posts about NOT hosting your web site/s
>> > on the SBS server I am still curious as to why it should not
>> > be done. Yes, I know, vulnerability and all that sort of
>> > thing. I thought that was what firewalls and really rugged
>> > software was all about - (try to) keep the hackers out.
>> > Are we saying SBS can't hack the pace in this respect? I
>> > know hosting externally is one option but we may have
>> > multiple web sites. OK, maybe only two or three :-).
>> >
>> > I have SBS2k3 STD with a two NIC setup. A router/switch is
>> > connected to the ADSL (512/128) modem. Internally I have
>> > another switch with Belkin 54g wireless networking and
>> > cables to a couple of printers and my workstation. We have
>> > our domain name registered, MX record with dynDNS, and all
>> > aspects of SBS now functioning correctly. e.g. I can log in
>> > remotely and check the server and workstations; and use OWA.
>> > Thanks to a lot of people in this NG who helped me along the
>> > way.
>> >
>> > Do we have a link to "How to setup your www on SBS2k3"?
>> > (No results from Google)
>> >
>> > If I have a lot of negative response to doing this I was
>> > thinking of setting up a second computer as follows:
>> >
>> > Connect our spare computer (P3/512MB XP Pro) to one of the
>> > ports on the router/switch. Install Apache Web Server
>> > (something else to learn :-) ) and setup our web pages on
>> > that.
>> >
>> > Any comments would be appreciated.....
>> >
>> > Malcolm
>> >
>> >
>> >
>> >
>>
>>
>
>
>.
>


