Re: Security of IIS - Secure Intranet web site on SBS2003 box



Whoops, sorry, 100 months.

Not even I can get web hosting _that_ cheap.

"SuperGumby [SBS MVP]" <not@xxxxxxxxxxx> wrote in message
news:uUGB9VWgFHA.2916@xxxxxxxxxxxxxxxxxxxxxxx
> we've run OWA over HTTPS for a good many years, and not been bitten, but
> does that mean we won't?
>
> Though arguments over the impact of webserver traffic on your office
> connection are valid it's not the main justification for outhousing. COST
> IS.
>
> How much does it COST you to ensure that not only 'patch Tuesday' patches
> are applied to your server but also those ones which come out at random?
> When you patch, you have a choice, either wait for everybody to go home
> and do it outside hours or ask everyone to shutdown during business hours.
> Is the cost of either alternative on par with outsourcing?
>
> A _reasonable_ guesstimate suggests a client of mine could pay for
> web hosting for 100 years @ $15/yr rather than pay me a similar amount to
> take two days to rebuild their server and return everything to normal. If
> their server was compromised I WILL NOT promise to return all facilities
> in two days.
>
> Before 'Code Red', IIS was considered reasonably secure. The only way to
> recover fully from a Code Red violation was to flatten _every_ PC on the
> network; the possibility existed for not only the Code Red infestation but
> just about any trojan to walk through your network (once one was coded).
> The consensus of opinion in security circles was 'format C:, no, actually,
> a format may not be good enough, take the HDDs out of every system and
> throw them in the bin, the _possibility_ exists that not one can be
> trusted and the effort involved in moving items from 'untrusted' to
> 'sorta trusted' outweighs the benefits'.
>
> Code Red was avoidable by a patch released several months before the
> exploit 'went wild'; I gave up paying attention to systems trying to get
> into mine about three years later.
>
> "SBS2003 Upgrader" <rogerdav@xxxxxxxxxxxxxxxxxx> wrote in message
> news:%23vlXKuUgFHA.1416@xxxxxxxxxxxxxxxxxxxxxxx
>>
>> The user group continues to provide useful advice and the benefits of
>> others' experiences. Thanks to all who contribute. I have a general
>> policy-type question to raise in the light of "improved security" in the
>> 2003 software.
>>
>> The more experienced SBS users [ I include herein both the Gurus and
>> Divas - but not sure about the dog ? ] have usually advised against
>> running a public access web server on an SBS box. Traffic volume and IIS
>> security issues seem to be the reasons. "Run the public access web site
>> at the ISP" is probably still very good general advice.
>>
>> However, if one is only looking at INTRANET-sized traffic for 9 staff
>> and 6 directors we can rule out the traffic problem. One is surely left
>> only with concerns about IIS-related security. If one ever implements
>> RPC over HTTP via SSL for OUTLOOK-EXCHANGE links to users operating in
>> the field, then one is now running IIS anyway on the SBS2003 server,
>> albeit only via SSL. The same would apply to providing OWA. Under these
>> conditions, is a restricted-access web server also now safe to run? The
>> restricted-access web site needs to house commercial-in-confidence
>> documents. Providing the RPC over HTTP via SSL for Exchange's benefit and
>> enabling IIS to suit must not place any other server-based files at risk.
>>
>> Using only the SSL certificate supplied with SBS2003, and given all the
>> work MS has done in the last 2 years to tighten up security in IIS, do
>> you all believe it is now safe to run a restricted-access web "site" on
>> the SBS2003?
>>
>> SBS2003 upgrade from SBS2000 is planned for next week.
>>
>
>




