Re: Security of IIS - Secure Intranet web site on SBS2003 box
- From: "Roger Davis" <rogerdav@xxxxxxxxxxxxxxxxxx>
- Date: Wed, 6 Jul 2005 05:57:47 +1000
Yes, I should have included keeping up to date with patches in the list.
Thanks for pointing that out.
I guess a lot of those patches would be required anyway to ensure the HTTPS
stays secure.
And my test bed SBS2003 seems to run automatic updates without too much
bother.
Does your reference to Code Red include the latest IIS (6?) as supplied
with SBS2003?
Because if IIS via HTTPS only is still not considered secure, then surely the
same restriction must be applied to running Outlook via RPC over HTTPS.
That is the point of my thesis. I would rather stick to plain old internet
mail than upgrade into a mode where all the "credit card details" can
be stolen or, worse, modified, deleted or otherwise messed with.
See what others think.
Roger
"SuperGumby [SBS MVP]" <not@xxxxxxxxxxx> wrote in message
news:uUGB9VWgFHA.2916@xxxxxxxxxxxxxxxxxxxxxxx
> We've run OWA over HTTPS for a good many years, and not been bitten, but
> does that mean we won't?
>
> Though arguments over the impact of webserver traffic on your office
> connection are valid, it's not the main justification for outhousing. COST
> IS.
>
> How much does it COST you to ensure that not only 'patch Tuesday' patches
> are applied to your server but also those ones which come out at random?
> When you patch, you have a choice: either wait for everybody to go home and
> do it outside hours, or ask everyone to shut down during business hours. Is
> the cost of either alternative on par with outsourcing?
>
> A _reasonable_ guesstimate suggests a client of mine could pay for webhosting
> for 100 years @ $15/yr rather than pay me a similar amount to take two days
> to rebuild their server and return everything to normal. If their server was
> compromised I WILL NOT promise to return all facilities in two days.
>
> Before 'Code Red' IIS was considered reasonably secure. The only way to
> recover fully from a Code Red violation was to flatten _every_ PC on the
> network; the possibility existed for not only the Code Red infestation but
> just about any trojan to walk through your network (once one was coded). The
> consensus of opinion in security circles was 'format C:, no, actually, a
> format may not be good enough, take the HDDs out of every system and throw
> them in the bin, the _possibility_ exists that not one can be trusted and
> the effort involved in moving items from 'untrusted' to 'sorta trusted'
> outweighs the benefits'.
>
> Code Red was avoidable by a patch released several months before the exploit
> 'went wild'; I gave up paying attention to systems trying to get into mine
> about three years later.
>
> "SBS2003 Upgrader" <rogerdav@xxxxxxxxxxxxxxxxxx> wrote in message
> news:%23vlXKuUgFHA.1416@xxxxxxxxxxxxxxxxxxxxxxx
> >
> > The user group continues to provide useful advice and the benefits of
> > others' experiences. Thanks to all who contribute. I have a general policy type
> > of question to raise in the light of "improved security" in the 2003
> > software.
> >
> > The more experienced SBS users [I include herein both the Gurus and
> > Divas - but not sure about the dog?] have usually advised against running
> > a public access web server on an SBS box. Traffic volume and IIS security
> > issues seem to be the reasons. "Run the public access web site at the ISP"
> > is probably still very good general advice.
> >
> > However, if one is only looking at INTRANET sized traffic for 9 staff
> > and 6 directors we can rule out the traffic problem. One is surely left
> > only with concerns about IIS related security. If one ever implements RPC
> > over HTTP via SSL for OUTLOOK-EXCHANGE links to users operating in the field,
> > then one is now running IIS anyway on the SBS2003 server, albeit only via
> > SSL. The same would apply to providing OWA. Under these conditions, is a
> > restricted access web server also now safe to run? The restricted access
> > web site needs to house commercial-in-confidence documents. Providing the
> > RPC over HTTP via SSL for Exchange benefit and enabling IIS to suit must
> > not place any other server based files at risk.
> >
> > Using only the SSL certificate supplied with SBS2003, and given all the work
> > MS has done in the last 2 years to tighten up security in IIS, do you all
> > believe it is now safe to run a restricted access web "site" on the SBS2003?
> >
> > SBS2003 Upgrade from SBS2000 is planned for next week.
> >
Follow-Ups:
- Re: Security of IIS - Secure Intranet web site on SBS2003 box - From: SuperGumby [SBS MVP]
References:
- Security of IIS - Secure Intranet web site on SBS2003 box - From: SBS2003 Upgrader
- Re: Security of IIS - Secure Intranet web site on SBS2003 box - From: SuperGumby [SBS MVP]