Re: Security of IIS - Secure Intranet web site on SBS2003 box



The reference to Code Red was only an example of an exploit, I was not
trying to be specific to any version of anything. As well as the effect on
IIS there was a known payload which could be used to introduce further
items. IIS6 has never been susceptible to this particular exploit.

Many security people take the stance 'the system has been compromised, trust
nothing about it'.

re: HTTP vs HTTPS and/or RPC over HTTPS

If you open HTTP your whole site must be immune to attack, because the whole
site can be accessed. The other methods require authentication before
further facilities are available. It is less complex to ensure the
authentication mechanism is problem free than ensure all components of a
site are. Of course, if you use simple user/pass combinations it is possible
for someone to authenticate and _then_ run wild.

"Roger Davis" <rogerdav@xxxxxxxxxxxxxxxxxx> wrote in message
news:ONniTvZgFHA.2840@xxxxxxxxxxxxxxxxxxxxxxx
> Yes I should have included keeping up to date with patches in the list.
> Thanks for pointing that out.
>
> I guess a lot of those patches would be required anyway to ensure the
> HTTPS stays secure.
> And my test bed SBS2003 seems to run automatic updates without too much
> bother.
>
> Does your reference to Code Red include the latest IIS (6?) as supplied
> with SBS2003?
> Because if IIS via HTTPS only is still not considered secure then surely
> the same restriction must be applied to running Outlook via RPC over HTTPS.
> That is the point of my thesis. I would rather stick to plain old
> internet mail rather than upgrade into a mode where all the "credit card
> details" can be stolen or worse modified/deleted messed with.
>
> See what others think.
> Roger
>
> "SuperGumby [SBS MVP]" <not@xxxxxxxxxxx> wrote in message
> news:uUGB9VWgFHA.2916@xxxxxxxxxxxxxxxxxxxxxxx
>> we've run OWA over HTTPS for a good many years, and not been bitten, but
>> does that mean we won't?
>>
>> Though arguments over the impact of webserver traffic on your office
>> connection are valid it's not the main justification for outhousing. COST
>> IS.
>>
>> How much does it COST you to ensure that not only 'patch Tuesday' patches
>> are applied to your server but also those ones which come out at random?
>> When you patch, you have a choice, either wait for everybody to go home
>> and do it outside hours or ask everyone to shutdown during business hours.
>> Is the cost of either alternative on par with outsourcing?
>>
>> A _reasonable_ guestimate suggests a client of mine could pay for
>> webhosting for 100 years @ $15/yr rather than pay me a similar amount to
>> take two days to rebuild their server and return everything to normal. If
>> their server was compromised I WILL NOT promise to return all facilities
>> in two days.
>>
>> Before 'Code Red' IIS was considered reasonably secure. The only way to
>> recover fully from a Code Red violation was to flatten _every_ PC on the
>> network, the possibility existed for not only the Code Red infestation
>> but just about any trojan to walk through your network (once one was
>> coded). The consensus of opinion in security circles was 'format C:, no,
>> actually, a format may not be good enough, take the HDDs out of every
>> system and throw them in the bin, the _possibility_ exists that not one
>> can be trusted and the effort involved in moving items from 'untrusted'
>> to 'sortta trusted' outweighs the benefits'.
>>
>> Code Red was avoidable by a patch released several months before the
>> exploit 'went wild', I gave up paying attention to systems trying to get
>> into mine about three years later.
>>
>> "SBS2003 Upgrader" <rogerdav@xxxxxxxxxxxxxxxxxx> wrote in message
>> news:%23vlXKuUgFHA.1416@xxxxxxxxxxxxxxxxxxxxxxx
>> >
>> > The user group continues to provide useful advice and the benefits of
>> > others' experiences. Thanks to all who contribute. I have a general
>> > policy type of question to raise in the light of "improved security" in
>> > the 2003 software.
>> >
>> > The more experienced SBS users [I include herein both the Gurus and
>> > Divas - but not sure about the dog?] have usually advised against
>> > running a public access web server on SBS box. Traffic volume and IIS
>> > security issues seem to be the reasons. "Run the public access web site
>> > at the ISP" is probably still very good general advice.
>> >
>> > However, if one is only looking at INTRANET sized traffic for 9 staff
>> > and 6 directors we can rule out the traffic problem. One is surely left
>> > only with concerns about IIS related security. If one ever implements
>> > RPC over HTTP via SSL for OUTLOOK-EXCHANGE links to users operating in
>> > the field then one is now running IIS anyway on the SBS2003 server
>> > albeit only via SSL. Same would apply to providing OWA. Under these
>> > conditions, is a restricted access web server also now safe to run? The
>> > restricted access web site needs to house commercial in confidence
>> > documents. Providing the RPC over HTTP via SSL for exchange benefit and
>> > enabling IIS to suit must not place any other server based files at
>> > risk.
>> >
>> > Using only the SSL certificate supplied with SBS2003, and given all the
>> > work MS has done in the last 2 years to tighten up security in IIS, do
>> > you all believe it is now safe to run a restricted access web "site" on
>> > the SBS2003?
>> >
>> > SBS2003 Upgrade from SBS2000 is planned for next week.
>>
>