Re: Basic Question (dumb) regarding security
- From: "Eugene Tan" <TechHelp-at.insights.com.sg@xxxxxxxxxxxxxxxxx>
- Date: Wed, 16 Aug 2006 08:46:45 +0800
I have to respectfully disagree. I know there are others here who
see my point of view. IMO, this debate is still ongoing and essentially
is a matter of strategy and tactics.
It is not OK to host a public website on your SBS, but it is OK to host
a public website on a member server, and since you need to get data
from the SBS, it should be a member of the domain. You'll need to
set up the network and the webserver properly so that only appropriate
access is given for the services required.
It would be less secure or meaningful to open more holes in ISA so
that SBS services (SQL etc) could communicate with the webserver
outside the SBS LAN.
It would instead be better to configure port 80 (and/or SSL) access to
the webserver and not allow anything else from the webserver through
ISA. Within the LAN, permit specific access from the webserver
(such as SQL queries and updates as a user account) and nothing else, if
that's all that's needed.
With SBS2k3PE's wizards for ISA, it's not a particularly difficult thing
to do. Since ISA is an application server, it'll filter and allow only
appropriate traffic through - not just anything on port80. Unless
your web application could be hijacked so that the website itself
becomes a backdoor/trojan; I'm not sure that can be done if the
servers are properly configured in the first place. And the SBS
wizards help to do this.
If there's valuable data on the database, it would be a mistake to
put it on a webserver that was unprotected. If your webserver is
protected (by another ISA or equivalent), how is this safer or less
secure if you put the webserver behind the same ISA that protects
SBS? Wouldn't opening more holes in the 2nd firewall (SBS-ISA)
be a bigger compromise?
There's a doc which illustrates how having 2 or more firewalls doesn't
stop a penetration. What would stop a hacker are properly set up,
configured and secured servers. No point securing your door and
then leaving the key accessible. Or creating a door but, because it
needs to be opened so often, it ends up being unlocked or things
are done outside that door.
OK, took me a while but managed to find this article:
http://www.microsoft.com/technet/technetmag/issues/2005/01/AnatomyofaHack/default.aspx
Eugene Tan
==============================
"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ugXywxHwGHA.4444@xxxxxxxxxxxxxxxxxxxxxxx
> In news:eLG8HpHwGHA.4868@xxxxxxxxxxxxxxxxxxxx,
> Jon <jon_olson@xxxxxxx> typed:
>> We have SBS 2003 Premium Edition running as DC with SQL 7.0 running
>> as well (along with Exchange, IIS, etc.).
>> We are behind a hardware firewall (Cisco ISR).
>> We also have a web server in the rack that is not in the domain but is
>> associated with the domain as a workgroup computer.
>> We are beginning to create a few web applications that draw data
>> from SQL running on the SBS server. With the web server not in the
>> domain, authentication is seemingly very difficult. (Can't get it to
>> work (IWA or SQL) by myself or with help from these newsgroups.)
>> Is it a mistake to put the web server inside the main company domain?
>
> Yes, absolutely.
>
>> Why? I think the authentication issues would go away
>
> They would.
>
>> but what am I
>> doing in the way of exposing the company system to hackers?
>
> You'd be doing a lot! Don't.
>
>> I have
>> read tons of materials on "best practices" which all seem to point to
>> very large systems. We have 3 servers. One for the IP phone system
>> and one running SBS and one running our Web stuff. Perhaps we should
>> put SQL on the Web Server..
>
> What is the webserver used for, and who needs access to it, and for what?
>
>> I just don't know...
>> duh...
>> jon
>
> Frankly, I wouldn't want the public webserver on the LAN at all. If you
> must have a public webserver in house, it should be in a DMZ.
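The policy Eugene describes (only port 80/443 published to the webserver, only SQL from the webserver to the SBS, and nothing else from the webserver in either direction) is easiest to reason about as an ordered, first-match, default-deny rule set. The following is an added example written for this page, not code from either poster and not ISA Server's own rule format: it models that rule set in Python and evaluates a few constructed flows against it. The addresses, the network range and the rule names are assumptions chosen for illustration.

```python
"""Model of the segmented-network policy discussed in the thread.

Added example; not from the original posts and not ISA Server's rule syntax.
Addresses and rule names below are constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing: one LAN behind the ISA firewall, with the SBS box
# (DC, Exchange, SQL) and a separate member server that publishes the web app.
LAN = ip_network("192.168.16.0/24")
SBS = ip_network("192.168.16.2/32")
WEBSERVER = ip_network("192.168.16.10/32")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "deny"
    src: object          # ip_network the source must fall in
    dst: object          # ip_network the destination must fall in
    dports: frozenset    # TCP destination ports; empty set means any port

    def matches(self, src, dst, dport):
        return (ip_address(src) in self.src
                and ip_address(dst) in self.dst
                and (not self.dports or dport in self.dports))


# First match wins. Ordering matters: the explicit deny for the webserver has
# to sit above the broad "LAN clients -> SBS" allow, otherwise the webserver,
# being on the LAN, would inherit full access to the SBS.
POLICY = [
    Rule("publish web app (HTTP/HTTPS only)", "allow", ANY, WEBSERVER, frozenset({80, 443})),
    Rule("web app -> SQL on SBS, nothing else", "allow", WEBSERVER, SBS, frozenset({1433})),
    Rule("webserver may not talk to anything else", "deny", WEBSERVER, ANY, frozenset()),
    Rule("LAN clients -> SBS services", "allow", LAN, SBS, frozenset()),
]


def evaluate(src, dst, dport):
    """Return (action, rule name) for a TCP flow; unmatched flows are denied."""
    for rule in POLICY:
        if rule.matches(src, dst, dport):
            return rule.action, rule.name
    return "deny", "default deny"


def audit(flows):
    """Evaluate a list of (src, dst, dport) tuples and return the decisions."""
    return [(src, dst, dport, *evaluate(src, dst, dport)) for src, dst, dport in flows]


if __name__ == "__main__":
    # Constructed sample flows: an Internet client, the webserver and a LAN PC.
    sample = [
        ("203.0.113.5", "192.168.16.10", 443),   # public HTTPS to the web app
        ("203.0.113.5", "192.168.16.2", 1433),   # Internet straight to SQL on SBS
        ("192.168.16.10", "192.168.16.2", 1433), # web app querying SQL
        ("192.168.16.10", "192.168.16.2", 445),  # web app reaching for SMB on the DC
        ("192.168.16.10", "203.0.113.5", 80),    # webserver initiating outbound
        ("192.168.16.50", "192.168.16.2", 445),  # ordinary LAN client to the DC
    ]
    for src, dst, dport, action, name in audit(sample):
        print(f"{src:>15} -> {dst}:{dport:<5} {action:5} ({name})")
```

Running the block prints one decision per flow. The two lines worth comparing are the webserver reaching the SBS on 1433 (allowed by the narrow SQL rule) and on 445 (stopped by the explicit deny before the LAN-wide allow can match); swap the order of those two rules and the web host silently gains the same access as any LAN workstation, which is the "more holes in the second firewall" situation the post warns about.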
- References:
- Basic Question (dumb) regarding security
- From: Jon
- Re: Basic Question (dumb) regarding security
- From: Lanwench [MVP - Exchange]
- Basic Question (dumb) regarding security