Re: Default Web Configuration/Status
- From: gbchriste <gbchriste@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 21 Mar 2007 11:00:23 -0700
Thanks for the input. I am familiar with all the ways my authorized users
can access these resources externally.

https://intranet.mydomain.org/remote takes them to RWW
https://intranet.mydomain.org:444 drops them directly on the CompanyWeb SharePoint site
https://intranet.mydomain.org/exchange drops them directly on to OWA

My concern was more about how to handle the casual non-authorized user who
stumbles across http://intranet.mydomain.org.
I don't want some busy beaver with too much time on his hands to be sitting
there looking at those links that say "Connect My Computer To The Network"
and decide he'll keep giving that a try until he succeeds. Same with Company
Email.

Here's what I did. I removed Anonymous from the Default Web root directory.
Left everything else as is. External browsers trying to hit
http://intranet.mydomain.org now get a Windows logon prompt.
Browsers visiting https://intranet.mydomain.org:444 also get a Windows logon
prompt and then are placed into the CompanyWeb SharePoint site.
Browsers visiting any of the other resources like OWA, RWW, etc, get the
web-based login page for that resource.
"SBS2K3 Admin" wrote:
SEE MY COMMENTS INSERTED BELOW IN CAPS..
"gbchriste" <gbchriste@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E1B1A927-080E-403B-8E79-FE568D902051@xxxxxxxxxxxxxxxx
The conventional wisdom is that SBS should not host the organization's
public web site.
In our case, www.mydomainname.org points to a publicly hosted web site at
an external host. intranet.mydomainname.org points to my SBS host and MX
record.
THIS IS CORRECT AND THE WAY YOU SHOULD HAVE YOUR EXTERNAL COMPANY PUBLIC
WEBSITE SETUP.
If so, what should the operational status and configuration of the Default
Web Site be? If I browse to the default web site via
intranet.mydomainname.org from outside the LAN, I get the SBS Welcome screen
with the links for My Company's Internal Web Site, Network Configuration
Wizard, Remote Web Workplace, and Information and Answers.
WHAT YOU ARE SEEING IS THE SBS COMPANYWEB THAT SHOULD BE ACCESSIBLE
INTERNALLY BY HTTP://COMPANYWEB AND YOU SHOULD HAVE BOTH ANONYMOUS AND
INTEGRATED WINDOWS AUTHENTICATION ENABLED. NO NEED FOR YOUR EMPLOYEES TO
HAVE TO BE AUTHENTICATED FROM ACCESSING INTERNALLY.
Seems to me those are things I don't want the public to see. I don't give
the intranet.mydomainname.org URL out to anyone outside the organization but
someone could still find that server via IP address.
FOR THE COMPANYWEB TO ALLOW ACCESS EXTERNALLY YOU SHOULD NOT ENABLE
ANONYMOUS AND ENABLE INTEGRATED WINDOWS AUTHENTICATION. THIS SHOULD BE
ACCESSIBLE EXTERNALLY FROM HTTPS://FQDN OR EXTERNAL IPADDRESS:444
But don't I have to have the Default Web up and operating for my
organization users? The main item of interest is RWW. I can point them to
http://intranet.mydomainname.org/remote to get there but they are still
coming in to the default web on port 80.
FOR REMOTE THEY SHOULD BE GETTING THERE EXTERNALLY FROM HTTPS://FQDN OR
EXTERNAL IPADDRESS/REMOTE AND FOR OWA THEY SHOULD BE GETTING THERE BY
HTTPS://FQDN OR EXTERNAL IPADDRESS/EXCHANGE
Do I need to edit the default welcome page to remove all those links and
just put a message that directs people to www.mydomainname.org at our
external web host? Any other suggestions for reducing or eliminating this
attack surface?
Thanks,
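
A way to confirm the result described in this post (no credentials sent, Windows logon prompt returned), as an added example that is not part of the thread. The function names are hypothetical and the `BEFORE`/`AFTER` responses are constructed; the two URLs are the ones quoted in the post.

```python
import urllib.error
import urllib.request

WINDOWS_SCHEMES = {"negotiate", "ntlm"}  # Integrated Windows Authentication


def classify(status, www_authenticate=()):
    """Classify the response to a request that carried no credentials."""
    schemes = {v.split()[0].lower() for v in www_authenticate if v.strip()}
    if status == 401 and schemes & WINDOWS_SCHEMES:
        return "windows-logon"       # browser shows the Windows logon prompt
    if status == 401:
        return "other-challenge"     # e.g. Basic only
    if 200 <= status < 300:
        return "anonymous-content"   # page served with no logon at all
    if 300 <= status < 400:
        return "redirect"            # e.g. to a forms login page
    return "error"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None                  # surface 3xx as HTTPError instead of following


def probe(url, timeout=10):
    """Send one credential-free GET to url and return (status, headers)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get_all("WWW-Authenticate") or []
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get_all("WWW-Authenticate") or []


def findings(observed, must_challenge):
    """URLs in must_challenge whose response was not a Windows logon challenge."""
    return sorted(u for u in must_challenge
                  if classify(*observed[u]) != "windows-logon")


ROOT = "http://intranet.mydomain.org"
COMPANYWEB = "https://intranet.mydomain.org:444"
# Constructed sample responses, not captured from a real server.
BEFORE = {ROOT: (200, []), COMPANYWEB: (401, ["Negotiate", "NTLM"])}
AFTER = {ROOT: (401, ["Negotiate", "NTLM"]), COMPANYWEB: (401, ["Negotiate", "NTLM"])}

if __name__ == "__main__":
    live = {u: probe(u) for u in (ROOT, COMPANYWEB)}  # run from outside the LAN
    print(findings(live, [ROOT, COMPANYWEB]) or "all challenged")
```

/remote and /exchange are left out of `must_challenge` because the post says they present their own web-based login pages rather than a Windows logon prompt.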