Re: Urgent: Problem setting up web site hosting on SBS03 with ISA
- From: Joe <joe@xxxxxxxxxxxxxx>
- Date: Thu, 24 Jan 2008 21:17:19 +0000
501c3help wrote:
I have to play a little devil's advocate here. The overwhelming consensus of opinion is that SBS and public web hosting are fundamentally incompatible and should never be done. In the interest of sparking discussion, we will all stipulate that there are obvious security issues here. On the other side of the coin, perhaps we can also stipulate that many of these issues can be mitigated by a knowledgeable administrator who has the skill and experience to properly configure all aspects of the server (note I said "mitigate", i.e. reduce - not "eliminate"). Still, one must carefully evaluate the risk vs. benefit of having port 80 access open to your LOB server.
So, I put it to a question. What's so unique about the vulnerability of port 80 as opposed to the other avenues of attack that SBS presents on the external network, in particular those that also rely on IIS for their core functions (e.g. RWW, OWA)?
OK, let's be realistic. Unless new vulnerabilities in IIS are discovered, hosting static HTML pages is probably fairly safe.
But read again what the OP proposes, and Google 'SQL injection', '"cross-site scripting"' and the latter's usual abbreviation 'xss'. You'll get a total of about 10 million hits, many of which will overlap, of course. Here's one to start you off:
http://www.securiteam.com/securityreviews/5DP0N1P76E.html
I'm not a web developer, I dabble with PHP and SQL on my own server and have a number of household databases accessible in this way. I believe my scripts are secure, but I do know enough to know that I don't know enough to be sure, and there's no way I would ever expose them to the Net.
I do have one PHP/SQL site up on the web for a client. It's very simple: it uses basic authentication and accepts an extremely limited range of input, and I'm *still* not going to tell you where it is. It's externally hosted, on a server which offers PHP/SQL facilities for about 30 USD a month. Its database is kept synchronised (to within ten minutes) to a master Access/SQL database on the customer's premises by means of email. There is *no* traffic the other way: my client has no exploitable services open to the Net.
I never once considered hosting the service on the client's own network, and he agreed, despite having the most awesome grasp of 'cost control' of anyone I've ever met. He could see quite easily that a single incident would cost the equivalent of several years' hosting.
*That's* what's unique about port 80 (and 443, for that matter: https confers no kind of protection to a web server, it's there to prevent deception of a client). A modern web server running scripts and hooked up to a database is by far the most complex kind of server on the Net, and in IT, complexity brings vulnerability. And while the OP's ASP work will no doubt have been done by 'an experienced web developer', I think everyone knows how much bluffing goes on in IT, and it may have been thrown together by someone no more competent at it than I am.
The other issue here is not specifically about web serving, but the inevitable weakness of the SBS in being a basket containing *all* of the company's eggs. I'd recommend against in-house public web serving, but if done at all, it should be done by a machine which is expendable, and unable to reach the parts of the network which are not.
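As an added illustration (not part of Joe's post, and not his PHP scripts), the two classes of defect he points the OP at, SQL injection and cross-site scripting, look like this in a database-backed page. Python and an in-memory SQLite table stand in for the PHP/SQL setup; the table contents and the `items`/`owner` names are constructed for the example. The unsafe functions show the defect a "thrown together" script typically carries; the safe ones show the standard fixes (parameterised queries, output escaping).

```python
import html
import sqlite3


def make_db():
    # Constructed sample data: a tiny table standing in for the household
    # or customer database that a PHP/SQL page would expose.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE items (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO items (owner, name) VALUES (?, ?)",
        [
            ("alice", "garden tools"),
            ("alice", "bicycle"),
            ("bob", "camera"),
            # A stored value containing markup, to show the XSS side.
            ("carol", "<script>alert(1)</script>"),
        ],
    )
    return conn


def lookup_unsafe(conn, owner):
    # Defect: the request parameter is pasted straight into the SQL text,
    # so a quote in the input changes the query's structure.
    sql = "SELECT name FROM items WHERE owner = '" + owner + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, owner):
    # Fix: a bound parameter is always treated as data, never as SQL.
    sql = "SELECT name FROM items WHERE owner = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (owner,))]


def render_unsafe(names):
    # Defect: database values are written into HTML verbatim, so any
    # markup stored in the table is interpreted by the visitor's browser.
    return "<ul>" + "".join("<li>" + n + "</li>" for n in names) + "</ul>"


def render_safe(names):
    # Fix: escape every untrusted value at the point it enters HTML.
    return (
        "<ul>"
        + "".join("<li>" + html.escape(n) + "</li>" for n in names)
        + "</ul>"
    )


def demo():
    """Run both variants against a normal and a crafted parameter."""
    conn = make_db()
    crafted = "x' OR '1'='1"  # textbook injection string, for contrast
    return {
        "unsafe_normal": lookup_unsafe(conn, "alice"),
        "unsafe_crafted": lookup_unsafe(conn, crafted),  # every row leaks
        "safe_crafted": lookup_safe(conn, crafted),      # no such owner
        "unsafe_html": render_unsafe(lookup_safe(conn, "carol")),
        "safe_html": render_safe(lookup_safe(conn, "carol")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The point for the OP's situation is that neither defect is visible from the outside until someone probes for it, and the hardened forms cost nothing at development time but have to be applied consistently on every query and every output, which is exactly the discipline a hurried contractor may not have had.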