Re: Urgent: Problem setting up web site hosting on SBS03 with ISA
- From: ChristopherDeMars <ChristopherDeMars@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 24 Jan 2008 20:55:00 -0800
I appreciate all of your input. It has helped more than you may know... After
showing the owner all of these expert opinions, he was finally convinced that
it was not just me trying to get him to spend more money on IT equipment!!!
He has agreed to purchase an additional server (although very cheap and not
powerful) to host the web site. I will set this up as recommended by Microsoft
by placing the web server outside the secure internal network, and thus it
will be expendable.
In the meantime (four weeks) he wants the web site hosted on the server we
do have. To this end I will enable it for a short time. I have figured out
how to get it working, I made a simple mistake in how I set up the Filter.
See one of the other replies to get the full info on what I did for all of
those who are still risky enough to publish a web site on a LOB SBS server.
Thanks again everyone!

I have to play a little devil's advocate here. The overwhelming consensus of
opinion is that SBS and public web hosting are fundamentally incompatible and
should never be done. In the interest of sparking discussion, we will all
stipulate that there are obvious security issues here. On the other side of
the coin, perhaps we can also stipulate that many of these issues can be
mitigated by a knowledgeable administrator who has the skill and experience to
properly configure all aspects of the server (note I said "mitigate", i.e.
reduce - not "eliminate"). Still, one must carefully evaluate the risk vs.
benefit of having port 80 access open to your LOB server.
So, I put it to a question. What's so unique about the vulnerability of
port 80 as opposed to the other avenues of attack that SBS presents on the
external network, in particular those that also rely on IIS for their core
functions (e.g. RWW, OWA).

OK, let's be realistic. Unless new vulnerabilities in IIS are
discovered, hosting static HTML pages is probably fairly safe.
But read again what the OP proposes, and Google 'SQL injection',
'"cross-site scripting"' and the latter's usual abbreviation 'xss'.
You'll get a total of about 10 million hits, many of which will overlap,
of course. Here's one to start you off:
I'm not a web developer, I dabble with PHP and SQL on my own server and
have a number of household databases accessible in this way. I believe
my scripts are secure, but I do know enough to know that I don't know
enough to be sure, and there's no way I would ever expose them to the Net.
I do have one PHP/SQL site up on the web for a client, it's very simple,
it uses basic authentication and accepts an extremely limited range of
input, and I'm *still* not going to tell you where it is. It's
externally hosted, on a server which offers PHP/SQL facilities for about
30 USD a month. Its database is kept synchronised (to within ten
minutes) to a master Access/SQL database on the customer's premises by
means of email. There is *no* traffic the other way: my client has no
exploitable services open to the Net.
I never once considered hosting the service on the client's own network,
and he agreed, despite having the most awesome grasp of 'cost control'
of anyone I've ever met. He could see quite easily that a single
incident would cost the equivalent of several years' hosting.
*That's* what's unique about port 80 (and 443, for that matter: https
confers no kind of protection to a web server, it's there to prevent
deception of a client). A modern web server running scripts and hooked
up to a database is by far the most complex kind of server on the Net,
and in IT, complexity brings vulnerability. And while the OP's ASP work
will no doubt have been done by 'an experienced web developer', I think
everyone knows how much bluffing goes on in IT, and it may have been
thrown together by someone no more competent at it than I am.
The other issue here is not specifically about web serving, but the
inevitable weakness of the SBS in being a basket containing *all* of the
company's eggs. I'd recommend against in-house public web serving, but
if done at all, it should be done by a machine which is expendable, and
unable to reach the parts of the network which are not.
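The two bug classes the reply above tells the reader to look up, SQL injection and cross-site scripting, side by side with the fix for each. This is an added example and not code from the thread; the thread's site is ASP against a SQL database on SBS 2003, whereas this uses Python with an in-memory SQLite table, a constructed user list and constructed attacker inputs, so that the same mistake can be run and observed offline.

```python
"""SQL injection and XSS: the vulnerable form of each next to its fix.

Added example, not from the mailing-list thread. The user table, its two
rows and the attacker inputs are constructed for illustration; the site
under discussion was ASP/SQL, this uses Python + sqlite3 for the same bug.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the site's user database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", 1), ("bob", "hunter2", 0)],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str):
    """The classic mistake: the SQL text is assembled from request input."""
    sql = ("SELECT name, is_admin FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_parameterized(conn: sqlite3.Connection, name: str, password: str):
    """Fixed form: placeholders, so input is always data and never SQL."""
    sql = "SELECT name, is_admin FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()


def greeting_vulnerable(name: str) -> str:
    """Reflecting request input straight into the page: reflected XSS."""
    return "<p>Welcome, " + name + "</p>"


def greeting_escaped(name: str) -> str:
    """Fixed form: escape on output so the browser renders input as text."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    # Comment injection: the trailing "--" discards the password check.
    print(login_vulnerable(db, "alice' --", "wrong"))
    # Tautology injection: AND binds tighter than OR, so every row matches.
    print(login_vulnerable(db, "nobody", "' OR '1'='1"))
    # The same inputs against the parameterized query match nothing.
    print(login_parameterized(db, "alice' --", "wrong"))
    print(greeting_vulnerable("<script>alert(1)</script>"))
    print(greeting_escaped("<script>alert(1)</script>"))
```

Both injected strings log the attacker in as the admin row without a password through `login_vulnerable`, and return nothing through `login_parameterized`; the escaped greeting turns the script tag into inert text. Input validation on top of this is fine, but the parameterized query and output escaping are the controls that actually close the two holes.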