Putting a website on the office network

Posted on 2003-12-09
Medium Priority
Last Modified: 2013-12-04
My company has a MAIN office and an EXTERNAL office in different cities.
We wish to maintain a simple “list of product codes” that is shared between both offices and is updateable from either office.
Each office has at most 2 computers and 2 staff. We don't have the budget to purchase a leased line between the 2 offices so we are trying to exploit "broadband internet" which has just entered the market in our country.
There is little or no high risk or confidential information in either office including the “list of product codes”.

My plan is to build a simple web-based application, place a webserver (a Microsoft IIS webserver) in the MAIN office with a broadband internet connection (with which we get a fixed IP address).

When the EXTERNAL office wishes to view/update the client details they just log on to http://xxx.yyy.zzz.aaa.

Even though there is no sensitive information on the webserver or the other computers I am concerned about viruses being placed on the webserver or any other connected computer.

As one security measure I will make "Anonymous Access" on the website unavailable; and using the “integrated windows authentication” option, make the data only visible to one ACL.

My questions are:
1. Given that there are no huge security concerns do I still need to have a DMZ ?
2. Would making the website available on a port number other than 80 make the system more secure ?
3. Any other issues I have forgotten about, as I have never done this before?

Thanks in advance
Question by: eamonroche
Assisted Solution

Sebo2000 earned 200 total points
ID: 9905772
Great plan, I'm just wondering what kind of data you will have on your web site.

If you have properly configured IIS with all the patches and fixes you don't need a DMZ. If you set up the site on a higher port, e.g. 33333, it will be more secure: not many people are scanning all the ports, plus the default port is always attacked by trojans etc.

Make sure you set up all the ACL properly.
In your case, if you have text data, maybe you can try already built applications to give users access to the data.
http://www.eshop-server.com/ : install it and run the test; you will be able to give users access to documents based on their login. It's pretty secure and has a lot of options, and the administration panel is pretty good. You will need SQL to install it.
I adopted that for a very similar project to yours.
Take Care

Assisted Solution

Gnart earned 200 total points
ID: 9908930
At most just 2 computers:

1)  Put anti-virus on.
2)  Put a host-based firewall on; turn off any ports that you don't need (NetBIOS, ...).
3)  Your broadband routers come with a DMZ; you can use it if you want. It provides
a little more security to the other PCs on the local net.
4)  Change the ports if your website is accessed only internally.  It provides a little more security.

Want more security? Use IPSec between the two routers.  Doesn't seem to be worth it though.


Accepted Solution

Joseph_Moore earned 400 total points
ID: 9917876
Ok. I am running 2 publicly available web servers with Win2K (and IIS) running on port 80. I set them up correctly at the onset, and since then I have had only 1 problem in 2 years. I will explain that one blemish in due time.

I like the not using anonymous access and "integrated Windows Authentication" only, and the NTFS Security tab changing to allow only that one account access. That will make browsing the site much more difficult. Yet, a person could still do a HTTP HEAD request to determine that it is an IIS server, and that is what brings out the attacks. Ok, my thoughts are these (some of them agree with statements made in previous answers; I apologize for the redundancy):

Do not put the website in the WWWROOT folder on the server. Put it somewhere else.
Also, do not use the "Default Web Site" in IIS. Make your own web site in the Internet Services Manager snap-in.
Do not enable FrontPage Extensions.
Run URLScan. Get it at: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/urlscan.asp
Make sure URLScan deletes the default virtual directories that IIS creates (iisadmin, scripts, iishelp, etc.)
Also make sure the Printers virtual directory is gone.
Don't install TSWeb on the server!
Antivirus is a yes!
Keep updated on OS patches!!!! Set Automatic Updates to run daily.
Turn on auditing to see if anyone tries to start hacking away, and check the logs often.
Make sure Web Folders is not enabled on your website.
Disable WebDAV.

Do you have a firewall, or are you putting one in place? For I don't have to tell you (but I will!) that one is essential. Hell, even a software-based firewall like ZoneAlarm is better than nothing at all.

Now, the one problem I had with one of my IIS servers was at the beginning of the year, when the WebDAV vulnerability in IIS was released. I heard about it the day the patch was released, and I went to my main IIS web server and took care of it (disabled WebDAV in the Registry, and patched it a few days later).

I forgot to take care of my other, less-used IIS box! Oops! Sure enough, the anti-virus that runs on it (Symantec NAV) caught a trojan being uploaded to it! The anti-virus quarantined the trojan before it could start, luckily! I received my Symantec alerts, realized what ALMOST happened, and patched that server then and there. It made for an interesting morning! So, that just goes to show you need to stay up on your patches and vulnerabilities and don't forget your servers!
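An added example, not URLScan itself and not code posted by anyone in this thread, showing the kind of request filtering URLScan does in front of IIS, written in Python so it can be run and read offline: only GET, HEAD and POST are allowed (so the WebDAV verbs are refused), the Translate/If/Lock-Token headers that hand a request to WebDAV or FrontPage are denied, risky extensions and URL sequences are denied, and the URL is normalized once and re-checked so a double-encoded path cannot slip past the sequence rules. The policy values are assumptions in the spirit of URLScan.ini settings, not a copy of any shipped configuration, and the sample requests are constructed for the demo.

```python
"""URLScan-style request filtering for IIS, as an offline illustration.

Added example: this is not URLScan and not code from the thread. It applies a
small subset of URLScan-type checks to raw HTTP request lines and reports
whether the request would have been passed on to IIS. All policy values are
illustrative assumptions.
"""
from urllib.parse import unquote

# Illustrative policy (assumed values, not a shipped URLScan.ini).
ALLOW_VERBS = {"GET", "HEAD", "POST"}       # anything else, WebDAV verbs included, is refused
DENY_HEADERS = {"translate", "if", "lock-token", "transfer-encoding"}  # WebDAV/FrontPage plumbing
DENY_EXTENSIONS = {".asa", ".bat", ".cmd", ".com", ".exe", ".htr", ".htw",
                   ".ida", ".idc", ".idq", ".printer", ".shtml", ".stm"}
DENY_URL_SEQUENCES = ("..", "./", "\\", ":", "%", "&")
MAX_URL = 260
MAX_QUERY = 2048


def check_request(request_line, headers=None):
    """Return (accepted, reason) for one request line such as
    'GET /codes/list.asp?id=1 HTTP/1.1' plus an optional header dict."""
    headers = {name.lower(): value for name, value in (headers or {}).items()}
    parts = request_line.split()
    if len(parts) != 3:
        return False, "malformed request line"
    verb, target, _version = parts

    if verb not in ALLOW_VERBS:
        return False, f"verb {verb} not allowed"
    for name in headers:
        if name in DENY_HEADERS:
            return False, f"header {name} denied"

    path, _, query = target.partition("?")
    if len(path) > MAX_URL:
        return False, "URL too long"
    if len(query) > MAX_QUERY:
        return False, "query string too long"

    # Normalize once, then verify a second pass changes nothing: a URL that
    # still decodes further was double-encoded to get past the sequence rules.
    normalized = unquote(path)
    if unquote(normalized) != normalized:
        return False, "double-encoded URL"

    lowered = normalized.lower()
    for seq in DENY_URL_SEQUENCES:
        if seq in lowered:
            return False, f"sequence {seq!r} denied"

    last_segment = lowered.rsplit("/", 1)[-1]
    if "." in last_segment:
        ext = "." + last_segment.rsplit(".", 1)[-1]
        if ext in DENY_EXTENSIONS:
            return False, f"extension {ext} denied"
    return True, "ok"


# Constructed sample traffic: the product-code application's own requests plus
# the sort of junk that reaches any public IIS box.
SAMPLE_REQUESTS = [
    ("GET /codes/list.asp?id=1 HTTP/1.1", None),
    ("HEAD /codes/ HTTP/1.1", None),
    ("PROPFIND /codes/ HTTP/1.1", None),                                     # WebDAV verb
    ("GET /codes/list.asp HTTP/1.1", {"Translate": "f"}),                     # WebDAV/FrontPage header
    ("GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0", None),  # encoded traversal
    ("GET /default.ida?NNNNNNNN HTTP/1.0", None),                             # .ida handler
    ("GET /codes/list.asp%252e HTTP/1.1", None),                              # double encoding
]


def run_samples():
    """Evaluate SAMPLE_REQUESTS; return a list of (request_line, accepted, reason)."""
    return [(line, *check_request(line, hdrs)) for line, hdrs in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for line, accepted, reason in run_samples():
        print(f"{'PASS' if accepted else 'DROP':4} {line:68} {reason}")
```

Note that HEAD is still allowed, which is exactly the point made above: a filter like this stops the WebDAV and traversal traffic, but a bare HEAD still reaches the server and tells the caller it is IIS.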

Assisted Solution

PaulHieb earned 200 total points
ID: 9923749
I've used BlackICE PC Protection (http://www.networkice.com/) on many IIS servers as a secondary firewall; it's cheap, does a good job of cleaning URL hacks and buffer overflow attempts, and will even auto-block addresses based on these types of repeated attacks.

Something else I've done as a regular practice is configure a web site to only listen on a designated HTTP host header (i.e. http://www.microsoft.com as opposed to http://xxx.xxx.xxx.xxx). This prevents hackers from communicating with your webserver using only the IP address after initiating a services scan and seeing port 80 open. It's like a password; you have to know the domain name before the web server will serve you any webpages.
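An added example, not from the thread and not an IIS configuration, of the host-header binding described above, using a throwaway Python server on the loopback interface. The site name codes.example.com and the Server banner string are assumptions chosen for the demo. The server only serves the page when the Host header matches; a request addressed to the bare IP gets a 404. The probe also shows the caveat raised earlier in the thread: the rejected response still carries the Server header, so a HEAD to the IP address fingerprints the server even though no page is served.

```python
"""Host-header-only binding on a throwaway local server.

Added example: not code from the thread and not IIS. A tiny HTTP server on
127.0.0.1 answers the product-code page only when the Host header matches
SITE_NAME; any other Host value (a bare IP, say) gets 404. SITE_NAME and
SERVER_BANNER are assumed values for the demo.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SITE_NAME = "codes.example.com"      # assumed site name bound to the web site
SERVER_BANNER = "Microsoft-IIS/5.0"  # assumed banner, to mimic what a real server advertises


class HostBoundHandler(BaseHTTPRequestHandler):
    def version_string(self):
        # http.server puts this into the Server header of every response.
        return SERVER_BANNER

    def _dispatch(self, send_body):
        host = self.headers.get("Host", "").split(":")[0].lower()
        if host == SITE_NAME:
            body = b"<html>product codes</html>"
            self.send_response(200)
        else:
            # No site configured for this Host value: refuse the page ...
            body = b"<html>No web site is configured at this address.</html>"
            self.send_response(404)
        # ... but note send_response has already attached the Server header.
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if send_body:
            self.wfile.write(body)

    def do_GET(self):
        self._dispatch(send_body=True)

    def do_HEAD(self):
        self._dispatch(send_body=False)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_server():
    """Bind to an ephemeral loopback port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), HostBoundHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe(port, host_header, method="HEAD"):
    """Send one request with an explicit Host header; return (status, Server header)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.putrequest(method, "/", skip_host=True)
    conn.putheader("Host", host_header)
    conn.endheaders()
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("Server")


def demo():
    """Return ((status, server) by site name, (status, server) by bare IP)."""
    srv, port = start_server()
    try:
        by_name = probe(port, SITE_NAME, "GET")            # what the EXTERNAL office sends
        by_ip = probe(port, f"127.0.0.1:{port}", "HEAD")  # what a scanner with only the IP sends
    finally:
        srv.shutdown()
        srv.server_close()
    return by_name, by_ip


if __name__ == "__main__":
    name_result, ip_result = demo()
    print(f"Host: {SITE_NAME} -> {name_result}")
    print(f"Host: 127.0.0.1 (bare IP) -> {ip_result}")
```

Run it directly and it prints both results. The host header gates the page, not the server: the bare-IP HEAD comes back 404 with the banner intact, which is why the port-scan-then-fingerprint pattern still works against a host-header-bound site and why patching matters more than hiding.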
