Putting a website on the office network

Posted on 2003-12-09
Last Modified: 2013-12-04
My company has a MAIN office and an EXTERNAL office in different cities.
We wish to maintain a simple “list of product codes” that is shared between both offices and is updateable from either office.
Each office has at most 2 computers and 2 staff. We don't have the budget to purchase a leased line between the 2 offices so we are trying to exploit "broadband internet" which has just entered the market in our country.
There is little or no high risk or confidential information in either office including the “list of product codes”.

My plan is to build a simple web-based application, place a webserver (a Microsoft IIS webserver) in the MAIN office with a broadband internet connection (with which we get a fixed IP address).

When the EXTERNAL office wishes to view/update the client details they just log on to http://xxx.yyy.zzz.aaa.

Even though there is no sensitive information on the webserver or the other computers I am concerned about viruses being placed on the webserver or any other connected computer.

As one security measure I will make "Anonymous Access" on the website unavailable; and using the “integrated windows authentication” option, make the data only visible to one ACL.

My questions are:
1. Given that there are no huge security concerns, do I still need to have a DMZ?
2. Would making the website available on a port number other than 80 make the system more secure?
3. Any other issues I have forgotten about, as I have never done this before?

Thanks in advance
E.R.
Question by: eamonroche

4 Comments
Assisted Solution by: Sebo2000 (LVL 6, earned 50 total points)
Great plan, I'm just wondering what kind of data you will have on your web.

If you have properly configured IIS with all the patches and fixes you don't need a DMZ; if you set up the site on a higher port, e.g. 33333, it will be more secure, not many people are scanning all the ports, plus the default port is always attacked by trojans etc.

Make sure you set up all the ACLs properly.
In your case, if you have text data, maybe you can try already built applications to give users access to the data.
http://www.eshop-server.com/ install it and run the test, you will be able to give users access to documents based on their login. It's pretty secure and has a lot of options, and the administration panel is pretty good; you will need SQL to install it.
I adopted that for a very similar project to yours.
Take Care
Sebo
Assisted Solution by: Gnart (LVL 13, earned 50 total points)
At most just 2 computers:

1)  Put anti-virus on.
2)  Put a host-based firewall on - turn off any ports that you don't need - NetBIOS....
3)  Your broadband routers come with a DMZ - you can use it if you want - it provides a little more security to the other PC on the local net.
4)  Change the ports if your website is accessed only internally. It provides a little more security.

Want more security - use IPSec between the two routers. Doesn't seem to be worth it though.

cheers
Accepted Solution by: Joseph_Moore (LVL 6, earned 100 total points)
Ok. I am running 2 publicly available web servers with Win2K (and IIS) running on port 80. I set them up correctly at the onset, and since then I have had only 1 problem in 2 years. I will explain that one blemish in due time.

I like the not using anonymous access and "integrated Windows Authentication" only, and the NTFS Security tab changing to allow only that one account access. That will make browsing the site much more difficult. Yet, a person could still do an HTTP HEAD request to determine that it is an IIS server, and that is what brings out the attacks. Ok, my thoughts are these (some of them agree with statements made in previous answers; I apologize for the redundancy):

Do not put the website in the WWWROOT folder on the server. Put it somewhere else.
Also, do not use the "Default Web Site" in IIS. Make your own web site in the Internet Services Manager snap-in.
Do not enable FrontPage Extensions.
Run URLScan. Get it at: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/urlscan.asp
Make sure URLScan deletes the default virtual directories that are made by IIS by default (iisadmin, scripts, iishelp, etc.)
Also make sure the Printers virtual directory is gone.
Don't install TSWeb on the server!
Antivirus is a yes!
Keep updated on OS patches!!!! Set Automatic Updates to run daily.
Turn on auditing to see if anyone tries to start hacking away, and check the logs often.
Make sure Web Folders is not enabled on your website.
Disable WebDAV.

Do you have a firewall, or are you putting one in place? For I don't have to tell you (but I will!) that one is essential. Hell, even a software-based firewall like ZoneAlarm is better than nothing at all.

Now, the one problem I had with one of my IIS servers was at the beginning of the year, when the WebDAV vulnerability in IIS was released. I heard about it the day the patch was released, and I went to my main IIS web server and took care of it (disabled WebDAV in the Registry, and patched it a few days later).

I forgot to take care of my other, less-used IIS box! Oops! Sure enough, the anti-virus that runs on it (Symantec NAV) caught a trojan being uploaded to it! The anti-virus quarantined the trojan before it could start, luckily! I received my Symantec alerts, realized what ALMOST happened, and patched that server then and there. It made for an interesting morning! So, that just goes to show you need to stay up on your patches and vulnerabilities and don't forget your servers!
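The accepted solution above says to remove the stock virtual directories and to turn on auditing and check the logs often. The following is an added example, not code from the thread or from any of its posters, showing what that log review can look like: it parses IIS W3C extended log lines (the `#Fields:` header names the columns) and counts, per client address, requests for virtual directories that should no longer exist and authentication failures (HTTP 401, which the site's integrated-authentication-only setting will produce for anyone without the one permitted account). The log lines, host names, addresses (RFC 5737 documentation ranges) and the `RETIRED_PATHS` list are constructed for the example.

```python
"""Triage of IIS W3C extended log lines: probes of retired virtual directories
and authentication failures, counted per client address (added example)."""
from collections import Counter

# Virtual directories the accepted answer says should be removed (IIS defaults
# and FrontPage's _vti_bin); any request for them afterwards is a probe.
RETIRED_PATHS = ("/scripts/", "/iisadmin/", "/iishelp/", "/printers/", "/_vti_bin/")

# Constructed sample log in the W3C extended format IIS 5/6 writes; the
# addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-12-09 08:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-12-09 08:00:01 10.0.0.5 MAIN\\alice 192.0.2.10 80 GET /codes/list.asp - 200 Mozilla/4.0
2003-12-09 08:00:07 10.0.0.5 MAIN\\alice 192.0.2.10 80 POST /codes/update.asp - 200 Mozilla/4.0
2003-12-09 08:01:13 203.0.113.7 - 192.0.2.10 80 GET /scripts/ - 404 -
2003-12-09 08:01:13 203.0.113.7 - 192.0.2.10 80 GET /printers/ - 404 -
2003-12-09 08:01:14 203.0.113.7 - 192.0.2.10 80 HEAD / - 401 -
2003-12-09 08:02:30 198.51.100.9 - 192.0.2.10 80 GET /codes/list.asp - 401 Mozilla/4.0
"""


def parse_w3c(text):
    """Return one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives carry no requests
        if fields is None:
            raise ValueError("request line seen before a #Fields header")
        values = line.split()  # IIS writes '+' for spaces inside a field
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def triage(records, retired=RETIRED_PATHS, threshold=2):
    """Count probes of retired paths and 401s per client; flag repeat probers."""
    retired_probes = Counter()
    auth_failures = Counter()
    for rec in records:
        stem = rec["cs-uri-stem"].lower()
        if any(stem.startswith(prefix) for prefix in retired):
            retired_probes[rec["c-ip"]] += 1
        if rec["sc-status"] == "401":
            auth_failures[rec["c-ip"]] += 1
    flagged = sorted(ip for ip, n in retired_probes.items() if n >= threshold)
    return {
        "retired_probes": dict(retired_probes),
        "auth_failures": dict(auth_failures),
        "flagged": flagged,
    }


if __name__ == "__main__":
    report = triage(parse_w3c(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The 401 count is the useful signal once anonymous access is off: the office staff authenticate silently, so repeated 401s from an address outside the two offices are someone else knocking. Run it against the real `ex*.log` files in the IIS log directory instead of `SAMPLE_LOG`, and extend `RETIRED_PATHS` with whatever URLScan removed on the server in question.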
Assisted Solution by: PaulHieb (LVL 2, earned 50 total points)
I've used BlackICE PC Protection (http://www.networkice.com/) on many IIS servers as a secondary firewall; it's cheap and does a good job of cleaning URL hacks and buffer overflow attempts and will even auto-block addresses based on these types of repeated attacks.

Something else I've done as a regular practice is configure a web site to only listen on a designated HTTP host header (i.e. http://www.microsoft.com as opposed to http://xxx.xxx.xxx.xxx); this prevents hackers from communicating with your webserver using only the IP address after initiating a services scan and seeing port 80 open. It's like a password; you have to know the domain name before the web server will serve you any webpages.
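To make the host-header point above concrete, here is an added example (not code from the thread or from any of its posters) that models how IIS host-header bindings route a request: the site is bound to a host name only, so a request that carries the bare IP address in its `Host:` header, or an HTTP/1.0 request with no `Host:` header at all, matches no binding and gets the 400 that IIS answers with in that situation. The binding list, site name `ProductCodes`, host name `codes.example.com` and address `192.0.2.10` are all constructed for the example.

```python
"""Routing a request by its HTTP Host header the way IIS host-header
bindings do (added example; names and addresses are constructed)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binding:
    ip: str           # "*" stands for IIS's "All Unassigned"
    port: int
    host_header: str  # "" means the site answers any Host value (a catch-all)
    site: str


# Constructed: one site bound only to its host name, and no catch-all site.
BINDINGS = [Binding("*", 80, "codes.example.com", "ProductCodes")]
SERVER_IP = "192.0.2.10"  # documentation address standing in for xxx.xxx.xxx.xxx


def select_site(bindings, dst_ip, dst_port, host_header) -> Optional[str]:
    """Exact host-header match wins; an empty host header only catches leftovers."""
    host = (host_header or "").split(":", 1)[0].strip().lower()  # drop any :port
    catch_all = None
    for b in bindings:
        if b.port != dst_port or b.ip not in ("*", dst_ip):
            continue
        if b.host_header:
            if b.host_header.lower() == host:
                return b.site
        else:
            catch_all = b.site
    return catch_all


def route_request(raw: bytes, dst_ip=SERVER_IP, dst_port=80, bindings=BINDINGS):
    """Return (status, site) for a raw HTTP request head.

    400 mirrors IIS's "Bad Request (Invalid Hostname)" answer when no
    binding matches the Host header the client sent.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    _request_line, *header_lines = head.split("\r\n")
    host = None
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
            break
    site = select_site(bindings, dst_ip, dst_port, host)
    return (200, site) if site else (400, None)


# Constructed requests: by name, by bare IP, and HTTP/1.0 without a Host header.
REQUESTS = {
    "by name": b"GET /codes/list.asp HTTP/1.1\r\nHost: codes.example.com\r\n\r\n",
    "by ip": b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
    "no host": b"GET / HTTP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in REQUESTS.items():
        print(f"{label:8s} -> {route_request(req)}")
```

Adding `Binding("*", 80, "", "Default Web Site")` to the list shows why the accepted solution says not to leave the Default Web Site in place: a catch-all binding answers the bare-IP request and gives the port scan a live server to talk to. The host name still travels in DNS and in every request, so this filter hides the site from blind IP scans rather than authenticating anyone; the integrated-authentication and ACL settings from the question remain the actual access control.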