Putting a website on the office network

My company has a MAIN office and an EXTERNAL office in different cities.
We wish to maintain a simple “list of product codes” that is shared between both offices and is updateable from either office.
Each office has at most 2 computers and 2 staff. We don't have the budget to purchase a leased line between the 2 offices so we are trying to exploit "broadband internet", which has just entered the market in our country.
There is little or no high risk or confidential information in either office including the “list of product codes”.

My plan is to build a simple web-based application, and place a webserver (a Microsoft IIS webserver) in the MAIN office with a broadband internet connection (with which we get a fixed IP address).

When the EXTERNAL office wishes to view/update the client details they just log on to http://xxx.yyy.zzz.aaa.

Even though there is no sensitive information on the webserver or the other computers I am concerned about viruses being placed on the webserver or any other connected computer.

As one security measure I will make "Anonymous Access" on the website unavailable; and using the “integrated windows authentication” option, make the data only visible to one ACL.

My questions are:
1. Given that there are no huge security concerns, do I still need to have a DMZ?
2. Would making the website available on a port number other than 80 make the system more secure?
3. Any other issues I have forgotten about, as I have never done this before?

Thanks in advance

Great plan, I'm just wondering what kind of data you will have on your web.

If you have properly configured IIS with all the patches and fixes you don't need a DMZ; if you set up the site on a higher port, e.g. 33333, it will be more secure, not many people are scanning all the ports, plus the default port is always attacked by trojans etc.

Make sure you set up all the ACL properly.
In your case, if you have text data, maybe you can try already-built applications to give users access to the data.
http://www.eshop-server.com/ - install it and run the test; you will be able to give users access to documents based on their login. It's pretty secure and has a lot of options, and the administration panel is pretty good. You will need SQL to install it.
I adopted that for a very similar project to yours.
Take Care
At most just 2 computers:

1)  Put anti-virus.
2)  Put a host-based firewall - turn off any ports that you don't need - NetBIOS...
3)  Your broadband routers come with DMZ - you can use it if you want - it provides a little more security to the other PC on the local net.
4)  Change the ports if your website is accessed only internally. It provides a little more security.

Want more security? Use IPSec between the two routers. Doesn't seem to be worth it though.

Ok. I am running 2 publicly available web servers with Win2K (and IIS) running on port 80. I set them up correctly at the onset, and since then I have had only 1 problem in 2 years. I will explain that one blemish in due time.

I like not using anonymous access, using "Integrated Windows Authentication" only, and changing the NTFS Security tab to allow only that one account access. That will make browsing the site much more difficult. Yet, a person could still do an HTTP HEAD request to determine that it is an IIS server, and that is what brings out the attacks. Ok, my thoughts are these (some of them agree with statements made in previous answers; I apologize for the redundancy):

Do not put the website in the WWWROOT folder on the server. Put it somewhere else.
Also, do not use the "Default Web Site" in IIS. Make your own web site in the Internet Services Manager snap-in.
Do not enable FrontPage Extensions.
Run URLScan. Get it at: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/urlscan.asp
Make sure URLScan deletes the default virtual directories that IIS creates by default (iisadmin, scripts, iishelp, etc.)
Also make sure the Printers virtual directory is gone.
Don't install TSWeb on the server!
Antivirus is a yes!
Keep updated on OS patches!!!! Set Automatic Updates to run daily.
Turn on auditing to see if anyone tries to start hacking away, and check the logs often.
Make sure Web Folders is not enabled on your website.
Disable WebDAV.

Do you have a firewall, or are you putting one in place? For I don't have to tell you (but I will!) that one is essential. Hell, even a software-based firewall like ZoneAlarm is better than nothing at all.

Now, the one problem I had with one of my IIS servers was at the beginning of the year, when the WebDAV vulnerability in IIS was released. I heard about it the day the patch was released, and I went to my main IIS web server and took care of it (disabled WebDAV in the Registry, and patched it a few days later).

I forgot to take care of my other, less-used IIS box! Oops! Sure enough, the anti-virus that runs on it (Symantec NAV) caught a trojan being uploaded to it! The anti-virus quarantined the trojan before it could start, luckily! I received my Symantec alerts, realized what ALMOST happened, and patched that server then and there. It made for an interesting morning! So, that just goes to show you need to stay up on your patches and vulnerabilities and don't forget your servers!
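For the "turn on auditing and check the logs often" item in the answer above, the following is an added example, not code from the answer or from Microsoft, that triages IIS 5 W3C Extended log lines for the probe patterns this thread mentions: WebDAV verbs such as SEARCH and PROPFIND, traversal through /scripts to cmd.exe, and .ida requests carrying an oversized query string. The log records, field layout, username and addresses are constructed for the example, and the rules are a starting point for a two-PC office, not URLScan's own ruleset.

```python
"""Triage IIS W3C Extended log lines for the probe patterns discussed in the thread.

Added example; the log records below are constructed, not taken from a real server.
"""
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

# IIS 5 logs in W3C Extended format; the '#Fields:' directive names the columns.
# The username, addresses and timestamps are invented for the example.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Version: 1.0",
    "#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)",
    "2003-09-01 08:00:01 192.0.2.10 OFFICE\\alice 198.51.100.5 80 GET /codes/list.asp - 200 Mozilla/4.0",
    "2003-09-01 08:00:02 192.0.2.10 OFFICE\\alice 198.51.100.5 80 POST /codes/update.asp - 200 Mozilla/4.0",
    # Nimda / Code Red II style traversal: %255c double-decodes to a backslash
    "2003-09-01 08:01:10 203.0.113.7 - 198.51.100.5 80 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 401 -",
    # Code Red style .ida request with an oversized query string
    "2003-09-01 08:01:11 203.0.113.7 - 198.51.100.5 80 GET /default.ida " + "X" * 200 + "%u9090 401 -",
    # WebDAV verbs that a plain product-code site never needs
    "2003-09-01 08:02:30 203.0.113.7 - 198.51.100.5 80 SEARCH / - 401 -",
    "2003-09-01 08:02:31 203.0.113.7 - 198.51.100.5 80 PROPFIND /codes/ - 401 -",
    "2003-09-01 08:05:00 192.0.2.10 OFFICE\\alice 198.51.100.5 80 HEAD /codes/list.asp - 200 Mozilla/4.0",
])

ALLOWED_VERBS = {"GET", "HEAD", "POST"}          # anything else (WebDAV, TRACE, ...) is suspect
DENIED_EXTENSIONS = {".ida", ".idq", ".htr", ".htw", ".idc", ".printer", ".exe"}
SUSPECT_PATH = re.compile(r"(\.\./|\.\.\\|/winnt/|cmd\.exe|/scripts/)", re.IGNORECASE)
MAX_QUERY_LEN = 100


def parse_w3c(text):
    """Yield one dict per record, using the '#Fields:' directive as the column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            # Only the last column (User-Agent) may contain spaces, so cap the split.
            yield dict(zip(fields, line.split(" ", len(fields) - 1)))


def classify(rec):
    """Return the reasons a record looks like a probe; an empty list means benign."""
    reasons = []
    method = rec["cs-method"].upper()
    # Decode twice so %255c (the encoded form of %5c) is seen as the backslash it becomes.
    stem = unquote(unquote(rec["cs-uri-stem"]))
    query = rec["cs-uri-query"]
    if method not in ALLOWED_VERBS:
        reasons.append(f"unexpected verb {method}")
    if SUSPECT_PATH.search(stem):
        reasons.append("traversal or system path in URI")
    ext = posixpath.splitext(stem)[1].lower()
    if ext in DENIED_EXTENSIONS:
        reasons.append(f"denied extension {ext}")
    if query != "-" and len(query) > MAX_QUERY_LEN:
        reasons.append(f"oversized query ({len(query)} bytes)")
    return reasons


def triage_log(text):
    """Return (client ip, method, uri-stem, reasons) for every record that trips a rule."""
    return [
        (rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"], reasons)
        for rec in parse_w3c(text)
        if (reasons := classify(rec))
    ]


def noisy_clients(findings, threshold=3):
    """Addresses with at least `threshold` flagged requests: candidates for a firewall block."""
    counts = Counter(ip for ip, *_ in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = triage_log(SAMPLE_LOG)
    for ip, method, stem, reasons in hits:
        print(f"{ip} {method:8} {stem[:40]:40} {'; '.join(reasons)}")
    print("noisy clients:", noisy_clients(hits))
```

Run against the sample, the two legitimate office requests pass and the four probes from 203.0.113.7 are flagged, so that address ends up in the noisy-client list; on a real box point `parse_w3c` at the files under `%SystemRoot%\System32\LogFiles\W3SVC1\` and keep the double `unquote`, since the encoded-backslash trick is exactly what a single decode misses.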

I've used BlackICE PC Protection (http://www.networkice.com/) on many IIS servers as a secondary firewall; it's cheap and does a good job of cleaning URL hacks and buffer overflow attempts and will even auto-block addresses based on these types of repeated attacks.

Something else I've done as a regular practice is configure a web site to only listen on a designated HTTP host header (i.e. http://www.microsoft.com as opposed to http://xxx.xxx.xxx.xxx). This prevents hackers from communicating with your webserver using only the IP address after initiating a services scan and seeing port 80 open. It's like a password; you have to know the domain name before the web server will serve you any webpages.
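Two points from the answers above can be seen together on a local server: the HEAD request that reveals an IIS box (third answer) and binding the site to a host header so that IP-only requests get nothing (this answer). The following is an added example, not code from either answer or from Microsoft; it uses Python's standard-library HTTP server on loopback, with the site name `codes.example.test` and the `Microsoft-IIS/5.0` banner assumed for the demo. It shows that an IP-only request is refused while the same request with the right `Host:` header is served, and also that the Server banner goes out on the refusal as well, so a HEAD still identifies the product.

```python
"""Local demonstration of host-header-only serving and of the Server banner a HEAD request returns.

Added example; the site name and server banner are assumed for the demo.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

EXPECTED_HOST = "codes.example.test"   # hypothetical host header the site is bound to


class HostHeaderOnlyHandler(BaseHTTPRequestHandler):
    server_version = "Microsoft-IIS/5.0"   # imitates the banner IIS 5 sends; assumed value
    sys_version = ""

    def version_string(self):
        return self.server_version

    def log_message(self, format, *args):
        pass   # keep the demo quiet

    def host_matches(self):
        """Serve only when the Host header names the bound site; otherwise answer 400."""
        host = self.headers.get("Host", "").split(":")[0].lower()
        if host == EXPECTED_HOST:
            return True
        # IIS answers "400 Bad Request (Invalid Hostname)" when no site matches the header;
        # note that the Server header still goes out with this error response.
        self.send_error(400, "Bad Request (Invalid Hostname)")
        return False

    def do_HEAD(self):
        if self.host_matches():
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()

    def do_GET(self):
        if self.host_matches():
            body = b"<html><body>product code list</body></html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)


def start_server():
    """Bind to an ephemeral loopback port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), HostHeaderOnlyHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(port, method="HEAD", host=None, path="/"):
    """Send one request; with host=None http.client sends 'Host: 127.0.0.1:port', i.e. IP only."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    headers = {"Host": host} if host else {}
    conn.request(method, path, headers=headers)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("Server")


def demo():
    """Compare IP-only requests with requests that carry the right Host header."""
    srv = start_server()
    port = srv.server_address[1]
    try:
        return {
            "ip_only_head": probe(port, "HEAD"),
            "ip_only_get": probe(port, "GET"),
            "named_head": probe(port, "HEAD", host=EXPECTED_HOST),
            "named_get": probe(port, "GET", host=EXPECTED_HOST),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for label, (status, banner) in demo().items():
        print(f"{label:13} -> {status}  Server: {banner}")
```

The IP-only requests come back 400 and the named ones 200, but every response carries `Server: Microsoft-IIS/5.0`; the host-header binding therefore stops casual IP scans from pulling pages, not fingerprinting, and anyone who learns the name (DNS, a certificate, a link) simply sets the header themselves.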