Hmm...what makes my exchange2k3 server any more secure than my web port 80 server?

Posted on 2006-05-19
Last Modified: 2010-05-18
I hope this is not a dumb question but here goes.  There are no internal users on our network.  Everyone works in the field in different locations around the country.

GIVEN that, the web server is behind a firewall in a DMZ and allows port 80 through to itself.  The exchange server is behind a second firewall and allows 443 through to itself and SMTP 25 both ways.  Both are ports (just open holes in a firewall), both are accessible.  So why does it make the back office network any more secure by putting a web server in a DMZ and not making it part of the internal network?
Question by:Sp0cky
    LVL 1

    Assisted Solution

    Hey Sp0cky,

    Imagine a wall between your "protected" (internal) network and your "less protected" (DMZ) network. Now let's say your web server is compromised in your DMZ. The theory is that the "wall" will make it more difficult for the rest of your network to also be compromised.

    It should seem pretty obvious why the web server and the mail exchanger are seen as more of a danger than a normal workstation, and need to be "walled" off. These are set up for outside access which, nowadays, seems to beg for some poking and prodding by the curious and the malicious.

    Your title asks what makes your exchange server more secure than your web server in this situation. Not much. But the rest of your LAN is better off by having these walled off.

    Author Comment

    Thanks hangeles.  Anyone else?
    LVL 32

    Accepted Solution

    The term in favor these days is "attack surface".  Think of that as the total "surface" of all available services on your server that might be attacked.  Some have known vulnerabilities that can and should be patched.  Others have unknown vulnerabilities that will come to light at some point in the future.  You're most worried about the UNKNOWN vulnerabilities since there is no fix for them.

    By blocking everything but what you need, in this case, 25, 80, 443, you greatly reduce your exposure to any other vulnerability that might show up.  Yes, these ports and their services are still vulnerable but that's it.

    By using a firewall that is configured to "block everything but the few services you permit" you reduce your "attack surface" and reduce your vulnerability to successful attack.

    BTW, in addition to the hardware firewall, I think it's also prudent to employ the excellent software firewall on Windows 2003 Server.  Set it up to only permit the services in that you want as well.  Then you have two lines of defense.
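    The two answers above make two separate points: a default-deny policy leaves only the published ports (25, 80, 443) reachable from outside, and the second firewall (the "wall") limits what a compromised DMZ host can reach on the internal network. The following is an added example, not code from the thread or from any of the posters: a small model of the question's two-firewall layout that evaluates flows against the rule sets and enumerates what is reachable from the Internet and from a compromised web server. All addresses, the host names, and the probe-port list are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses (RFC 5737 documentation ranges); none come from the thread.
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("198.51.100.0/24"),
}
WEB = "192.0.2.10"          # web server in the DMZ, publishes port 80
EXCHANGE = "198.51.100.20"  # Exchange server on the internal side, publishes 443 and 25
FILESRV = "198.51.100.30"   # internal host that publishes nothing
INTERNAL_HOSTS = (EXCHANGE, FILESRV)

# Sample of ports a Windows server of that era typically listens on (assumed list).
# Only three of them should ever be reachable from outside.
PROBE_PORTS = (25, 80, 135, 443, 445, 3389)


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the two LAN ranges is 'internet'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def _covers(selector: str, ip: str) -> bool:
    """A selector is either a zone name or a single host address."""
    if selector in ZONES or selector == "internet":
        return zone_of(ip) == selector
    return selector == ip


@dataclass(frozen=True)
class Allow:
    """One permit rule; anything not matched by an Allow is dropped (default deny)."""
    src: str
    dst: str
    dport: int

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return self.dport == dport and _covers(self.src, src) and _covers(self.dst, dst)


FIREWALLS = {
    "outer": [  # Internet edge, in front of the DMZ
        Allow("internet", WEB, 80),
        Allow("internet", EXCHANGE, 443),
        Allow("internet", EXCHANGE, 25),
        Allow(EXCHANGE, "internet", 25),  # SMTP "both ways"
    ],
    "inner": [  # between the DMZ and the internal network
        Allow("internet", EXCHANGE, 443),
        Allow("internet", EXCHANGE, 25),
        Allow(EXCHANGE, "internet", 25),
    ],
}

# Which firewalls a flow crosses, keyed by (source zone, destination zone).
TWO_FIREWALL_PATH = {
    ("internet", "dmz"): ("outer",),
    ("dmz", "internet"): ("outer",),
    ("internet", "internal"): ("outer", "inner"),
    ("internal", "internet"): ("inner", "outer"),
    ("dmz", "internal"): ("inner",),
    ("internal", "dmz"): ("inner",),
}
# Same hosts, but the web server sits on the internal LAN with no "wall":
# DMZ-to-internal traffic crosses no firewall at all.
FLAT_PATH = {
    ("internet", "dmz"): ("outer",),
    ("dmz", "internet"): ("outer",),
    ("internet", "internal"): ("outer",),
    ("internal", "internet"): ("outer",),
}


def permitted(path_table, src: str, dst: str, dport: int) -> bool:
    """A flow passes only if every firewall on its path has a matching Allow.
    A path with no firewall on it is unfiltered; whether a service is actually
    listening on the target is outside this model."""
    path = path_table.get((zone_of(src), zone_of(dst)), ())
    return all(any(rule.matches(src, dst, dport) for rule in FIREWALLS[fw]) for fw in path)


def reachable(path_table, src: str, hosts) -> set:
    """(host, port) pairs that src can reach: the attack surface as seen from src."""
    return {(h, p) for h in hosts for p in PROBE_PORTS if permitted(path_table, src, h, p)}


if __name__ == "__main__":
    outside = "203.0.113.5"  # constructed Internet address
    print("from the Internet:", sorted(reachable(TWO_FIREWALL_PATH, outside, (WEB,) + INTERNAL_HOSTS)))
    print("from a compromised web server, walled:", sorted(reachable(TWO_FIREWALL_PATH, WEB, INTERNAL_HOSTS)))
    print("from a compromised web server, flat:", len(reachable(FLAT_PATH, WEB, INTERNAL_HOSTS)), "services")
```

    Run as-is, the model reports three services reachable from the Internet (port 80 on the web server, 443 and 25 on Exchange), nothing reachable on the internal hosts from a compromised web server when the inner firewall is in place, and every probed port on every internal host reachable when the web server sits on the same flat network. The second answer's advice about the host firewall on Windows 2003 Server is the same idea applied per host: a default-deny rule set on the server itself would make the FLAT_PATH case look like the walled one even if the network firewall were misconfigured.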
