?
Solved

IIS security question

Posted on 2006-06-22
4
Medium Priority
?
188 Views
Last Modified: 2011-09-20
I currenty have my email gateway server running on a windows 2003 server.  I'm using GFI Mail Essentials/Security for my spam/virus/trojan scanner.  This server is also a front end Exchange server.  It provides OWA access to my remote users.  OWA is being accessed via SSL.  This leaves only the SMTP and SSL ports open on the firewall to this server.  I'm wanting to move my intranet website to this server.  It will be only accessible from within the LAN.  I will NOT be opening up port 80 on the firewall.  This this an okay configuration in regards to security, or, should I look at adding another layer of security?
0
Comment
Question by:gopher_49
  • 2
  • 2
4 Comments
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 16962362
I personally do not see any particular problem with this.

It will not reduce security on the server but it may increase the damage that can be done if someone does manage to penetrate the server.

Dave Dietz
0
 

Author Comment

by:gopher_49
ID: 16969182
What can I do to monitor the security of IIS and to help moderate the damage if the server is compromised.  I guess once it's penetrated it's a done deal...  I know of the IIS lock down tool, and the url scanner, however, what else is there to improve the security of IIS?
0
 
LVL 34

Accepted Solution

by:
Dave_Dietz earned 1000 total points
ID: 16972262
Neither the IIS lockdown tool or URLScan improves the security of IIS 6.0 - their basic functionality is already built into IIS 6.0.

IIS 6.0 installs in a locked down configuration by default.  As long as you only enable the features your site requires you shouldn't really need to do anything else aside from make sure you stay current with security updates.

Beyond that I would suggest checking the logs routinely for suspect behavior, but if you wil only be accessing the Intranet site from within your own network you shouldn't need to worry too much.

As far as moderting the damage - not sure what to say here aside from make sure the machine is *not* a DC or else a penetration will have domain wide effects and be sure to properly permission all content so that if the penetration doesn't involve an admin account the perpetrator can't access everything.

Dave Dietz
0
 

Author Comment

by:gopher_49
ID: 16972717
thanks.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
This video shows how to quickly and easily deploy an email signature for all users in Office 365 and prevent it from being added to replies and forwards. (the resulting signature is applied on the server level in Exchange Online) The email signat…
Screencast - Getting to Know the Pipeline

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question