How to: Configuring secure IIS within VMware

Posted on 2009-04-22
Last Modified: 2012-05-06
I'm beginning the research on a project that will require us to host a web site.  Now this is not hosting our company's web site or anything, it will just receive an https post, and have to respond accordingly.  We have a VMware environment, and run Windows 2003 standard servers, along with a Cisco PIX firewall 515e (?).

My initial thought was to create a rule on the PIX to do a port redirect on 80/443 to take any traffic received on the external interface, and redirect it to the VM hosting IIS, and only accept traffic from the external host's IP address.

Do we need to ensure that this web host can only communicate with a single server (our SQL server, where it is pulling data from) on our internal network, to limit exposure?  Or is that an unnecessary step?

I'd appreciate any and all input as to how you would accomplish this project.  Please also include any links to secure IIS that are necessary, any "how to" guides, as well as any "best practices".

Please also ask if I'm missing any information required for you to make a recommendation.  Thank you!
Question by:tscd
    1 Comment
    LVL 3

    Accepted Solution

    If you have a DMZ on this PIX, you should put the web server in the DMZ, then only allow Ports 1433\1434 to the SQL Box on the internal network.   (Assuming this is Microsoft SQL)

    If the machine is on the internal network, should someone find a way into the machine, (through port 80\443) they will have full access to your internal network.   If the box is in the DMZ, they will have access to the other boxes in the DMZ, and the SQL machine, and will have to work harder to get to your internal network.

    In general:   Apply all patches and stay up to date.   Install antivirus.   DO NOT install IIS or the web directory on the C drive (OS drive).

    Apply all patches for VMware.  There are exploits that allow someone to access memory on the HOST OS from the guest machine.

    Sanitize your input to make sure you are not vulnerable to SQL Injection attacks.

    Guide to securing IIS.    Look down the list for We Checklist IIS version 6.   Also, run the IIS Lockdown Wizard.

    Also, get the one for Windows 2003.   There is an ESX server guide also.
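The DMZ layout the accepted solution describes, combined with the port-redirect and single-source restriction the question proposes, written out as a PIX 6.x configuration fragment. This is an added example, not part of the original thread; all addresses, interface names and ACL names are placeholders, and the exact commands should be checked against the PIX software version actually in use.

```text
! Constructed example (not from the original thread). All addresses are placeholders:
!   outside 203.0.113.10  - the PIX's public address
!   dmz     192.168.50.0  - new DMZ segment holding the IIS VM (192.168.50.10)
!   inside  10.0.0.0      - internal network holding the SQL server (10.0.0.20)
!   partner 198.51.100.25 - the one external host allowed to POST to us

! Third interface becomes the DMZ with a security level between outside (0) and inside (100)
nameif ethernet2 dmz security50
ip address dmz 192.168.50.1 255.255.255.0

! Port redirect: inbound 443 on the public address goes to the IIS VM in the DMZ.
! Only 443 is published; plain 80 is not redirected because the service is HTTPS-only.
static (dmz,outside) tcp 203.0.113.10 443 192.168.50.10 443 netmask 255.255.255.255

! Outside -> DMZ: only the partner host, only to 443. Everything else from the Internet is dropped.
access-list outside_in permit tcp host 198.51.100.25 host 203.0.113.10 eq 443
access-list outside_in deny ip any any
access-group outside_in in interface outside

! Make the SQL server reachable from the DMZ under its real address (identity static), then
! DMZ -> inside: the IIS VM may reach only the SQL server, only on the SQL ports.
! TCP 1433 is the default instance; UDP 1434 (SQL Browser) is only needed for named instances.
static (inside,dmz) 10.0.0.20 10.0.0.20 netmask 255.255.255.255
access-list dmz_in permit tcp host 192.168.50.10 host 10.0.0.20 eq 1433
access-list dmz_in permit udp host 192.168.50.10 host 10.0.0.20 eq 1434
! Log whatever else the DMZ host tries to reach; a hit here is worth investigating.
access-list dmz_in deny ip any any log
access-group dmz_in in interface dmz
```

The two ACLs answer the question's second point: the DMZ-side list is what keeps a compromised web VM from touching anything internal other than the SQL server's listening port, so it is not an unnecessary step. The `log` keyword on the final deny gives a cheap detection signal for exactly that compromise scenario, since the IIS VM has no legitimate reason to initiate anything else toward the inside interface.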
