
How to: Configuring secure IIS within VMware

I'm beginning the research on a project that will require us to host a web site. Now this is not hosting our company's web site or anything, it will just receive an https post, and have to respond accordingly. We have a VMware environment, and run Windows 2003 standard servers, along with a Cisco PIX firewall 515e (?).

My initial thought was to create a rule on the PIX to do a port redirect on 80/443 to take any traffic received on the external interface, and redirect it to the VM hosting IIS, and only accept traffic from the external host's IP address.

Do we need to ensure that this web host can only communicate with a single server (our SQL server, where it is pulling data from) on our internal network, to limit exposure?  Or is that an unnecessary step?

I'd appreciate any and all input as to how you would accomplish this project.  Please also include any links to secure IIS that are necessary, any "how to" guides, as well as any "best practices".

Please also ask if I'm missing any information required for you to make a recommendation.  Thank you!
scwoa commented:
If you have a DMZ on this PIX, you should put the web server in the DMZ, then only allow ports 1433/1434 to the SQL box on the internal network (assuming this is Microsoft SQL).

If the machine is on the internal network, should someone find a way into the machine (through port 80/443), they will have full access to your internal network. If the box is in the DMZ, they will have access to the other boxes in the DMZ and the SQL machine, and will have to work harder to get to your internal network.

In general: apply all patches and stay up to date. Install antivirus. DO NOT install IIS or the web directory on the C drive (OS drive).

Apply all patches for VMware. There are exploits that allow someone to access memory on the host OS from the guest machine.

Sanitize your input to make sure you are not vulnerable to SQL Injection attacks.

Guide to securing IIS. Look down the list for the Web Checklist, IIS version 6. Also, run the IIS Lockdown Wizard.

http://iase.disa.mil/stigs/checklist/index.html

Also, get the one for Windows 2003. There is an ESX server guide also.
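As an added example (not part of the original thread), here is how the design above could be expressed on a PIX running 6.3: the port redirect on the outside address limited to the partner host, the web server placed in a DMZ, and DMZ-to-inside traffic limited to the SQL server on the ports the answer names. All interface names, addresses and the partner host address are assumed placeholders; 1434 is carried as UDP because that is the SQL Server Browser port.

```cisco
! Interface names, security levels and addresses are assumed placeholders
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.10 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 10.1.2.1 255.255.255.0

! Port redirect: only TCP 443 on the outside address is forwarded to the IIS VM
! (10.1.2.10) in the DMZ. Port 80 is left closed because the feed is HTTPS only.
static (dmz,outside) tcp 203.0.113.10 443 10.1.2.10 443 netmask 255.255.255.255 0 0

! Inbound from the Internet: only the known partner host (198.51.100.25, assumed)
! may reach the redirected port; everything else is dropped and logged.
access-list outside_in permit tcp host 198.51.100.25 host 203.0.113.10 eq 443
access-list outside_in deny ip any any log
access-group outside_in in interface outside

! DMZ -> inside: expose the SQL box (192.168.1.20, assumed) to the DMZ without
! translation, then let the web server reach it only on the SQL ports.
static (inside,dmz) 192.168.1.20 192.168.1.20 netmask 255.255.255.255 0 0
access-list dmz_in permit tcp host 10.1.2.10 host 192.168.1.20 eq 1433
access-list dmz_in permit udp host 10.1.2.10 host 192.168.1.20 eq 1434
! A compromised web server gets nothing else on the inside network; log the attempts.
access-list dmz_in deny ip any any log
access-group dmz_in in interface dmz
```

If the web server connects to the default instance on TCP 1433 only, the UDP 1434 line can be dropped, which removes the SQL Browser exposure entirely.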
