Solved

Securing a file server that goes to http

Posted on 2013-05-23
Last Modified: 2013-06-25
Hello,

I'm a programmer, not a sys admin. My question is about securing web servers.

We have two asp.net applications that display and let users download the same group of MS-Word or PDF documents.

We have decided to store those documents not in a database but in the filesystem. Also we have decided to put each asp.net application on a different server (Windows Server 2003 with IIS 6.0). The documents will be stored in a folder of a third server. Please see picture attached. Those three servers will be inside a DMZ.

In that case, those documents should be browsable over http. As they are public, we are not worried about keeping them secret, but we are worried about a possible server hack that modifies their contents.

What would be a good way to secure that file server of documents?
Would it be better to migrate to Windows Server 2008?
SERVERS.png
Question by:miyahira
LVL 25

Expert Comment

by:Ron M
ID: 39194872
Possible solutions...

1) Encrypt the files and decrypt them when serving them up on the webserver.

2) Use a "service account" to access the files, from the webserver.. in this scenario I would recommend the file server wouldn't be a member of the domain, and you would use a strong password for both the administrator account and the service account.

3) Create a firewall rule that only allows communication from the webserver to the fileserver and vice versa. That way the only way to get these files, or the server itself.. is through the web interface you've established.

Ideally you would use all three of these options together.
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 39194928
Agreed. A layered approach is best, and have a way to monitor each layer. So the file server can only be accessed by the web server, and even then you can do read only if you want.
LVL 1

Author Comment

by:miyahira
ID: 39195139
Thanks, xuserx2000.

Just a small clarification for option number two:

2) For that "service account", I guess that I have to create an account named "DocReader" on the Web Server with privileges to read files on the File System Server. Also, a DocReader account should exist on the FileSystem Server.

Are those accounts transparent for asp.net? Or should I specifically use that service account in my asp.net application for reading documents?
LVL 25

Assisted Solution

by:Ron M
Ron M earned 167 total points
ID: 39195211
Actually, the account would exist on the File Server, and you would programmatically authenticate to that server when retrieving docs.

Impersonation, which is what I think you are referring to, would work fine if both machines are members of the domain and the asp.net account is using those creds.

You could use a mapped drive as well with the appropriate creds, which would be a lot easier.. , but I would avoid that in case the webserver could be compromised.

http://support.microsoft.com/kb/841699

You can also use simple command line auth from a shell exec..but I don't recommend it.
For example..
NET USE \\ServerName\IPC$ /USER:ServerName\User1 YourReaallyreallystrongP@$$worb
XCOPY \\Servername\C$\PathtoFiles\EncryptedFile.pdf c:\ASPTempDir\EncryptedFile.pdf

then..unencrypt the file and serve it up, and then delete it from the temp dir (ok solution).  Or unencrypt it in memory reading the file in code, and authing the user account in code, and serve the Filebytes (better solution)

Really it depends on how secure vs. complicated you want this.
My main concern would be if the site is SSL encrypted to begin with, since most hacks involve sniffing of traffic between client and server.
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 39195253
You said they are public documents, so I don't see the need for encryption, just share it to the other box with read only permissions.
LVL 32

Assisted Solution

by:shalomc
shalomc earned 333 total points
ID: 39198833
The file server should be only a file server.
Remove from it all unnecessary services like IIS, and follow general checklists like this one
http://www.esecurityplanet.com/windows-security/top-10-ways-to-secure-a-windows-file-server.html
LVL 1

Author Comment

by:miyahira
ID: 39217422
>> The file server should be only a file server.

I think that the file server should have IIS 6.0. If not, would it still be possible to access documents from two different web applications A and B?

Web Applications A and B load document from fileserver as:
http://192.168.10.32/Documents/MyDoc.doc
LVL 32

Accepted Solution

by:shalomc
shalomc earned 333 total points
ID: 39218987
>> I think that the file server should have IIS 6.0. If not, would it still be possible to access documents from two different web applications A and B?

Web apps A and B access shared folders on server C, not via HTTP but via CIFS/SMB.

Therefore HTTP and IIS are not required and can be removed.
0
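An added example of what the two experts' advice looks like in code (this is not code from the thread or from any of its participants): an ASP.NET handler for web server A or B that fetches a document from the read-only share on server C over CIFS/SMB, as shalomc describes, while authenticating to the file server in code with a dedicated service account and serving the bytes from memory, as Ron M suggests, instead of mapping a drive or shelling out to NET USE with the password on the command line. The share path `\\FILESERVER\Documents`, the local account `DocReader` on the file server, and the `DocReaderPassword` appSettings key are assumed placeholder names, not values from the thread. The handler only accepts a bare file name with an allowed extension, so a request cannot traverse out of the documents folder.

```csharp
// DocumentHandler.ashx.cs - serves public documents from the file server share.
// Added example (not from the thread); share, account and config key names are assumed.
using System;
using System.Configuration;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text.RegularExpressions;
using System.Web;

public class DocumentHandler : IHttpHandler
{
    // Assumed: the read-only share on server C and the local service account created there.
    private const string ShareRoot = @"\\FILESERVER\Documents";
    private const string ServiceUser = "DocReader";
    private const string ServiceDomain = "FILESERVER";   // local account on the file server
    // Assumed: the password lives in web.config appSettings (encrypt that section with aspnet_regiis),
    // never in source or on a command line.
    private static readonly string ServicePassword =
        ConfigurationManager.AppSettings["DocReaderPassword"];

    // A plain file name with an allowed extension; no slashes, no "..", no drive letters.
    private static readonly Regex SafeName = new Regex(@"^[A-Za-z0-9_\-]+\.(pdf|doc|docx)$");

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    // NEW_CREDENTIALS: the token is used only for outbound network access (the SMB share),
    // so the local identity of the worker process is unchanged.
    private const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    private const int LOGON32_PROVIDER_WINNT50 = 3;

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        string name = context.Request.QueryString["name"];
        if (name == null || !SafeName.IsMatch(name))
        {
            context.Response.StatusCode = 400;   // reject anything that is not a plain document name
            return;
        }

        byte[] data = ReadFromShare(name);
        if (data == null)
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.ContentType = ContentTypeFor(name);
        // Force a download so the browser never tries to render the document inline.
        context.Response.AddHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
        context.Response.BinaryWrite(data);
    }

    // Reads the whole file into memory under the service account's network credentials;
    // the application pool identity itself needs no rights on the share at all.
    private static byte[] ReadFromShare(string name)
    {
        IntPtr token = IntPtr.Zero;
        WindowsImpersonationContext ctx = null;
        try
        {
            if (!LogonUser(ServiceUser, ServiceDomain, ServicePassword,
                           LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, out token))
            {
                throw new InvalidOperationException("LogonUser failed, Win32 error " + Marshal.GetLastWin32Error());
            }

            ctx = WindowsIdentity.Impersonate(token);
            string path = Path.Combine(ShareRoot, name);   // name already validated: no separators
            return File.Exists(path) ? File.ReadAllBytes(path) : null;
        }
        finally
        {
            if (ctx != null) ctx.Undo();            // always drop the impersonation
            if (token != IntPtr.Zero) CloseHandle(token);
        }
    }

    private static string ContentTypeFor(string name)
    {
        switch (Path.GetExtension(name).ToLowerInvariant())
        {
            case ".pdf":  return "application/pdf";
            case ".doc":  return "application/msword";
            case ".docx": return "application/vnd.openxmlformats-officedocument.wordprocessingml.document";
            default:      return "application/octet-stream";
        }
    }
}
```

On the file server, grant `DocReader` read-only access to the share and to the NTFS folder and nothing else; with the firewall rule from the first comment limiting traffic to SMB from the two web servers, a compromised web server can then at most read the public documents, not alter them. Because the handler never hands a user-supplied path to the filesystem, there is no need for IIS on the file server, which matches the accepted answer.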
