Solved

Securing a file server that goes to http

Posted on 2013-05-23
8
332 Views
Last Modified: 2013-06-25
Hello,

I'm a programmer, not a sys admin. My question is about securing web servers.

We have two asp.net applications that display and let download a same group of MS-Word or PDF documents.

We have decided to store those documents not in a database but in filesystem. Also we have decided to put each asp.net in different servers (Windows Server 2003 with IIS6.0). The documents will be stored in a folder of a third server. Please see picture attached. Those three servers will be inside a DMZ.

In that case, those documents should be able to be browsed by http. As they are public, we are not worry about keeping them under secret, but we are worry about a possible server hacking and modifying contents.

What would be a good way to secure that file server of documents?
Would be better to migrate to Windows Server 2008?
SERVERS.png
0
Comment
Question by:miyahira
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +1
8 Comments
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 39194872
Possible solutions...

1) Encrypt the files and decrypt them when serving them up on the webserver.

2) Use a "service account" to access the files, from the webserver.. in this scenario I would recommend the file server wouldn't be a member of the domain, and you would use a strong password for both the administrator account and the service account.

3) Create a firewall rule that only allows communication from the webserver to the fileserver and visa versa.  That way the only way to get these files, or the server itself.. is through the web interface you've established.

Ideally you would use all three of these options together.
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39194928
Agreed. A layered approach is best and have  way to monitor each layer. So the file server can only be accessed by the web server and even then you can do read only if you want.
0
 
LVL 1

Author Comment

by:miyahira
ID: 39195139
Thanks, xuserx2000.

Just a small clarification for option number two:

2) For that "service account", I guess that I have to create an account named "DocReader" in Web Server with privileges to read files in File System Server. Also, in FileSystem Server should exist a DocReader account.

Are those accounts transparent for asp.net? Or should I specifically use that service account in my asp.net application for reading documents?
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 25

Assisted Solution

by:Ron Malmstead
Ron Malmstead earned 167 total points
ID: 39195211
Actually, the account would exist on the File Server, and you would programmatically authenticate to that server when retrieving docs.

Impersonation, which is what I think you are referring to, would work fine if both machines are members of the domain and the asp.net account is using those creds.

You could use a mapped drive as well with the appropriate creds, which would be alot easier.. , but I would avoid that in case the webserver could be comprimised.

http://support.microsoft.com/kb/841699

You can also use simple command line auth from a shell exec..but I don't recommend it.
For example..
NET USE \\ServerName\IPC$ /USER:ServerName\User1 YourReaallyreallystrongP@$$worb
XCOPY \\Servername\C$\PathtoFiles\EncryptedFile.pdf c:\ASPTempDir\EncryptedFile.pdf

then..unencrypt the file and serve it up, and then delete it from the temp dir (ok solution).  Or unencrypt it in memory reading the file in code, and authing the user account in code, and serve the Filebytes (better solution)

Really it depends on how secure vs. complicated you want this.
My main concern would be if the site is SSL encrypted to begin with, since most hacks involve sniffing of traffic between client and server.
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39195253
You said they are public documents, so I don't see the need for encryption, just share it to the other box with read only permissions.
0
 
LVL 33

Assisted Solution

by:shalomc
shalomc earned 333 total points
ID: 39198833
The file server should be only a file server.
Remove from it all unnecessary services like IIS, and follow general checklists like this one
http://www.esecurityplanet.com/windows-security/top-10-ways-to-secure-a-windows-file-server.html
0
 
LVL 1

Author Comment

by:miyahira
ID: 39217422
>> The file server should be only a file server.

I think that file server should has IIS6.0. If not, would be still possible to access documents from two different web applications A and B?

Web Applications A and B load document from fileserver as:
http://192.168.10.32/Documents/MyDoc.doc
0
 
LVL 33

Accepted Solution

by:
shalomc earned 333 total points
ID: 39218987
>> I think that file server should has IIS6.0. If not, would be still possible to access documents from two different web applications A and B?

Web apps A and B access shared folders on server C, not via HTTP but via CIFS/SMB.

Therefore HTTP and IIS are not required and can be removed.
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you are a web developer, you would be aware of the <iframe> tag in HTML. The <iframe> stands for inline frame and is used to embed another document within the current HTML document. The embedded document could be even another website.
A phishing scam that claims a recipient’s credit card details have been “suspended” is the latest trend in spoof emails.
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question