Solved

Securing a file server that goes to http

Posted on 2013-05-23
8
329 Views
Last Modified: 2013-06-25
Hello,

I'm a programmer, not a sys admin. My question is about securing web servers.

We have two asp.net applications that display and let download a same group of MS-Word or PDF documents.

We have decided to store those documents not in a database but in filesystem. Also we have decided to put each asp.net in different servers (Windows Server 2003 with IIS6.0). The documents will be stored in a folder of a third server. Please see picture attached. Those three servers will be inside a DMZ.

In that case, those documents should be able to be browsed by http. As they are public, we are not worry about keeping them under secret, but we are worry about a possible server hacking and modifying contents.

What would be a good way to secure that file server of documents?
Would be better to migrate to Windows Server 2008?
SERVERS.png
0
Comment
Question by:miyahira
  • 2
  • 2
  • 2
  • +1
8 Comments
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 39194872
Possible solutions...

1) Encrypt the files and decrypt them when serving them up on the webserver.

2) Use a "service account" to access the files, from the webserver.. in this scenario I would recommend the file server wouldn't be a member of the domain, and you would use a strong password for both the administrator account and the service account.

3) Create a firewall rule that only allows communication from the webserver to the fileserver and visa versa.  That way the only way to get these files, or the server itself.. is through the web interface you've established.

Ideally you would use all three of these options together.
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39194928
Agreed. A layered approach is best and have  way to monitor each layer. So the file server can only be accessed by the web server and even then you can do read only if you want.
0
 
LVL 1

Author Comment

by:miyahira
ID: 39195139
Thanks, xuserx2000.

Just a small clarification for option number two:

2) For that "service account", I guess that I have to create an account named "DocReader" in Web Server with privileges to read files in File System Server. Also, in FileSystem Server should exist a DocReader account.

Are those accounts transparent for asp.net? Or should I specifically use that service account in my asp.net application for reading documents?
0
Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

 
LVL 25

Assisted Solution

by:Ron Malmstead
Ron Malmstead earned 167 total points
ID: 39195211
Actually, the account would exist on the File Server, and you would programmatically authenticate to that server when retrieving docs.

Impersonation, which is what I think you are referring to, would work fine if both machines are members of the domain and the asp.net account is using those creds.

You could use a mapped drive as well with the appropriate creds, which would be alot easier.. , but I would avoid that in case the webserver could be comprimised.

http://support.microsoft.com/kb/841699

You can also use simple command line auth from a shell exec..but I don't recommend it.
For example..
NET USE \\ServerName\IPC$ /USER:ServerName\User1 YourReaallyreallystrongP@$$worb
XCOPY \\Servername\C$\PathtoFiles\EncryptedFile.pdf c:\ASPTempDir\EncryptedFile.pdf

then..unencrypt the file and serve it up, and then delete it from the temp dir (ok solution).  Or unencrypt it in memory reading the file in code, and authing the user account in code, and serve the Filebytes (better solution)

Really it depends on how secure vs. complicated you want this.
My main concern would be if the site is SSL encrypted to begin with, since most hacks involve sniffing of traffic between client and server.
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39195253
You said they are public documents, so I don't see the need for encryption, just share it to the other box with read only permissions.
0
 
LVL 33

Assisted Solution

by:shalomc
shalomc earned 333 total points
ID: 39198833
The file server should be only a file server.
Remove from it all unnecessary services like IIS, and follow general checklists like this one
http://www.esecurityplanet.com/windows-security/top-10-ways-to-secure-a-windows-file-server.html
0
 
LVL 1

Author Comment

by:miyahira
ID: 39217422
>> The file server should be only a file server.

I think that file server should has IIS6.0. If not, would be still possible to access documents from two different web applications A and B?

Web Applications A and B load document from fileserver as:
http://192.168.10.32/Documents/MyDoc.doc
0
 
LVL 33

Accepted Solution

by:
shalomc earned 333 total points
ID: 39218987
>> I think that file server should has IIS6.0. If not, would be still possible to access documents from two different web applications A and B?

Web apps A and B access shared folders on server C, not via HTTP but via CIFS/SMB.

Therefore HTTP and IIS are not required and can be removed.
0

Featured Post

Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Intel Server Board SE7525GP2 Doesn't Recognize Full Hard Drive Capacity 4 122
2003 Server DNS/FS errors 6 65
SharePoint Explorer Folder Access 4 51
Link failure 16 32
Preparing an email is something we should all take special care with – especially when the email is for somebody you may not know very well. The pressures of everyday working life stacked with a hectic office environment can make this a real challen…
Lease-to-own eliminates the expenditure of hardware replacement and allows you to pay off the server over time. Usually, this is much cheaper than leasing servers. Think of lease-to-own as credit without interest.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question