
IIS security question

Old Jun 21, 2002 | 12:24 PM
#1
Rob Walker
Thread Starter

Hi,

I'm in the process of setting up an IIS server for work. Do I need to run a firewall and virus checker on the server or should it be ok without as long as all the latest patches/fixes are installed?

Cheers
Rob
Old Jun 21, 2002 | 12:28 PM
#2
ADP

Well is it sat behind any other firewalls???
Old Jun 21, 2002 | 12:40 PM
#3
David_Wallis

Needs a virus scanner regardless... don't care what you say...

David
Old Jun 21, 2002 | 01:10 PM
#4
Rob Walker
Thread Starter

No, it's not behind any other firewall, it's just a bare server connected to the net.

Cheers
Rob
Old Jun 21, 2002 | 01:28 PM
#5
David_Wallis

Connected to the net as in Internet or internal LAN?

If it's just sat on internet I would at a minimum block all ports other than 80 and open up whatever you need...

David
Old Jun 21, 2002 | 01:35 PM
#6
Rob Walker
Thread Starter

Sorry.. it's connected to the internet.

Can you block ports from within IIS or would I have to run a firewall to do that?

Cheers
Rob
Old Jun 21, 2002 | 01:45 PM
#7
David_Wallis

Do it under network properties, tcp/ip, properties, advanced, enable security.... I would still recommend a firewall though!

David
Old Jun 21, 2002 | 01:58 PM
#8
Rob Walker
Thread Starter

Nice one. Thanks for your help. I'll go and have a look at firewalls now.

Cheers
Rob
Old Jun 21, 2002 | 03:08 PM
#9
ChrisB

You need to strip out some of the installed samples etc.

There's a basic lock down guide for IIS 5 on microsoft.com/technet
Old Jun 21, 2002 | 03:17 PM
#10
stevem2k


Sorry, but the safest thing would be to not install IIS unless you absolutely have to. Can't you use Apache?

And block all ports apart from 80, and rename the administrator account and run an anti-virus and sit it behind a firewall and all of the other lockdown stuff.

Steve
Old Jun 21, 2002 | 03:53 PM
#11
Rob Walker
Thread Starter

Have to use IIS unfortunately. Need it for ASP and we're using custom COM components as well...

Old Jun 21, 2002 | 03:58 PM
#12
stevem2k

Tie it all down then. Run a firewall in front of it - if you are tight on time or the beancounters are having an off day, then a smoothwall will be enough. Don't use a software firewall on anything like a production machine.

Steve
Old Jun 21, 2002 | 04:24 PM
#13
kryten

1) Patch IIS
2) Get a firewall (you could use a software one, hardware is better)
3) Patch IIS (there will be a new one by now!)

Basically, you want to disable everything you're not going to be using. If this is your first attempt then I would suggest you leave the machine on the net for a week or so BEFORE you add anything even remotely important to it!

Also, make sure it's not connected to the rest of your network - if it is then pay someone who knows what they're doing (because you'll need a DMZ for it and it's SO easy to get it wrong).

If you're determined to DIY then Securing win2k/NT servers for the Internet by O'Reilly is a must have as is the IIS Lockdown tool from MS (does a lot of the stuff for you).
Reply
Old Jun 21, 2002 | 05:11 PM
#14
ChrisB

Baseline Security Scanner from MS is very handy as well.
Old Jun 21, 2002 | 05:20 PM
#15
stevem2k

As is the off button.

Old Jun 21, 2002 | 06:44 PM
#16
Rob Walker
Thread Starter

A hardware firewall is out of the question at the moment. The server is in a remote location at the moment. We'll possibly move it in house in the future depending on how things go.

Anyone got any suggestions for a good (cheap) firewall? Personally I use Sygate at the moment and was thinking of using that. Not too keen on Zonealarm cos I've had a few problems with that in the past.

Cheers for all the help
Rob

All times are GMT +1.