IIS security question

Reply Subscribe

Thread Tools

Search this Thread

21 June 2002, 12:24 PM

Rob Walker

Scooby Regular

Thread Starter

Join Date: Nov 1999

Location: Stockport

Posts: 474

Likes: 0

Received 0 Likes on 0 Posts

Hi,

I'm in the process of setting up an IIS server for work. Do I need to run a firewall and virus checker on the server or should it be ok without as long as all the latest patches/fixes are installed?

Cheers
Rob

Reply Like

21 June 2002, 12:28 PM

ADP

Scooby Regular

Join Date: Apr 2001

Posts: 3,823

Likes: 0

Received 1 Like on 1 Post

Well is it sat behind any other firewalls???

Reply Like

21 June 2002, 12:40 PM

David_Wallis

Scooby Regular

Join Date: Nov 2001

Location: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?

Posts: 15,239

Likes: 0

Received 1 Like on 1 Post

needs a virus scanner regardless... dont care what you say...

David

Reply Like

21 June 2002, 01:10 PM

Rob Walker

Scooby Regular

Thread Starter

Join Date: Nov 1999

Location: Stockport

Posts: 474

Likes: 0

Received 0 Likes on 0 Posts

No its not behind any other firewall, its just a bare server connected to the net.

Cheers
Rob

Reply Like

21 June 2002, 01:28 PM

David_Wallis

Scooby Regular

Join Date: Nov 2001

Location: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?

Posts: 15,239

Likes: 0

Received 1 Like on 1 Post

Connected to the net as in Internet or internal Lan?

If its just sat on internet I would at a minimum block all ports other than 80 and open up whatever you need...

David

Reply Like

21 June 2002, 01:35 PM

Rob Walker

Scooby Regular

Thread Starter

Join Date: Nov 1999

Location: Stockport

Posts: 474

Likes: 0

Received 0 Likes on 0 Posts

Sorry.. its connected to the internet.

Can you block ports from within IIS or would I have to run a firewall to do that?

Cheers
Rob

Reply Like

21 June 2002, 01:45 PM

David_Wallis

Scooby Regular

Join Date: Nov 2001

Location: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?

Posts: 15,239

Likes: 0

Received 1 Like on 1 Post

do it under network properties, tcp/ip, properties, advanced, enable security.... I would still recommend a firewall though!

David

Reply Like

Trending Topics

Tried to Cancel Membership month ago.

3

119
What is it with this forum and abuse?

146

5.2k
Interior lights and central locking dead

2

111

21 June 2002, 01:58 PM

Rob Walker

Scooby Regular

Thread Starter

Join Date: Nov 1999

Location: Stockport

Posts: 474

Likes: 0

Received 0 Likes on 0 Posts

Nice one. Thanks for your help. I'll go and have a look at firewalls now.

Cheers
Rob

Reply Like

21 June 2002, 03:08 PM

ChrisB

Moderator

Join Date: Dec 1998

Location: Staffs

Posts: 23,573

Likes: 0

Received 0 Likes on 0 Posts

You need to strip out some of the installed samples etc.

There's a basic lock down guide on for IIS 5 on microsoft.com/technet

Reply Like

21 June 2002, 03:17 PM

#10

stevem2k

Scooby Regular

Join Date: Sep 2001

Location: Kingston ( Surrey, not Jamaica )

Posts: 4,670

Likes: 0

Received 0 Likes on 0 Posts

Sorry, but the safest thing would be to not install IIS unless you absolutely have to. Can't you use apache ?

And block all ports apart from 80 , and rename the administrator account and run an anti-virus and sit it behind a firewall and all of the other lockdown stuff .

Steve

Reply Like

21 June 2002, 03:53 PM

#11

Rob Walker

Scooby Regular

Thread Starter

Join Date: Nov 1999

Location: Stockport

Posts: 474

Likes: 0

Received 0 Likes on 0 Posts

Have to use IIS unfortunately. Need it for ASP and we're using custom COM components as well...

Reply Like

21 June 2002, 03:58 PM

#12

stevem2k

Scooby Regular

Join Date: Sep 2001

Location: Kingston ( Surrey, not Jamaica )

Posts: 4,670

Likes: 0

Received 0 Likes on 0 Posts

Tie it all down then. Run a firewall in front of it - if you are tight on time or the beancounters are having an off day, then a smoothwall will be enough. Don't use a software firewall on anything like a production machine.

Steve

Reply Like

21 June 2002, 04:24 PM

#13

kryten

Scooby Regular

Join Date: May 2000

Posts: 869

Likes: 0

Received 0 Likes on 0 Posts

1) Patch IIS
2) Get a firewall (you could use a software one, hardware is better)
3) Patch IIS (there will be a new one by now!)

Bascially, you want to disable everything you're not going to be using. If this is your first attempt then I would suggest you leave the machine on the net for a week or so BEFORE you add anything even remotely important to it!

Also, make sure its not connected to the rest of your network - if it is then pay someone who knows what they're going (because you'll need a DMZ for it and its SO easy to get it wrong).

If you're determined to DIY then Securing win2k/NT servers for the Internet by O'Reilly is a must have as is the IIS Lockdown tool from MS (does a lot of the stuff for you).

Reply Like

21 June 2002, 05:11 PM

#14

ChrisB

Moderator

Join Date: Dec 1998

Location: Staffs

Posts: 23,573

Likes: 0

Received 0 Likes on 0 Posts

Baseline Security Scanner from MS is very handy as well.

Reply Like

21 June 2002, 05:20 PM

#15

stevem2k

Scooby Regular

Join Date: Sep 2001

Location: Kingston ( Surrey, not Jamaica )

Posts: 4,670

Likes: 0

Received 0 Likes on 0 Posts

As is the off button.

Reply Like

21 June 2002, 06:44 PM

#16

Rob Walker

Scooby Regular

Thread Starter

Join Date: Nov 1999

Location: Stockport

Posts: 474

Likes: 0

Received 0 Likes on 0 Posts

A hardware firewall is out of the question at the moment. The server is in a remote location at the moment. We'll possibly move it in house in the future depending on how things go.

Anyone got any suggestions for a good (cheap) firewall. Personally I use Sygate at the moment and was thinking of using that. Not too keen on Zonealarm cos I've had a few problems with that in the past.

Cheers for all the help
Rob

Reply Like