Regarding the following statement, how do I find more information about the risks
of using IIS?

"Certainly following Attrition's defacement list recently, IIS
seems to be the current victim-of-choice."

"Paul D. Robertson" wrote:

> On Tue, 23 May 2000, Andrew Lawrence wrote:
>
> > We are currently investigating locating our web server with an ISP. The
> > server is Windows NT 4.0 with Sql server and IIS 4.0. We have 2 options; one
> > is to use a managed server provided by the ISP and the second is to buy some
> > rack space to put whatever we like in. The difference in cost is
> > considerable. As we are feeling our way in this arena the cheaper option
> > looks favourable although it means we won't have a firewall protecting the
> > web server. Has anyone any views on this scenario? One firewall vendor has
> > already told me that having a firewall would not protect the web server as
> > you want people to visit it!
>
> This is mostly true.  The majority of Web server attacks come via HTTP,
> not other protocols, and you need to allow HTTP for your server to
> function as a Web server.  I _believe_ the current "most popular attack"
> is the RDS attack against IIS, which is fixable.  I'd expect most service
> providers to spend a good deal of time upgrading servers (and that's one
> of the due diligence questions you'll want to ask a potential hosting
> provider.)  Certainly following Attrition's defacement list recently, IIS
> seems to be the current victim-of-choice.
>
> > What we don't want is for hackers to compromise the data on the Sql
> > server. How secure will it be? Does anyone have any information regarding
>
> "How secure will it be" is a specious question.  It assumes a significant
> number of variables are easily quantifiable.  Once again, it really is a
> bunch of due diligence questions that need to be seriously examined.
> Database servers are notorious for security flaws, holes,
> misconfiguration, etc.  Providing administrative conduits without exposing
> the server to significant risk is difficult.  Managing upgrades, testing
> problems and providing good audit points are all non-trivial exercises in
> a typical colo facility.  Last minute equipment changes can even be a
> complete nightmare in some facilities.  If you haven't colo'd before,
> you're most probably better off going with a managed service offering.
> Especially if you're only doing a small site and the facility is large.
>
> > setting up IIS and Sql server securely. Can you for instance tell SQL only
> > to accept requests from IIS and if you can do this how secure is the IIS side
> > of things?
>
> If the data is sensitive, and you're fielding something critical to the
> business, you're probably best off finding some consulting help.  You'll
> want to look pretty hard at their past work and paranoia level though.
> Trying to do remote access to colo'd Windows boxes well tends to be
> something that makes most security people very squeamish and most NT
> admins way too trusting.
>
> > We don't have the option of using another operating system.
>
> Companies that think like this scare me.
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> [EMAIL PROTECTED]      which may have no basis whatsoever in fact."
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]

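Paul mentions "providing good audit points" as one of the hard parts of running a colo'd web server. As an added example (not code from the thread or from either poster), here is a small Python script that reads IIS W3C extended log lines and flags requests to the RDS endpoint, /msadc/msadcs.dll, that the IIS RDS issue he refers to involved. The log lines are constructed for the example; the field names follow the W3C extended log format's #Fields header. On a server that does not use RDS, any hit on that path is worth an alert regardless of status code.

```python
"""Triage IIS W3C extended log lines for requests to the RDS endpoint.

Added example, not from the original thread. Assumes the W3C extended
log format with a #Fields header; the sample log below is constructed.
"""
from collections import Counter

# Constructed sample: a few ordinary requests plus two hits on the
# RDS endpoint (/msadc/msadcs.dll) from one client.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2000-05-23 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2000-05-23 10:01:02 192.0.2.10 GET /default.asp 200
2000-05-23 10:01:05 192.0.2.10 GET /images/logo.gif 200
2000-05-23 10:02:17 203.0.113.7 POST /msadc/msadcs.dll 200
2000-05-23 10:02:19 203.0.113.7 POST /msadc/msadcs.dll 500
2000-05-23 10:03:00 192.0.2.11 GET /products.asp 200
"""

# Paths whose mere presence in the log is worth an alert on a server
# that does not serve RDS. Compared case-insensitively, as IIS paths are.
WATCHED_PATHS = {"/msadc/msadcs.dll"}


def parse_w3c(text):
    """Yield one dict per log record, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date, ...) carry no records
        if fields is None:
            raise ValueError("log record appears before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            # Malformed record: skip it rather than misalign the columns.
            continue
        yield dict(zip(fields, values))


def find_rds_hits(text):
    """Return the records whose request path is a watched RDS endpoint."""
    return [rec for rec in parse_w3c(text)
            if rec["cs-uri-stem"].lower() in WATCHED_PATHS]


def hits_by_client(text):
    """Count watched-path requests per client address."""
    return Counter(rec["c-ip"] for rec in find_rds_hits(text))


if __name__ == "__main__":
    for rec in find_rds_hits(SAMPLE_LOG):
        print(rec["date"], rec["time"], rec["c-ip"], rec["cs-method"],
              rec["cs-uri-stem"], rec["sc-status"])
    print(dict(hits_by_client(SAMPLE_LOG)))
```

Point the script at a real log by replacing SAMPLE_LOG with the file contents; because the parser takes column names from the #Fields line, it keeps working if the server logs extra fields such as cs(User-Agent) or time-taken, as long as c-ip and cs-uri-stem are among them.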
