From: Chris Eidem (jceidemdexma.com)
Date: Tue Aug 28 2001 - 08:49:47 CDT
> Public Website and private Intranet running on same server
> behind a FW.
Generally a bad idea. If you don't want to give the public the
possibility of seeing the intranet site, don't put it on a publicly
... snippage ...
> 1) What are the implications of having both the Website
> and Intranet
> residing on the same server? Does the "allow all on ports
> 80/4443" to the
> public website expose the Intranet (on the same server) to any extra
> security risks?
If someone gets to the server, they have access to all the files on it,
so password authentication of any sort is useless at that point. If you
have stuff you don't want the public to see, put it on a private
> 2) Would moving the Intranet to a separate server (still
> accessible to
> the public over port 80/443) and only allowing authenticated
> access to the
> application stop (or somehow hinder) it being vulnerable from any IIS
> i.e. Would the authentication prompt for Intranet access block any
> unauthorised access to the underlying IIS / Intranet, as a
> user is prompted
> for sign on before having access to the site?
Code Red didn't ask for permission to wipe its feet on idq.dll.
Permissions don't help when the OS is insecure. Put your intranet stuff
on the inside.
> Or is it secure to have both the Website and Intranet running
> on the same
> server if certain steps are taken first, as the goal is to
> maximise security
> of the Intranet.
Keep the private things on private networks. Get the hint? Imagine how
it would look if someone used the next IIS weakness (and it's coming,
they always do...) to get to your business plans, internal phone
numbers, financials, whatever. This is one of the first things you
should think about: don't put your Quicken files on a computer where
there is a real (non-RFC 1918) IP, where there is no firewall or where
there is Outlook access. Lock it up out of sight and out of reach.
Sorry to be redundant, but this is a lesson *few* seem to get the first
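The reply's point that an authentication prompt never enters the picture for a request like Code Red's (the request is handed to idq.dll before any logon happens) shows up plainly in the server's own logs. The following is an added example, not code from the original post: it scans constructed IIS W3C extended log lines (field order assumed as listed in the `#Fields` header) and flags requests that reached the Index Server ISAPI extension with an oversized query string, noting that the `cs-username` column is empty for them while the intranet page itself did challenge with a 401.

```python
import re
from dataclasses import dataclass

# Constructed IIS W3C extended log excerpt (not from the original post).
# Field order is an assumption; the #Fields line is the authoritative layout.
LONG_QUERY = "N" * 200  # constructed oversized query aimed at a .ida resource
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-08-28 08:49:47 192.0.2.10 - 203.0.113.5 80 GET /intranet/default.htm - 401",
    "2001-08-28 08:49:52 192.0.2.10 jsmith 203.0.113.5 80 GET /intranet/default.htm - 200",
    f"2001-08-28 08:50:03 198.51.100.7 - 203.0.113.5 80 GET /default.ida {LONG_QUERY} 200",
    "2001-08-28 08:50:09 198.51.100.7 - 203.0.113.5 80 GET /index.html - 200",
])

# .ida / .idq are mapped to the Index Server ISAPI extension (idq.dll) by default.
ISAPI_EXT = re.compile(r"\.(ida|idq)$", re.IGNORECASE)


@dataclass
class Hit:
    client: str      # c-ip
    user: str        # cs-username; "-" means no authenticated user
    uri: str         # cs-uri-stem
    query_len: int   # length of cs-uri-query
    status: int      # sc-status


def find_isapi_hits(log_text: str, min_query_len: int = 64) -> list:
    """Return requests that reached idq.dll with a query string of at least
    min_query_len bytes, regardless of whether the client ever authenticated.
    Lines starting with '#' are W3C directives, not requests, and are skipped."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 10:
            continue  # malformed or truncated line; ignore rather than guess
        _date, _time, c_ip, user, _s_ip, _s_port, _method, uri, query, status = fields[:10]
        if ISAPI_EXT.search(uri) and len(query) >= min_query_len:
            hits.append(Hit(c_ip, user, uri, len(query), int(status)))
    return hits


def unauthenticated_hits(log_text: str) -> list:
    """Subset of find_isapi_hits() where IIS recorded no user at all: the request
    was served (or crashed the extension) without any logon prompt being involved."""
    return [h for h in find_isapi_hits(log_text) if h.user == "-"]


if __name__ == "__main__":
    for h in unauthenticated_hits(SAMPLE_LOG):
        print(f"{h.client} hit {h.uri} unauthenticated, query {h.query_len} bytes, status {h.status}")
```

The intranet request in the sample is challenged (401) and only succeeds once a user is present, while the `.ida` request is served with no user at all; authentication on the intranet virtual directory would not have changed that second line.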