OSEC

From: Chris Eidem (jceidemdexma.com)
Date: Tue Aug 28 2001 - 08:49:47 CDT


    Jonathon:

    > Public Website and private Intranet running on same server
    > behind a FW.

    Generally a bad idea. If you don't want to give the public the
    possibility of seeing the intranet site, don't put it on a publicly
    accessible website.

    >

    ... snippage ...

    > Question.
    >
    > 1) What are the implications of having both the Website and Intranet
    > residing on the same server? Does the "allow all on ports 80/443" to the
    > public website expose the Intranet (on the same server) to any extra
    > security risks?
    >

    If someone gets to the server, they have access to all the files on it,
    so password authentication of any sort is useless at that point. If you
    have stuff you don't want the public to see, put it on a private
    network.

    > 2) Would moving the Intranet to a separate server (still accessible to
    > the public over port 80/443) and only allowing authenticated access to the
    > application stop (or somehow hinder) it being vulnerable from any IIS
    > exploits?
    >
    > i.e. Would the authentication prompt for Intranet access block any
    > unauthorised access to the underlying IIS / Intranet, as a user is prompted
    > for sign-on before having access to the site?
    >

    Code Red didn't ask for permission to wipe its feet on idq.dll.
    Permissions don't help when the OS is insecure. Put your intranet stuff
    on the inside.

    > Or is it secure to have both the Website and Intranet running on the same
    > server if certain steps are taken first, as the goal is to maximise security
    > of the Intranet.
    >

    Keep the private things on private networks. Get the hint? Imagine how
    it would look if someone used the next IIS weakness (and it's coming,
    they always do...) to get to your business plans, internal phone
    numbers, financials, whatever. This is one of the first things you
    should think about: don't put your Quicken files on a computer where
    there is a real (non-RFC 1918) IP, where there is no firewall or where
    there is Outlook access. Lock it up out of sight and out of reach.

    Sorry to be redundant, but this is a lesson *few* seem to get the first
    time...

    Chris
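The point Chris makes about Code Red and idq.dll can be seen in a server's own logs: the .ida/.idq request is handled by the Index Server ISAPI extension and never reaches the intranet application's login prompt, so a 401 on the intranet pages says nothing about whether the box was hit. The following is an added example, not code from the original post or the list. It parses a small IIS 5.0 W3C extended log constructed for illustration and flags requests of the Code Red shape (an .ida/.idq stem, an oversized query string, and the %uXXXX unicode-escape shellcode stub the worm carried). The field names follow the W3C extended format; the length threshold and the sample addresses, times and status codes are assumptions made for the example.

```python
"""Flag Code Red-style .ida/.idq requests in IIS W3C extended log lines.

Added example; not part of the original mailing-list post. All log lines
below are constructed. They model the situation in the post: a public
site and an intranet site on one IIS box. The intranet pages answer 401
to anonymous requests, but the .ida request goes to idq.dll regardless.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample log. The Code Red request body is the classic
# 'default.ida?NNNN...' pattern followed by %u-encoded shellcode escapes.
CODE_RED_QUERY = "N" * 240 + "%u9090%u6858%ucbd3%u7801"
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-08-28 13:49:47 192.0.2.10 GET /index.html - 200",
    "2001-08-28 13:49:51 192.0.2.10 GET /intranet/default.asp - 401",
    "2001-08-28 13:50:02 198.51.100.7 GET /default.ida " + CODE_RED_QUERY + " 200",
    "2001-08-28 13:50:05 198.51.100.7 GET /intranet/default.asp - 401",
    "2001-08-28 13:50:20 203.0.113.9 GET /scripts/search.idq q=budget 200",
])

# Detection heuristics. The query-length threshold is an assumption chosen
# for the example; the .ida/.idq mapping is what routed requests to idq.dll.
IDQ_EXTENSIONS = (".ida", ".idq")
MAX_SANE_QUERY = 200
SHELLCODE_MARK = re.compile(r"(%u[0-9a-fA-F]{4}){4,}")  # 4+ consecutive %uXXXX escapes


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into dicts keyed by the #Fields names.

    Directive lines (#...) other than #Fields are skipped; rows whose field
    count does not match the header are ignored rather than guessed at.
    """
    fields = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue
        rows.append(dict(zip(fields, parts)))
    return rows


def flag_idq_requests(text: str) -> List[Tuple[str, str, str, Tuple[str, ...]]]:
    """Return (client ip, uri stem, status, reasons) for suspicious requests.

    A request is flagged if any heuristic fires; all matching reasons are
    reported so an analyst can tell a benign .idq search from an exploit.
    """
    hits = []
    for row in parse_w3c(text):
        stem = row["cs-uri-stem"].lower()
        query = row["cs-uri-query"]
        reasons: List[str] = []
        if stem.endswith(IDQ_EXTENSIONS):
            reasons.append("isapi-idq")
        if len(query) > MAX_SANE_QUERY:
            reasons.append("oversized-query")
        if SHELLCODE_MARK.search(query):
            reasons.append("unicode-shellcode")
        if reasons:
            hits.append((row["c-ip"], row["cs-uri-stem"], row["sc-status"], tuple(reasons)))
    return hits


def intranet_auth_challenges(text: str) -> int:
    """Count 401 responses on the intranet path, to contrast with the hits above."""
    return sum(1 for r in parse_w3c(text)
               if r["cs-uri-stem"].startswith("/intranet/") and r["sc-status"] == "401")


if __name__ == "__main__":
    for ip, stem, status, why in flag_idq_requests(SAMPLE_LOG):
        print(f"{ip} {stem} -> {status} [{', '.join(why)}]")
    print(f"intranet 401s: {intranet_auth_challenges(SAMPLE_LOG)}")
```

Run against the constructed sample, the exploit request from 198.51.100.7 is reported with all three reasons and a 200 status, while the same client's later request to /intranet/default.asp drew a 401: the login prompt was still in place, and still irrelevant to what idq.dll had already done. The .idq search from 203.0.113.9 is reported only on the extension heuristic, which is the cue to look at it rather than treat it as an exploit.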