From: Arne-Erik Martin (secfocusaem-ws.de)
Date: Wed Aug 29 2001 - 06:03:46 CDT
On Tuesday, 28 August 2001 15:32, Tulchinskiy, Sasha wrote:
> I don't think that splitting your system for two boxes may significantly
> improve your security. What you may want to do:
Sorry Sasha, but I don't agree with your opinion! If there is a sec. hole in
the public webserver that allows you access to the file system, it will be
easy to get access to the private webserver too. If the private webserver is
on another box, it's much more difficult to get access through the public
webserver's sec. hole(s). I think it _is_ always a bad idea to run both on
one box. Another point is, if there is a hardware failure, both servers are
down. That's not good ;-)
> 1. If your intranet site is "intranet" (supposed to be accessed by internal
> computers only), set up IP restrictions for IIS to accept only requests
> from internal computers (it's easy)
> 2. If your intranet site is "Extranet" (supposed to be accessed by your
> personnel from inside AND outside), make sure that none of them has
> administrative privileges on the box and better set up HTTPS access to the
> site (there is a risk of your administrator password being sniffed one
> day).
> 3. Make sure that none of the content folders is located on the system
> drive and follow other best practices to maintain IIS (by now you have
> probably seen a lot of links on this topic).
> We have experience of hosting both public and restricted sites on the same
> box - it will work.
> -----Original Message-----
> From: Jonathon.Kalaughersbg-ap.com
> Sent: Monday, August 27, 2001 4:45 PM
> To: focus-mssecurityfocus.com
> Subject: Options for securing a Public Webserver and Private Intranet on
> same server.
> Hello List,
> Public Website and private Intranet running on same server behind a FW.
> The Intranet is accessed via IIS/windows authentication with a "full public
> access over port 80" rule on the Firewall to the server in question.
> The users access the public website and enter authentication upon hitting
> the corporate logon area/box to access the Intranet.
> We are considering the following steps...
> 1) Separate both onto separate servers and DMZ's
> 2) Still Allow full public access to both servers over ports 80/443.
> 1) What are the implications of having both the Website and Intranet
> residing on the same server? Does the "allow all on ports 80/4443" to the
> public website expose the Intranet (on the same server) to any extra
> security risks?
> 2) Would moving the Intranet to a separate server (still accessible to
> the public over port 80/443) and only allowing authenticated access to the
> application stop (or somehow hinder) it being vulnerable from any IIS
> i.e. Would the authentication prompt for Intranet access block any
> unauthorised access to the underlying IIS / Intranet, as a user is
> prompted for sign on before having access to the site?
> Or is it secure to have both the Website and Intranet running on the same
> server if certain steps are taken first, as the goal is to maximise
> security of the Intranet.
> Thanking you all heaps in advance for any feedback at all.
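As an added example that is not part of this thread, the following script checks an IIS applicationHost.config for the points raised above: Sasha's three recommendations (IP restrictions, HTTPS, content off the system drive) and Arne-Erik's objection that co-hosting puts the intranet behind the public site's holes. It assumes a modern IIS (7 or later) XML configuration rather than the 2001-era metabase; the site names, paths and system drive are constructed, hypothetical values.

```python
"""Audit one IIS site in applicationHost.config for the hardening points in the thread."""
import xml.etree.ElementTree as ET

# Constructed sample: public site and intranet on the same box (hypothetical names/paths).
SAMPLE_CONFIG = """<configuration>
 <system.applicationHost><sites>
  <site name="Public"><application path="/"><virtualDirectory path="/" physicalPath="D:\\sites\\public"/></application>
   <bindings><binding protocol="http" bindingInformation="*:80:www.example.com"/></bindings></site>
  <site name="Intranet"><application path="/"><virtualDirectory path="/" physicalPath="C:\\inetpub\\wwwroot\\intranet"/></application>
   <bindings><binding protocol="http" bindingInformation="*:80:intranet.example.com"/></bindings></site>
 </sites></system.applicationHost>
 <location path="Intranet"><system.webServer><security>
  <ipSecurity allowUnlisted="true"/>
 </security></system.webServer></location>
</configuration>"""

SYSTEM_DRIVE = "C:"  # assumption: default Windows system drive


def audit_site(config_xml, site_name, system_drive=SYSTEM_DRIVE):
    """Return a list of findings for site_name; an empty list means all four checks passed."""
    root = ET.fromstring(config_xml)
    findings = []
    sites = root.findall("./system.applicationHost/sites/site")
    site = next((s for s in sites if s.get("name") == site_name), None)
    if site is None:
        raise ValueError(f"site {site_name!r} not found")
    # Co-hosting: every other site in this IIS instance shares its process and file system
    others = [s.get("name") for s in sites if s is not site]
    if others:
        findings.append(f"co-hosted with {', '.join(others)}: a file-system hole there reaches {site_name}")
    # Content folders on the system drive
    for vdir in site.iter("virtualDirectory"):
        path = vdir.get("physicalPath", "")
        if path.upper().startswith(system_drive.upper()):
            findings.append(f"content folder {path} is on the system drive")
    # HTTPS binding, so logon credentials are not sent in clear over port 80
    if "https" not in {b.get("protocol") for b in site.iter("binding")}:
        findings.append("no https binding: Windows/IIS logon can be sniffed")
    # IP restrictions: the site-level <location> must deny unlisted addresses
    ipsec = None
    for loc in root.findall("location"):
        if loc.get("path") == site_name:
            ipsec = loc.find("./system.webServer/security/ipSecurity")
    if ipsec is None or ipsec.get("allowUnlisted", "true").lower() != "false":
        findings.append("ipSecurity does not deny unlisted addresses: site reachable from anywhere")
    return findings


if __name__ == "__main__":
    for finding in audit_site(SAMPLE_CONFIG, "Intranet"):
        print("-", finding)
```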