Recommendations for securing IIS 6.0 as a public web server
on 03.09.2006 04:14:02 by Robert Gordon
I am planning on posting our public website on IIS running under Windows
Server 2003 R2. Can anyone point me at any good sites or white papers for
the best practices for securing the site for public access? I am planning
on making the server a member of our corporate domain for access to it from
internal, and only allowing monitored forwarded port 80 access from the
public Internet to the site through our firewall.
The website is only going to contain static pages and nothing confidential,
so SSL won't be necessary.
All recommendations are welcome. Thanks!
Re: Recommendations for securing IIS 6.0 as a public web server
on 03.09.2006 05:46:29 by Roger Abell
While what you outline is not uncommon, I would like to ask . . .
You said
> I am planning on making the server a member of our corporate domain for
> access to it from internal,
What does that mean?
You characterized content and lack of SSL need. This implies
access, even "from internal" could just as well be unauthenticated.
So, what does this mean?
I often see admins make decisions that from one viewpoint are
avoidable exposures of the corp net/assets because from another
viewpoint the result would have operational/managerial simplicity
(at least on first examination)
I am just checking whether your focus is guarding/hardening the
IIS system or guarding/hardening the corp domain.
--
Roger Abell
Microsoft MVP (Windows Server : Security)
"Rob Gordon" wrote in message
news:eUMlg6vzGHA.4392@TK2MSFTNGP04.phx.gbl...
>I am planning on posting our public website on IIS running under Windows
>Server 2003 R2. Can anyone point me at any good sites or white papers for
>the best practices for securing the site for public access? I am planning
>on making the server a member of our corporate domain for access to it from
>internal, and only allowing monitored forwarded port 80 access from the
>public Internet to the site through our firewall.
>
> The website is only going to contain static pages and nothing
> confidential, so SSL won't be necessary.
>
> All recommendations are welcome. Thanks!
>
Re: Recommendations for securing IIS 6.0 as a public web server
on 03.09.2006 08:02:34 by Robert Gordon
I was planning on making the server a member of our internal Windows
corporate AD domain. Unless the more security-minded approach is to make
the server standalone, so that if it becomes compromised no further
actions can be taken against the internal Windows AD domain.
I would be interested in hardening both IIS and using the most security-minded
method for keeping the internal domain safe as well.
Regards,
Rob Gordon
"Roger Abell [MVP]" wrote in message
news:OMJzEuwzGHA.4796@TK2MSFTNGP06.phx.gbl...
> While what you outline is not uncommon, I would like to ask . . .
>
> You said
>> I am planning on making the server a member of our corporate domain for
>> access to it from internal,
>
> What does that mean?
>
> You characterized content and lack of SSL need. This implies
> access, even "from internal" could just as well be unauthenticated.
> So, what does this mean?
>
> I often see admins make decisions that from one viewpoint are
> avoidable exposures of the corp net/assets because from another
> viewpoint the result would have operational/managerial simplicity
> (at least on first examination)
>
> I am just checking whether your focus is guarding/hardening the
> IIS system or guarding/hardening the corp domain.
>
> --
> Roger Abell
> Microsoft MVP (Windows Server : Security)
>
> "Rob Gordon" wrote in message
> news:eUMlg6vzGHA.4392@TK2MSFTNGP04.phx.gbl...
>>I am planning on posting our public website on IIS running under Windows
>>Server 2003 R2. Can anyone point me at any good sites or white papers
>>for the best practices for securing the site for public access? I am
>>planning on making the server a member of our corporate domain for access
>>to it from internal, and only allowing monitored forwarded port 80 access
>>from the public Internet to the site through our firewall.
>>
>> The website is only going to contain static pages and nothing
>> confidential, so SSL won't be necessary.
>>
>> All recommendations are welcome. Thanks!
>>
>
>
Re: Recommendations for securing IIS 6.0 as a public web server
on 03.09.2006 10:40:26 by Roger Abell
"Rob Gordon" wrote in message
news:%23DwzO6xzGHA.4648@TK2MSFTNGP04.phx.gbl...
>I was planning on making the server a member of our internal Windows
>corporate AD domain.
why?
> Unless the more security minded approach is to make the server a stand
> alone, so that if it becomes compromised no further actions can be taken
> against the internal Windows AD domain.
>
that is ipso facto more defensive.
but is there a need to do otherwise? i.e. Why?
> I would be interested in hardening both IIS, and doing the most security
> minded method for keeping the internal domain safe as well.
>
> Regards,
>
> Rob Gordon
>
>
> "Roger Abell [MVP]" wrote in message
> news:OMJzEuwzGHA.4796@TK2MSFTNGP06.phx.gbl...
>> While what you outline is not uncommon, I would like to ask . . .
>>
>> You said
>>> I am planning on making the server a member of our corporate domain for
>>> access to it from internal,
>>
>> What does that mean?
>>
>> You characterized content and lack of SSL need. This implies
>> access, even "from internal" could just as well be unauthenticated.
>> So, what does this mean?
>>
>> I often see admins make decisions that from one viewpoint are
>> avoidable exposures of the corp net/assets because from another
>> viewpoint the result would have operational/managerial simplicity
>> (at least on first examination)
>>
>> I am just checking whether your focus is guarding/hardening the
>> IIS system or guarding/hardening the corp domain.
>>
>> --
>> Roger Abell
>> Microsoft MVP (Windows Server : Security)
>>
>> "Rob Gordon" wrote in message
>> news:eUMlg6vzGHA.4392@TK2MSFTNGP04.phx.gbl...
>>>I am planning on posting our public website on IIS running under Windows
>>>Server 2003 R2. Can anyone point me at any good sites or white papers
>>>for the best practices for securing the site for public access? I am
>>>planning on making the server a member of our corporate domain for access
>>>to it from internal, and only allowing monitored forwarded port 80 access
>>>from the public Internet to the site through our firewall.
>>>
>>> The website is only going to contain static pages and nothing
>>> confidential, so SSL won't be necessary.
>>>
>>> All recommendations are welcome. Thanks!
>>>
>>
>>
>
>
Re: Recommendations for securing IIS 6.0 as a public web server
on 04.09.2006 17:45:30 by Medman
Hi Rob:
Best practices are the following:
1. Get a firewall that allows you to set up a LAN (internal) and a DMZ
(external).
2. Get at a minimum two boxes (servers): one for the outside on the DMZ
serving the web pages, and one internal serving the corporate
requirements on the LAN. You can get fancier by having two boxes on the
DMZ, one with IIS serving the pages, and one holding the SQL databases.
Your internal requirements/servers you already have/know.
3. Set up 2 domains: one internal and one external.
4. Get a copy of pcAnywhere corporate edition and set it up on the web
server and the development server/workstation on the LAN.
5. Keep a copy of the website(s) on a server/workstation on the LAN and
perform all website updates on this server/workstation, then when you
are ready, upload all changes to the web server on the DMZ using
pcAnywhere.
This setup keeps all outside stuff on the DMZ and all internal stuff on
the LAN, and unless you set up a trust relationship between the
domains, you have a pretty secure setup.
medman
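The LAN/DMZ/Internet layout above, and the thread's earlier point that only forwarded port 80 should reach the web server while a compromised DMZ box should have no path into the internal AD domain, can be checked against a firewall rule set before it is deployed. The following is an added example, not code from the thread or from any product: it models the three zones as a first-match policy with deny-by-default and audits the two properties. Zone names, rule order and the "domain-joined" variant are constructed; the AD service ports and the pcAnywhere ports (TCP 5631 data, UDP 5632 status) are the well-known ones.

```python
# Constructed zone-based firewall policy check (not from the thread).
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str               # "tcp" or "udp"
    dst_port: Optional[int]  # None means any port
    action: str              # "allow" or "deny"

# First match wins; anything unmatched is denied (implicit deny at the end).
POLICY: List[Rule] = [
    Rule("internet", "dmz", "tcp", 80, "allow"),   # the only public flow
    Rule("lan", "dmz", "tcp", 5631, "allow"),      # pcAnywhere data, LAN -> DMZ publish
    Rule("lan", "dmz", "udp", 5632, "allow"),      # pcAnywhere status
    Rule("lan", "dmz", "tcp", 80, "allow"),        # internal staff browse the site
    Rule("dmz", "lan", "tcp", None, "deny"),       # nothing originates from the DMZ
    Rule("dmz", "lan", "udp", None, "deny"),
]

# Ports a domain-joined host must reach on its domain controllers:
# Kerberos, LDAP, SMB, RPC endpoint mapper, DNS, LDAPS, global catalog.
AD_PORTS: List[Tuple[str, int]] = [
    ("tcp", 88), ("udp", 88), ("tcp", 389), ("udp", 389), ("tcp", 445),
    ("tcp", 135), ("udp", 53), ("tcp", 636), ("tcp", 3268),
]

def decide(policy: List[Rule], src: str, dst: str, proto: str, port: int) -> str:
    """Return 'allow' or 'deny' for one flow under first-match semantics."""
    for r in policy:
        if (r.src_zone == src and r.dst_zone == dst
                and r.proto == proto and r.dst_port in (None, port)):
            return r.action
    return "deny"

def internet_exposure(policy: List[Rule]) -> list:
    """Every (zone, proto, port) the Internet may open; port None = any port."""
    return [(r.dst_zone, r.proto, r.dst_port)
            for r in policy if r.src_zone == "internet" and r.action == "allow"]

def dmz_to_lan_leaks(policy: List[Rule]) -> list:
    """AD flows a compromised DMZ host could still open toward the LAN."""
    return [(p, port) for p, port in AD_PORTS
            if decide(policy, "dmz", "lan", p, port) == "allow"]

def audit(policy: List[Rule]) -> dict:
    leaks = dmz_to_lan_leaks(policy)
    return {"internet_exposure": internet_exposure(policy),
            "dmz_to_lan_leaks": leaks,
            "dmz_isolated": not leaks}

# What joining the DMZ web server to the internal domain would require:
# an allow rule for every AD port from the DMZ into the LAN, which is exactly
# the path that makes a web-server compromise a domain problem.
DOMAIN_JOINED_POLICY: List[Rule] = (
    POLICY[:4]
    + [Rule("dmz", "lan", proto, port, "allow") for proto, port in AD_PORTS]
    + POLICY[4:]
)

if __name__ == "__main__":
    print("separate domain:", audit(POLICY))
    print("domain-joined DMZ host:", audit(DOMAIN_JOINED_POLICY))
```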
Re: Recommendations for securing IIS 6.0 as a public web server
on 19.09.2006 19:21:36 by Norm
As to why? I have about 30 folks who work on web pages on my web server.
Making it part of the domain makes permissions much easier. Perhaps
that's why he might want it part of the domain.
Roger Abell [MVP] wrote:
> "Rob Gordon" wrote in message
> news:%23DwzO6xzGHA.4648@TK2MSFTNGP04.phx.gbl...
>> I was planning on making the server a member of our internal Windows
>> corporate AD domain.
>
> why?
>
>> Unless the more security minded approach is to make the server a stand
>> alone, so that if it becomes compromised no further actions can be taken
>> against the internal Windows AD domain.
>>
>
> that is ipso facto more defensive.
> but is there a need to do otherwise? i.e. Why?
>
>> I would be interested in hardening both IIS, and doing the most security
>> minded method for keeping the internal domain safe as well.
>>
>> Regards,
>>
>> Rob Gordon
>>
>>
>> "Roger Abell [MVP]" wrote in message
>> news:OMJzEuwzGHA.4796@TK2MSFTNGP06.phx.gbl...
>>> While what you outline is not uncommon, I would like to ask . . .
>>>
>>> You said
>>>> I am planning on making the server a member of our corporate domain for
>>>> access to it from internal,
>>> What does that mean?
>>>
>>> You characterized content and lack of SSL need. This implies
>>> access, even "from internal" could just as well be unauthenticated.
>>> So, what does this mean?
>>>
>>> I often see admins make decisions that from one viewpoint are
>>> avoidable exposures of the corp net/assets because from another
>>> viewpoint the result would have operational/managerial simplicity
>>> (at least on first examination)
>>>
>>> I am just checking whether your focus is guarding/hardening the
>>> IIS system or guarding/hardening the corp domain.
>>>
>>> --
>>> Roger Abell
>>> Microsoft MVP (Windows Server : Security)
>>>
>>> "Rob Gordon" wrote in message
>>> news:eUMlg6vzGHA.4392@TK2MSFTNGP04.phx.gbl...
>>>> I am planning on posting our public website on IIS running under Windows
>>>> Server 2003 R2. Can anyone point me at any good sites or white papers
>>>> for the best practices for securing the site for public access? I am
>>>> planning on making the server a member of our corporate domain for access
>>>> to it from internal, and only allowing monitored forwarded port 80 access
>>>> from the public Internet to the site through our firewall.
>>>> The website is only going to contain static pages and nothing
>>>> confidential, so SSL won't be necessary.
>>>>
>>>> All recommendations are welcome. Thanks!
>>>>
>>>
>>
>
>