Open port 80, security issues?

on 21.12.2007 09:22:24 by Bjorn Sagbakken

Hi.

This might not be the right forum for my question, but still I throw it out:

I have just succeeded in publishing my ASP.NET web application on my own PC,
opening port 80 in/out in my firewall, so now it is accessible from the
internet. It is running on IIS on WinXP.

So far I haven't experienced any problem, but are there actions I should
take to secure my PC against hackers, now that port 80 is open? Like add-on
s/w or other smart stuff?

Thanks.

Regards
Bjorn

Re: Open port 80, security issues?

on 25.12.2007 15:20:42 by DFS

I don't believe so...but bear in mind I'm no expert...

As long as your firewall stops access to all those other things you don't
want people having access to....like say SQL Server or whatnot...

Make sure you've got all the latest service packs etc.

The security holes will come in from your code so as long as you have
security holes in it like SQL injection and protection from brute force
stuff...Then make sure your IIS settings have only the minimum access that
your application needs and I think you are safe..

http://httpsentry.httpsentry-com.qarchive.org/ <-- I was just googling and found
this, I cannot verify the product is of use, but if you google all the
things it claims to report on, you will know well enough...

Anyone else know?



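An added example, not part of the thread: one way to check the point above about the firewall covering "all those other things" is to list which TCP services on the PC are listening on non-loopback addresses besides port 80. The `netstat -an` output below is a constructed sample, and the function name and port labels are this example's own.

```python
import re

# Constructed sample of `netstat -an` output on a Windows host (not from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        203.0.113.7:51234      ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Default ports of services commonly found on a Windows workstation.
KNOWN = {135: "RPC endpoint mapper", 139: "NetBIOS session",
         445: "SMB", 1433: "SQL Server", 3389: "Remote Desktop"}

# Matches only TCP rows in the LISTENING state; handles [::]:80 style addresses.
LISTEN_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")


def exposed_listeners(netstat_text, allowed_ports=(80,)):
    """Return (address, port, label) for listeners that are reachable from
    other hosts unless a packet filter blocks them, excluding allowed_ports."""
    findings = set()
    for line in netstat_text.splitlines():
        m = LISTEN_ROW.match(line)
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        if addr.startswith("127.") or addr == "[::1]":
            continue  # loopback-only services are not reachable remotely
        if port in allowed_ports:
            continue  # the web server we intend to publish
        findings.add((addr, port, KNOWN.get(port, "unknown service")))
    return sorted(findings, key=lambda f: (f[1], f[0]))


if __name__ == "__main__":
    for addr, port, label in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{addr}:{port:<6} {label}: confirm the firewall blocks this")
```

Each row reported is a service that depends entirely on the firewall rule set to stay unreachable from the Internet; stopping services that are not needed shortens the list.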
Re: Open port 80, security issues?

on 26.12.2007 04:24:29 by MR. Arnold

"Bjorn Sagbakken" wrote in message
news:UuGdnW5zUNYi6vba4p2dnAA@telenor.com...
> Hi.
>
> This might not be the right forum for my question, but still I throw it
> out:
>
> I have just succeeded in publishing my ASP.NET web application on my own
> PC, opening port 80 in/out in my firewall, so now it is accessible from
> the internet. It is running on IIS on WinXP.
>
> So far I haven't experienced any problem, but are there actions I should
> take to secure my PC against hackers, now that port 80 is open? Like
> add-on s/w or other smart stuff?
>

1) Win XP is not a Web server platform, and you shouldn't be exposing a
workstation to the Internet. If you're going to do such a thing, then you
should be using Win 2k3 server, which is a Web server platform.

2) If the O/S, file system, registry, user accounts, and IIS itself are not
secured/hardened against attack, then all you have is hack bait that can be used as
a jumping off point to attack other Web servers and other networks over the
Internet from your computer. There are entire books used by professionals,
and they can hardly secure the Win NT based O/S platform facing the
Internet.

3) I'll assume you're talking about XP's firewall or some 3rd party personal
firewall. They are not firewalls. They are machine level packet filters. A
firewall separates two networks. It protects from the network it's
protecting from, usually the Internet, and it protects the network it's
protecting, the LAN. A firewall must have at least two interfaces. One
interface must face the WAN/Internet and the other interface must face the
LAN. In the case of a software firewall solution running on a secured gateway
host computer, the host computer will have at least two network interface
cards (NICs) with one facing the WAN and the other one facing the LAN.

http://www.vicomsoft.com/knowledge/reference/firewalls1.html

The list is long as to what you should be doing that you don't have the
expertise to do.

I hate to be blunt about it, but I think you have put up hack bait that has
already been hacked, and you don't know about it.

Re: Open port 80, security issues?

on 27.12.2007 12:56:52 by Bjorn Sagbakken

Thanks for your input. I will try filters like httpsentry.

Bjorn


Re: Open port 80, security issues?

on 27.12.2007 13:59:10 by Bjorn Sagbakken

"Mr. Arnold" wrote in message
news:u2QMY72RIHA.4684@TK2MSFTNGP02.phx.gbl...
>
> "Bjorn Sagbakken" wrote in message
> news:UuGdnW5zUNYi6vba4p2dnAA@telenor.com...
>> Hi.
>>
>> This might not be the right forum for my question, but still I throw it
>> out:
>>
>> I have just succeeded in publishing my ASP.NET web application on my own
>> PC, opening port 80 in/out in my firewall, so now it is accessible from
>> the internet. It is running on IIS on WinXP.
>>
>> So far I haven't experienced any problem, but are there actions I should
>> take to secure my PC against hackers, now that port 80 is open? Like
>> add-on s/w or other smart stuff?
>>
>
> 1) Win XP is not a Web server platform, and you shouldn't be exposing a
> workstation to the Internet. If you're going to do such a thing, then you
> should be using Win 2k3 server, which is a Web server platform.

At the moment I am only testing, but I take your advice, so if the
application ends up more permanently I will set up a different machine with
Win 2k3.

> 2) If the O/S, file system, registry, user accounts, and IIS itself are
> not secured/hardened against attack, then all you have is hack bait that can be
> used as a jumping off point to attack other Web servers and other networks
> over the Internet from your computer. There are entire books used by
> professionals, and they can hardly secure the Win NT based O/S platform
> facing the Internet.

Scary stuff, indeed. But of course, that was the reason I asked.

> 3) I'll assume you're talking about XP's firewall or some 3rd party
> personal firewall. They are not firewalls. They are machine level packet
> filters. A firewall separates two networks. It protects from the network
> it's protecting from, usually the Internet, and it protects the network
> it's protecting, the LAN. A firewall must have at least two interfaces.
> One interface must face the WAN/Internet and the other interface must face
> the LAN. In the case of a software firewall solution running on a secured
> gateway host computer, the host computer will have at least two network
> interface cards (NICs) with one facing the WAN and the other one facing
> the LAN.
>
> http://www.vicomsoft.com/knowledge/reference/firewalls1.html
>
> The list is long as to what you should be doing that you don't have the
> expertise to do.
>
> I hate to be blunt about it, but I think you have put up hack bait that
> has already been hacked, and you don't know about it.

Thanks for the information. I will also check with my company's IT personnel
about the best approach for securing a personal web server, like a host
computer or a recommended s/w firewall.

Bjorn