Security Basics mailing list archives

Re: How to secure access to private network files via IIS 6.0?


From: "Tomasz Onyszko" <t.onyszko () w2k pl>
Date: Fri, 13 Feb 2004 12:06:20 +0100

Ron Rollo wrote:


I am looking for some info on best practices for securing file access to
internet users via IIS 6.0.  We have document files that are accessible via
our private internal Windows servers, but there is a need to have some of them
available for internet users.
Our web server (Windows 2003 Server IIS6.0) is currently in a DMZ behind a
PIX firewall. How can we provide authentication and access to files on the
private network via our web server without having to host a separate copy of
those files in the DMZ? If we open up ports 139 or 445 for the web server in
the DMZ to enter the inside, wouldn't we be putting our inside environment at
a larger risk in the event someone hacks our web server?  What are best
practices for this type of need?

This is generally not a good idea in my opinion. But can't you give them
access to your files with VPN connections terminated on the PIX? The client is free.

If you want to use IIS, provide these users with certificates and use
certificate-based authentication, harden this IIS server, and set
appropriate rights for users on NTFS and the share.

You don't have to give external users access to ports 139 and 445, but you have
to allow your IIS machine to access them. This is a possible risk: if someone
breaks your web server security, he will be in :(.

I will do it with a VPN connection to my network, with no external (non-VPN) access to
the web server which will serve the documents. Access for VPN users restricted only to
the web server, nothing more (the PIX will do it great), authentication based on
certificates, hardened IIS and file server, strict event auditing on IIS and
file server. External users have access only to port 80 on the web server; the IIS box
has access only to specific ports on the file server.

-- 
Tomasz Onyszko - T.Onyszko () w2k pl
http://www.w2k.pl

