Security Basics mailing list archives
Re: How to secure access to private network files via IIS 6.0?
From: "Tomasz Onyszko" <t.onyszko () w2k pl>
Date: Fri, 13 Feb 2004 12:06:20 +0100
Ron Rollo wrote:
I am looking for some info on best practices for securing file access to
internet users via IIS 6.0. We have document files that are accessible via our private internal Windows servers, but there is a need to have some of them available for internet users.
Our web server (Windows 2003 Server IIS6.0) is currently in a DMZ behind a
PIX firewall. How can we provide authentication and access to files on the private network via our web server without having to host a seperate copy of those files in the DMZ? If we open up ports 139 or 445 for the web server in the DMZ to enter the inside, wouldn't we be putting our inside environment at a larger risk in the event someone hacks our web server? What are best practices for this type of need? This is generally not good idea in my opinion. But, - cen't You give them acces to Your files with VPN connections terminated on PIX - client is free. If You want to use IIS provide this users with certificates and use certidficate based autenthication - do a hardening for this IIS server and set properiate rights for users on NTFS and share. You don't have to give external users access to 139 and 445 port, but You have to allow You IIS machine to access this, this is possible risk if someone breaks Your web server security, he will be in :(. I will do it with VPN connection to my network, no external (no VPN) acces to web server which will serve document. Access to VPN users restricted only to web server, nothing more (PIX will do it great), authentication based on certificates, hardened IIS and file server, strict event auditing on IIS and file server. External user have only access to 80 port on web server, IIS box has only access to specific ports on file server. -- Tomasz Onyszko - T.Onyszko () w2k pl http://www.w2k.pl --------------------------------------------------------------------------- Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection Protect your network with the comprehensive security solution that integrates six applications for ease of use and lower TCO. Firewall - Virus protection - Spam protection - URL blocking - VPN - Wireless security. Download 30-day evaluation at: http://www.astaro.com/php/contact/securityfocus.php ----------------------------------------------------------------------------
Current thread:
- How to secure access to private network files via IIS 6.0? Ron Rollo (Feb 12)
- <Possible follow-ups>
- How to secure access to private network files via IIS 6.0? Sistemas Aurensis-Sys Sec (Feb 13)
- How to secure access to private network files via IIS 6.0? Sistemas Aurensis-Sys Sec (Feb 13)
- Re: How to secure access to private network files via IIS 6.0? Tomasz Onyszko (Feb 13)