Firewall Wizards mailing list archives
RE: FW-1, HTTP access and strength of IIS security
From: Siglite <siglite () criticalstop com>
Date: Wed, 8 Sep 1999 07:42:30 -0400 (EDT)
Amen. And, in addition: As a general policy, we remove all default configurations, sample, and administrative pages and scripts from any new IIS installation. I recommend doing this unless you have some VERY strong reason for keeping them there. At the least, disable or remove them from your site via the MMC.

/*-----------------------------------*/
/* I live with FEAR every day.       */
/* But, sometimes, she lets me RACE. */
/*-----------------------------------*/

KT Morgan
Network Engineer
Checkpoint Firewall-1 CCSA/CCSE
Microsoft MCP
Software Systems Group, Inc

On Tue, 7 Sep 1999, Thomas Crowe wrote:
Scott;

It's obvious that you're serious about protecting your site and the information contained therein. Locking down the access to that box to only allow port 443 is a great FIRST step. Be very aware however that IIS does have a known buffer overflow that can be easily exploited. I know it works on port 80; I do not know if it has been tried on port 443. The overflow is contained in a .dll that handles .htr files, I believe. As long as you're not supporting .htr files (I think they are used for changing SAM-stored passwords through IIS) you should be safe from that exploit.

I would like to throw out a few other things to consider. Are ALL boxes behind the firewall locked down in the same manner, i.e. your DNS server, your mail server, etc...? If one of these machines is compromised then an intruder has free access to your NT machine and your firewall will never see it. Is your firewall fully locked down? If on Unix, is it only running the minimum daemons, or on NT are ALL hot fixes applied and the service pack up to date? Also, are all services shut down except what is REALLY needed? Is your firewall configured as a member server in a domain or by itself? I wouldn't EVER put a firewall in the domain; compromising one system in the domain opens up ALL machines in the domain.

Just thought that I would add my $0.02; hope it helps.

Thomas Crowe
Production Network Systems Administrator
BellSouth Online

-----Original Message-----
From: owner-firewall-wizards () lists nfr net [mailto:owner-firewall-wizards () lists nfr net] On Behalf Of Briercheck, Scott
Sent: Sunday, September 05, 1999 4:29 PM
To: 'firewall-wizards () nfr net'
Subject: FW-1, HTTP access and strength of IIS security

I'm hoping to get a little advice. I'm setting up an IIS 4.0 website that has code to manage its own logins and user state (it doesn't just rely on NT directory security - you can have a "web" account on the site without having an NT account on the machine). The "web" account IDs and passwords are stored in a SQL 7.0 database that will also be behind the firewall. In front of the web site I'm planning on putting FW-1 running on Solaris. The firewall will only allow SHTTP to the IIS web server on port 443. I expect that it should look no different to the web user than before I put the firewall up. Other than SHTTP, nothing else will be allowed through.

My first question is this: Is IIS + FW-1 sufficient security for sensitive information? I've been told by various security consultants that it is, but I'm starting to have reservations. I know that nothing can guarantee against a break-in, but is this a good choice - can I feel reasonably confident relying on the Firewall plus the IIS-supported login to be my primary mode of security (assuming MY code is good... is IIS 4.0 good enough)? I worry about buffer overflow attacks, and other types of hacks, since I will be allowing SHTTP through the firewall and right to the website. This means that I need to rely on IIS being robust enough.

My second question is a follow-up to the first: Can I enhance the security by having the users be forced to log into FW-1 at the firewall before granting access to the website? The FW consultants and I discussed the idea of putting a RADIUS server (from Livingston software) into the security package. The Radius server would authenticate users at the Firewall (using their login ID stored inside the SQL 7.0 database). With this setup, not even SHTTP would be allowed past FW-1 unless the user first authenticates at the Firewall to gain a connection. The problem is that I'm being told this "firewall" login would have to be done in HTTP (plain text), and not SHTTP. I had hoped to have a single login for the users, but I do not want them sending their password in plain text. This means that I would need to add a one-time password scheme (secure-ID card). If they successfully log into the firewall, then they have a second login at the IIS login screen to actually access the website.

The third question is: Has anyone implemented this type of "firewall" login using a Radius server (or something similar)? Is there something out there that supports HTTPS for the firewall login? I would really rather not implement a secure ID card if I don't have to, as we will be dealing with many distributed users, so card management will be a pain.

Thoughts or comments are appreciated.

Thanks,
Scott
brierchecks () msx upmc edu
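The RADIUS-at-the-firewall idea discussed in the thread has two separate legs: the user's browser talking to the firewall (the plain-text HTTP login Scott is worried about), and the firewall (acting as RADIUS client/NAS) talking to the RADIUS server. The example below, added here and not from any poster, shows what the second leg actually does with the password: per RFC 2865 section 5.2 the NAS hides the User-Password attribute by XORing it against MD5(shared secret + Request Authenticator) chained block by block, and the server reverses that to check it. The shared secret, user name, password, NAS address, and the fixed Request Authenticator in the usage are all constructed sample values; a real NAS draws the authenticator from a strong random source (os.urandom is used when none is supplied).

```python
import hashlib
import ipaddress
import os
import struct

# RADIUS code and attribute types used below (RFC 2865).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(shared_secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 s5.2: pad the password with NULs to a 16-byte multiple, then
    XOR block i with MD5(secret + previous block), where the 'previous block'
    for the first block is the 16-byte Request Authenticator."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(shared_secret + prev).digest()
        block = _xor(padded[i:i + 16], key)
        out += block
        prev = block          # chaining: next key depends on this ciphertext block
    return out


def reveal_password(shared_secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Server-side inverse of hide_password; strips the NUL padding."""
    if len(hidden) % 16 or not hidden:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(shared_secret + prev).digest()
        block = hidden[i:i + 16]
        out += _xor(block, key)
        prev = block
    return out.rstrip(b"\x00")   # assumes the real password has no trailing NULs


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the 2 header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, shared_secret: bytes, username: bytes,
                         password: bytes, nas_ip: str, authenticator: bytes = None) -> bytes:
    """Encode an Access-Request as the NAS (here: the firewall) would send it."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(shared_secret, authenticator, password))
             + _attr(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier & 0xFF, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, {attr_type: value}) or raise on a malformed packet."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("Length field does not match packet size")
    authenticator, attrs, pos = data[4:20], {}, 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs


def server_accepts(data: bytes, shared_secret: bytes, expected_user: bytes, expected_password: bytes) -> bool:
    """What the RADIUS server checks: recover the password and compare it to the stored one."""
    code, _ident, authenticator, attrs = parse_packet(data)
    if code != ACCESS_REQUEST or ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        return False
    if attrs[ATTR_USER_NAME] != expected_user:
        return False
    return reveal_password(shared_secret, authenticator, attrs[ATTR_USER_PASSWORD]) == expected_password


if __name__ == "__main__":
    # Constructed sample values; the fixed authenticator exists only to make the run reproducible.
    secret, ra = b"s3cr3t", bytes(range(16))
    pkt = build_access_request(7, secret, b"scott", b"correct horse", "10.0.0.1", authenticator=ra)
    print(len(pkt), parse_packet(pkt)[3][ATTR_USER_PASSWORD].hex())
    print(server_accepts(pkt, secret, b"scott", b"correct horse"))
```

Two things worth seeing in the output: the User-Password attribute on the wire is not the plaintext, but its protection rests entirely on the NAS-to-server shared secret and MD5, which is obfuscation rather than strong encryption, so that link belongs on a protected management network. More importantly for the question in the thread, none of this touches the first leg: if the firewall collects the password over plain HTTP, it has already crossed the internet in the clear before any of this code runs, which is exactly why the one-time-password option came up.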
Current thread:
- FW-1, HTTP access and strength of IIS security Briercheck, Scott (Sep 07)
- RE: FW-1, HTTP access and strength of IIS security Thomas Crowe (Sep 07)
- RE: FW-1, HTTP access and strength of IIS security Siglite (Sep 08)
- RE: FW-1, HTTP access and strength of IIS security Thomas Crowe (Sep 07)