Amen.
And, in addition:
As a general policy, we remove all default configurations, sample pages, and
administrative pages and scripts from any new IIS installation. I
recommend doing this unless you have some VERY strong reason for keeping
them there. At the least, disable or remove them from your site via the
MMC.
/*-----------------------------------*/
/* I live with FEAR every day. */
/* But, sometimes, she lets me RACE. */
/*-----------------------------------*/
KT Morgan
Network Engineer
Checkpoint Firewall-1 CCSA/CCSE
Microsoft MCP
Software Systems Group, Inc
On Tue, 7 Sep 1999, Thomas Crowe wrote:
> Scott;
>
> It's obvious that you're serious about protecting your site and the information
> contained therein. Locking down the access to that box to only allow port
> 443 is a great FIRST step. Be very aware, however, that IIS does have a known
> buffer overflow that can be easily exploited. I know it works on port 80; I
> do not know if it has been tried on port 443. The overflow is contained in a
> .dll that handles .htr files, I believe. As long as you're not supporting
> .htr files (I think they are used for changing SAM-stored passwords through
> IIS) you should be safe from that exploit. I would like to throw out a few
> other things to consider. Are ALL boxes behind the firewall locked down in
> the same manner, i.e., your DNS server, your mail server, etc.? If one of
> these machines is compromised then an intruder has free access to your NT
> machine and your firewall will never see it. Is your firewall fully locked
> down? If on Unix, is it only running the minimum daemons, or on NT, are ALL hot
> fixes applied and the service pack up to date? Also, are all services shut down
> except what is REALLY needed? Is your firewall configured as a member
> server in a domain or by itself? I wouldn't EVER put a firewall in the
> domain; compromising one system in the domain opens up ALL machines in the
> domain. Just thought that I would add my $0.02; hope it helps.
>
> Thomas Crowe
> Production Network Systems Administrator
> BellSouth Online
>
> > -----Original Message-----
> > From: owner-firewall-wizards_at_lists.nfr.net
> > [mailto:owner-firewall-wizards_at_lists.nfr.net]On Behalf Of Briercheck,
> > Scott
> > Sent: Sunday, September 05, 1999 4:29 PM
> > To: 'firewall-wizards_at_nfr.net'
> > Subject: FW-1, HTTP access and strength of IIS security
> >
> >
> > I'm hoping to get a little advice. I'm setting up an IIS 4.0 website that
> > has code to manage its own logins and user state (it doesn't just rely on NT
> > directory security - you can have a "web" account on the site without having
> > an NT account on the machine). The "web" account IDs and passwords are
> > stored in a SQL 7.0 database that will also be behind the firewall.
> >
> > In front of the web site I'm planning on putting FW-1 running on Solaris.
> > The firewall will only allow SHTTP to the IIS web server on port 443. I
> > expect that it should look no different to the web user than before I put
> > the firewall up. Other than SHTTP, nothing else will be allowed through.
> >
> > My first question is this: Is IIS + FW-1 sufficient security for sensitive
> > information? I've been told by various security consultants that it is, but
> > I'm starting to have reservations. I know that nothing can guarantee
> > against a break-in, but is this a good choice - can I feel reasonably
> > confident relying on the Firewall plus the IIS-supported login to be my
> > primary mode of security (assuming MY code is good....is IIS 4.0 good
> > enough)? I worry about buffer overflow attacks, and other types of hacks,
> > since I will be allowing SHTTP through the firewall and right to the
> > website. This means that I need to rely on IIS being robust enough.
> >
> > My second question is a follow-up to the first: Can I enhance the security
> > by having the users be forced to log into FW-1 at the firewall before
> > granting access to the website? The FW consultants and I discussed the idea
> > of putting a RADIUS server (from Livingston software) into the security
> > package. The RADIUS server would authenticate users at the Firewall (using
> > their login ID stored inside the SQL 7.0 database). With this setup, not
> > even SHTTP would be allowed past FW-1 unless the user first authenticates at
> > the Firewall to gain a connection.
> >
> > The problem is that I'm being told this "firewall" login would have to be
> > done in HTTP (plain text), and not SHTTP. I had hoped to have a single
> > login for the users, but I do not want them sending their password in plain
> > text. This means that I would need to add a one-time password scheme
> > (SecurID card). If they successfully log into the firewall, then they
> > have a second login at the IIS login screen to actually access the website.
> >
> > The third question is: Has anyone implemented this type of "firewall"
> > login using a RADIUS server (or something similar)? Is there something out
> > there that supports HTTPS for the firewall login? I would really rather not
> > implement a SecurID card if I don't have to, as we will be dealing with
> > many distributed users, so card management will be a pain.
> >
> > Thoughts or comments are appreciated.
> >
> > Thanks,
> >
> > Scott
> >
> > brierchecks_at_msx.upmc.edu
> >
> >
>
Received on Sep 08 1999
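Editor's added example (not part of the original thread): a small Python audit that probes an IIS host over HTTPS for the default and sample virtual directories KT Morgan recommends removing, including the .htr password-change directory Thomas Crowe alludes to. It is written against the current Python standard library, not anything the 1999 posters had. The path list is my assumption, based on the default IIS 4.0 (NT 4.0 Option Pack) layout, and should be checked against your own install in the MMC; the probe goes over port 443 on purpose, to make Thomas's point concrete that a firewall rule admitting only 443 still delivers every such request to IIS unexamined.

```python
"""Probe an IIS host over HTTPS for default/sample virtual directories.

Added example, not from the original thread. The path list is an assumption
based on the default IIS 4.0 (NT 4.0 Option Pack) layout; adjust as needed.
"""
import http.client
import ssl

# Default virtual directories an out-of-the-box IIS 4.0 install exposes.
# (Assumed list; verify against your own installation in the MMC.)
DEFAULT_PATHS = (
    "/iissamples/",   # sample site and sample scripts
    "/iisadmin/",     # HTML-based remote administration
    "/iishelp/",      # online documentation
    "/iisadmpwd/",    # .htr pages for changing NT account passwords
    "/msadc/",        # Remote Data Service (RDS) components
    "/scripts/",      # default CGI/ISAPI script directory
)


def classify(status):
    """Map an HTTP status code to an audit verdict.

    404/410: nothing is mapped there (absent).
    401/403: the directory exists but is access-controlled; still a finding,
             because the code behind it is installed and reachable.
    anything else (200, 30x, 500, ...): a handler answered, so it is live.
    """
    if status in (404, 410):
        return "absent"
    if status in (401, 403):
        return "protected"
    return "present"


def audit(responses):
    """Turn {path: status} into {path: verdict}, dropping paths that are absent."""
    findings = {}
    for path, status in responses.items():
        verdict = classify(status)
        if verdict != "absent":
            findings[path] = verdict
    return findings


def probe(host, port=443, paths=DEFAULT_PATHS, timeout=5.0):
    """Issue one GET per path over TLS and collect the status codes.

    Port 443 is used deliberately: a firewall that admits only 443 passes
    these requests to IIS untouched, so the packet filter says nothing
    about whether sample or admin content is reachable.
    """
    ctx = ssl.create_default_context()
    statuses = {}
    for path in paths:
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        try:
            conn.request("GET", path, headers={"Host": host,
                                               "User-Agent": "iis-default-audit"})
            resp = conn.getresponse()
            resp.read()  # drain the body so the connection closes cleanly
            statuses[path] = resp.status
        except (OSError, http.client.HTTPException) as exc:
            # refused, reset, TLS failure, timeout, malformed reply: no verdict
            print(f"{path}: no answer ({exc})")
        finally:
            conn.close()
    return statuses


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        results = probe(sys.argv[1])
    else:
        # Constructed sample standing in for a host that was never cleaned up.
        results = {"/iissamples/": 200, "/iisadmin/": 403, "/iishelp/": 404,
                   "/iisadmpwd/": 200, "/msadc/": 500, "/scripts/": 404}
    for path, verdict in sorted(audit(results).items()):
        print(f"{verdict:9s} {path}")
```

Run it with a hostname to probe a live server, or with no arguments to see the verdicts on the constructed sample. A "protected" verdict is still a finding: ACLing the directory leaves the administrative or sample code installed, which is exactly what KT Morgan's policy of removing it outright avoids.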