Securing IIS v6

 
nospam126

External


Since: Feb 25, 2004
Posts: 9



(Msg. 1) Posted: Thu Apr 22, 2004 6:20 pm
Post subject: Securing IIS v6
Archived from groups: microsoft>public>inetserver>iis, others (more info?)

Hello,

I'm currently looking at putting a Windows Server 2003 / IIS v6.0 server in
a co-located environment so that it can be accessed by the general public on
the Internet. The IIS server will be serving up ASP/ASP.NET, Web Services
and FTP.

I was wondering if putting this server behind an ISA Firewall with server
publishing is enough in terms of protection? What else can/should I do to
protect the box from being hacked?

Thanks!
-ZD

anonymous131

External


Since: Oct 17, 2003
Posts: 720



(Msg. 2) Posted: Thu Apr 22, 2004 6:20 pm
Post subject: Securing IIS v6
Archived from groups: microsoft>public>inetserver>iis (more info?)

Updates, updates and more updates, especially any that
are security related. Look at the ISP that is hosting
your server. See what they have to offer.

doug
 >-----Original Message-----
 >Hello,
 >
 >I'm currently looking at putting a Windows Server 2003 /
IIS v6.0 server in
 >a co-located environment so that it can be accessed by
the general public on
 >the Internet. The IIS server will be serving up
ASP/ASP.NET, Web Services
 >and FTP.
 >
 >I was wondering if putting this server behind an ISA
Firewall with server
 >publishing is enough in terms of protection? What else
can/should I do to
 >protect the box from being hacked?
 >
 >Thanks!
 >-ZD
 >
 >
 >
 >.
consultant_mcn

External


Since: Oct 08, 2003
Posts: 203



(Msg. 3) Posted: Thu Apr 22, 2004 6:20 pm
Post subject: Re: Securing IIS v6
Archived from groups: per prev. post (more info?)

start here:

http://www.microsoft.com/smallbusiness/gtm/securityguidance/articles/sec_iis_6_0.mspx

or

http://tinyurl.com/2qcnq

"doug" <anonymous RemoveThis @discussions.microsoft.com> wrote in message
news:2f0801c428a0$7b9c0f40$a501280a@phx.gbl...
 > Updates, updates and more updates, especially any that
 > are security related. Look at the ISP that is hosting
 > your server. See what they have to offer.
 >
 > doug
  > >-----Original Message-----
  > >Hello,
  > >
  > >I'm currently looking at putting a Windows Server 2003 /
 > IIS v6.0 server in
  > >a co-located environment so that it can be accessed by
 > the general public on
  > >the Internet. The IIS server will be serving up
 > ASP/ASP.NET, Web Services
  > >and FTP.
  > >
  > >I was wondering if putting this server behind an ISA
 > Firewall with server
  > >publishing is enough in terms of protection? What else
 > can/should I do to
  > >protect the box from being hacked?
  > >
  > >Thanks!
  > >-ZD
  > >
  > >
  > >
  > >.
user1628

External


Since: Apr 23, 2004
Posts: 8



(Msg. 4) Posted: Fri Apr 23, 2004 11:31 am
Post subject: Re: Securing IIS v6
Archived from groups: microsoft>public>inetserver>iis, others (more info?)

Server2003 isn't a feeble OS. It can stand on its own exposed to the
Internet as long as it is configured securely and kept updated. Putting it
behind ISA will of course help some and can be Server Published or Web
Published depending on your needs. I'm sure there are some security guides
in MS's site for deploying a 2003 webserver, but I don't have any links. But
be careful about going "over board" with any "hardening" if you are going to
put it behind ISA because in that scenario it still needs to be able to
function on the LAN.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

"Z D" <NOSPAM DeleteThis @NOSPAM.com> wrote in message
news:e1vVo8JKEHA.3592@TK2MSFTNGP09.phx.gbl...
 > Hello,
 >
 > I'm currently looking at putting a Windows Server 2003 / IIS v6.0 server
in
 > a co-located environment so that it can be accessed by the general public
on
 > the Internet. The IIS server will be serving up ASP/ASP.NET, Web
Services
 > and FTP.
 >
 > I was wondering if putting this server behind an ISA Firewall with server
 > publishing is enough in terms of protection? What else can/should I do to
 > protect the box from being hacked?
 >
 > Thanks!
 > -ZD
 >
 >
nospam126

External


Since: Feb 25, 2004
Posts: 9



(Msg. 5) Posted: Fri Apr 23, 2004 1:31 pm
Post subject: Re: Securing IIS v6
Archived from groups: microsoft>public>inetserver>iis (more info?)

Thanks for the links!

-ZD
"Consultant" <consultant_mcngp.TakeThisOut@yahoo.com> wrote in message
news:uwSdHHKKEHA.2576@TK2MSFTNGP12.phx.gbl...
 > start here:
 >
 > http://www.microsoft.com/smallbusiness/gtm/securityguidance/articles/sec_iis_6_0.mspx
 >
 > or
 >
 > http://tinyurl.com/2qcnq
 >
 > "doug" <anonymous.TakeThisOut@discussions.microsoft.com> wrote in message
 > news:2f0801c428a0$7b9c0f40$a501280a@phx.gbl...
  > > Updates, updates and more updates, especially any that
  > > are security related. Look at the ISP that is hosting
  > > your server. See what they have to offer.
  > >
  > > doug
   > > >-----Original Message-----
   > > >Hello,
   > > >
   > > >I'm currently looking at putting a Windows Server 2003 /
  > > IIS v6.0 server in
   > > >a co-located environment so that it can be accessed by
  > > the general public on
   > > >the Internet. The IIS server will be serving up
  > > ASP/ASP.NET, Web Services
   > > >and FTP.
   > > >
   > > >I was wondering if putting this server behind an ISA
  > > Firewall with server
   > > >publishing is enough in terms of protection? What else
  > > can/should I do to
   > > >protect the box from being hacked?
   > > >
   > > >Thanks!
   > > >-ZD
   > > >
   > > >
   > > >
   > > >.
   > > >
 >
nospam126

External


Since: Feb 25, 2004
Posts: 9



(Msg. 6) Posted: Fri Apr 23, 2004 1:35 pm
Post subject: Re: Securing IIS v6
Archived from groups: microsoft>public>inetserver>iis, others (more info?)

Phillip,

Thanks for the response. Good point. Guess I have to figure out the
tradeoffs between making it too hard vs having it operational on the
internal LAN.

So is it safe to assume the only way an attacker could hit the machine is on
port 80?

Thanks!
-ZD

"Phillip Windell" <@.> wrote in message
news:uB5RWdTKEHA.2144@TK2MSFTNGP10.phx.gbl...
 > Server2003 isn't a feeble OS. It can stand on its own exposed to the
 > Internet as long as it is configured securely and kept updated. Putting
it
 > behind ISA will of course help some and can be Server Published or Web
 > Published depending on your needs. I'm sure there are some security
guides
 > in MS's site for deploying a 2003 webserver, but I don't have any links.
But
 > be careful about going "over board" with any "hardening" if you are going
to
 > put it behind ISA because in that scenario it still needs to be able to
 > function on the LAN.
 >
 > --
 >
 > Phillip Windell [MCP, MVP, CCNA]
 > www.wandtv.com
 >
 > "Z D" <NOSPAM.DeleteThis@NOSPAM.com> wrote in message
 > news:e1vVo8JKEHA.3592@TK2MSFTNGP09.phx.gbl...
  > > Hello,
  > >
  > > I'm currently looking at putting a Windows Server 2003 / IIS v6.0 server
 > in
  > > a co-located environment so that it can be accessed by the general
public
 > on
  > > the Internet. The IIS server will be serving up ASP/ASP.NET, Web
 > Services
  > > and FTP.
  > >
  > > I was wondering if putting this server behind an ISA Firewall with
server
  > > publishing is enough in terms of protection? What else can/should I do
to
  > > protect the box from being hacked?
  > >
  > > Thanks!
  > > -ZD
  > >
  > >
  > >
 >
user1628

External


Since: Apr 23, 2004
Posts: 8



(Msg. 7) Posted: Fri Apr 23, 2004 2:09 pm
Post subject: Re: Securing IIS v6
Archived from groups: per prev. post (more info?)

If it is Server Published from behind ISA then the user will contact 80
(and/or/maybe 443) directly just as if it was directly exposed to the
Internet. However all other ports would not be exposed since ISA is only
publishing what is required.

If it is Web Published then the users are contacting only ISA and then ISA
is "proxying" the request back to the published web server, so it is a bit
of a different concept.

In my opinion, if it is behind ISA (either method), then there really isn't
much "hardening" being done to the web server at all since it must be able to
function on the LAN. It is when you place it outside the system "on its
own" that you have to get picky about it.


--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"Z D" <NOSPAM.RemoveThis@NOSPAM.com> wrote in message
news:Okr4$BUKEHA.3492@TK2MSFTNGP09.phx.gbl...
 > Phillip,
 >
 > Thanks for the response. Good point. Guess I have to figure out the
 > tradeoffs between making it too hard vs having it operational on the
 > internal LAN.
 >
 > So is it safe to assume the only way an attacker could hit the machine is
on
 > port 80?
 >
 > Thanks!
 > -ZD
 >
 > "Phillip Windell" <@.> wrote in message
 > news:uB5RWdTKEHA.2144@TK2MSFTNGP10.phx.gbl...
  > > Server2003 isn't a feeble OS. It can stand on its own exposed to the
  > > Internet as long as it is configured securely and kept updated. Putting
 > it
  > > behind ISA will of course help some and can be Server Published or Web
  > > Published depending on your needs. I'm sure there are some security
 > guides
  > > in MS's site for deploying a 2003 webserver, but I don't have any links.
 > But
  > > be careful about going "over board" with any "hardening" if you are
going
 > to
  > > put it behind ISA because in that scenario it still needs to be able to
  > > function on the LAN.
  > >
  > > --
  > >
  > > Phillip Windell [MCP, MVP, CCNA]
  > > www.wandtv.com
  > >
  > > "Z D" <NOSPAM.RemoveThis@NOSPAM.com> wrote in message
  > > news:e1vVo8JKEHA.3592@TK2MSFTNGP09.phx.gbl...
   > > > Hello,
   > > >
   > > > I'm currently looking at putting a Windows Server 2003 / IIS v6.0
server
  > > in
   > > > a co-located environment so that it can be accessed by the general
 > public
  > > on
   > > > the Internet. The IIS server will be serving up ASP/ASP.NET, Web
  > > Services
   > > > and FTP.
   > > >
   > > > I was wondering if putting this server behind an ISA Firewall with
 > server
   > > > publishing is enough in terms of protection? What else can/should I
do
 > to
   > > > protect the box from being hacked?
   > > >
   > > > Thanks!
   > > > -ZD
   > > >
   > > >
   > > >
  > >
  > >
 >
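
One way to check the point made in the post above, that only the ports ISA publishes are reachable from outside, as an added example that is not part of the original thread. The port sets and the names `is_open` and `audit_exposure` are assumptions chosen for illustration; adjust them to the actual publishing rules.

```python
import socket

# Assumption: ports the ISA rules are meant to publish for this server
# (FTP control, HTTP, HTTPS), matching the services named in the thread.
EXPECTED_PUBLISHED = {21, 80, 443}
# Assumption: Windows services that should never answer from the Internet.
MUST_STAY_CLOSED = {135, 139, 445, 1433, 3389}


def is_open(host, port, timeout=1.0):
    """Return True if a full TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout) or unreachable all count as not exposed.
        return False


def audit_exposure(host, expected, candidates, timeout=1.0):
    """Compare reachable ports with the set that is supposed to be published.

    Returns a dict with:
      unexpected_open - reachable but not in `expected` (publishing too much)
      missing         - in `expected` but not reachable (rule or service broken)
    """
    expected = set(expected)
    to_check = expected | set(candidates)
    reachable = {p for p in to_check if is_open(host, p, timeout)}
    return {
        "unexpected_open": sorted(reachable - expected),
        "missing": sorted(expected - reachable),
    }


if __name__ == "__main__":
    import sys
    # Run from a machine outside the firewall against your own public address.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    result = audit_exposure(host, EXPECTED_PUBLISHED, MUST_STAY_CLOSED)
    print(host, result)
    # Non-zero exit makes the check usable from a scheduled job.
    sys.exit(1 if result["unexpected_open"] else 0)
```

Running the same check from a host on the internal LAN shows what the server exposes without ISA in front of it, which is the gap the thread's "hardening" discussion is about.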