|
Posted by =?Utf-8?B?UGV0ZXIgSGFhc2U=?= on November 21, 2006, 4:08 pm
If you were Registered and logged in, you could reply and use other advanced thread options
Hi,
I'm doing some work for a company that has an MS network where their
firewall is a Cisco 800 device. The company public website sits on a server
that is also a windows 2000 domain controller and the exchange 2000 server
for the internal domain. There is a security need to keep internal patent
documents secure (they reside on a file server on the internal domain not
accessible directly by the public).
I know the configuration has security issues and want to address those,
especially as Exchange is going to be upgraded to 2003 and it's not
recommended it be on a DC. The hard part is I need good reasons for
management to accept that change is required. Can someone point me in the
direction of some white papers or articles on potential issues we could
encounter with the current design?
Any help would be greatly appreciated.
Thanks
Peter
|
|
Posted by Lanwench [MVP - Exchange] on November 22, 2006, 10:10 am
If you were Registered and logged in, you could reply and use other advanced thread options
> Hi,
>
> I'm doing some work for a company that has an MS network where their
> firewall is a Cisco 800 device. The company public website sits on a
> server that is also a windows 2000 domain controller and the exchange
> 2000 server for the internal domain. There is a security need to keep
> internal patent documents secure (they reside on a file server on the
> internal domain not accessible directly by the public).
>
> I know the configuration has security issues and want to address
> those, especially as Exchange is going to be upgraded to 2003 and
> it's not recommended it be on a DC. The hard part is I need good
> reasons for management to accept that change is required. Can someone
> point me in the direction of some white papers or articles on
> potential issues we could encounter with the current design?
>
> Any help would be greatly appreciated.
>
> Thanks
> Peter
OK - so, you probably know all this, and your management doesn't. It's hard
for me to think of official documentation outlining exactly *why* this is an
incredibly stupid thing to do, because, well, it seems a bit obvious - kind
of like asking "How do I keep my apartment from from being robbed, while
still leaving my door unlocked?"
Attacks on port 80 are commonplace, and even with a fully patched Windows
box you're seriously asking for trouble, especially in versions prior to
2003. (I don't even allow Internet access to OWA unless I force SSL on it.)
Exposing your domain controllers, Exchange servers, even regular file/print
servers, to the Internet like this is foolhardy - one hack/exploit, and
you're toast.
A web server should do nothing else - and it should not be on your
company's LAN at all, but on an isolated network. [Heck, maybe it shouldn't
even be a Windows or IIS box.]
If your company doesn't have the infrastructure or budget to properly host
the website themselves even in a DMZ (which seems possible given the
configuration they've got now), they should look into third party webhosting
services, as these have become incredibly affordable. A good hosting company
has racks of servers in a datacenter with redundant Internet connectivity,
power conditioning, monitoring, and so forth....and they can afford to
provide service to a lot of companies at a reasonable price due to volume.
I'd want to ask your management why they think it's a good idea to maintain
the current configuration, and make *them* justify it - especially given
that they've acknowleged that their data is incredibly sensitive.
[Note that Exchange really shouldn't be installed on a DC at all, in *any*
version - although it can work that way. Just never ever ever run dcpromo
on a box already running Exchange, to promote or demote it. ]
|
|
Posted by =?Utf-8?B?SWFu?= on November 22, 2006, 12:01 pm
If you were Registered and logged in, you could reply and use other advanced thread options
answer. Even t hen it's one of the higher-risk activities, and so should be
in a DMZ.
|
|
Posted by Bogwitch on November 22, 2006, 12:14 pm
If you were Registered and logged in, you could reply and use other advanced thread options
> If you want to host a website internally, then Linux/Apache is the
sensible
> answer. Even t hen it's one of the higher-risk activities, and so
should be
> in a DMZ.
Ian,
Let me start by saying I am in no way a Microsoft evangelist.
Whilst I understand your recommendation of Linux/ Apache, it is not
always the best choice. If the in-house IT team have no experience of
using Linux, the chances that the system will soon become an unpatched,
festering pile of dung, to be rooted by the next script-kiddie, are
fairly high.
Corporate IT skills still tend to be largely Microsoft biased and a
patched Microsoft box will be more secure than an unpatched Linux box.
Bogwitch.
PS. If security is your aim, wouldn't a variant of BSD be better than
Linux?
|
|
Posted by =?Utf-8?B?SWFu?= on November 23, 2006, 4:48 am
If you were Registered and logged in, you could reply and use other advanced thread options
"Bogwitch" wrote:
> Corporate IT skills still tend to be largely Microsoft biased and a
> patched Microsoft box will be more secure than an unpatched Linux box.
That is a point, though IMLI getting Linux webservers to work is actually
much easier than getting Windows webservers to work, especially when it comes
to database backends, etc. And I'm no linux guru.
>
> PS. If security is your aim, wouldn't a variant of BSD be better than
> Linux?
Yes.
The main point with any webserver is to regard its regard its data as
expendable in the event of it being compromised. (Think:Backup) That, and to
ensure that it has no file-sharing or RPC/DCOM access to other computers, so
that if compromised it cannot be used as a means to attack the LAN.
|
| Similar Threads | Posted | | Network Security | May 27, 2005, 1:29 pm |
| Network security | May 21, 2007, 11:52 am |
| network security | June 25, 2007, 5:18 am |
| Network Security Scanner | September 5, 2005, 2:15 pm |
| Network Security Scanner | September 5, 2005, 2:15 pm |
| Local v. Network Security | October 24, 2005, 4:32 pm |
| laptop > network security | December 7, 2005, 10:32 am |
| General Network Security question | October 19, 2005, 4:19 am |
| Very basic network security question | November 17, 2005, 6:44 pm |
| Security: Network Admins vs. SQL Programmers | May 23, 2006, 3:47 pm |
|
XML site map