On Thu, 9 Sep 2004 20:09:23 -0400, Michael Monaghan <mmonaghan at gmail dot com> wrote:

> I have a customer that has a Microsoft IIS Web Server behind their
> firewall. Recently they were rootkitted and we had to format the
> server. If we had a choice we'd use open source, peer reviewed
> software but a vendor has mandated Windows and IIS as the solution.
> I'd like to improve the security of the system by locking out all but
> authorized users (it isn't a public website). Using IIS' internal
> authentication doesn't prevent many of the known attacks so my thought
> was to authenticate at the firewall.

That'd be a support nightmare, and I don't know if it would even be possible. Put the IIS box in the DMZ, restrict it from making outbound connections (maybe other than windowsupdate.microsoft.com) as well as making connections to the LAN. Then lock it down appropriately using the IIS lockdown tool and MS's guide to securing IIS.

http://www.microsoft.com/windows2000/downloads/recommended/iislockdown/default.asp
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/deploy/depovg/securiis.mspx

Also review the security of the application itself. A locked down IIS (or Apache for that matter) isn't going to do you a bit of good if the application allows anybody to execute anything (as one example of a common flaw in web apps on *nix and Windows).

This probably isn't going to be a popular opinion amongst this community, but IIS locked down properly is almost as secure as Apache locked down properly. With a well secured web server on either platform, your biggest risk is going to be a poorly programmed web application, or a lack of patches (Apache gets popped frequently as well). Had the appropriate due diligence been taken in securing things before opening them to the internet (whether they're *nix, Windows, or your Xbox or toaster for that matter), they wouldn't have had this issue in the first place.
Hell, even without patches, using the URLScan tool (part of IIS lockdown) and restricting outbound connections makes it many, many times more difficult to crack a box. (A box with URLScan installed, even completely unpatched, is not vulnerable to Code Red, Nimda, and the majority of other IIS exploits, because it does just as it says: filters URLs. It limits them to a certain length, doesn't allow any odd characters, etc., which makes many future unknown vulnerabilities exploitable as well.)

Or if you don't want to worry quite as much about locking it down, run it on Server 2003. It has IIS pretty well locked down with out-of-the-box defaults. Still some measures to take for the best level security; see technet.microsoft.com to find info.

Not saying I prefer Windows, but about half the servers I manage are Windows, many of them for internet-accessible services. (The other half are FreeBSD.) I much prefer FreeBSD, but Windows, when secured properly, isn't what people make it out to be.

-Chris
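To make the URLScan point above concrete, here is an added illustration (not code from the thread, from URLScan, or from Microsoft) of the kind of request-line filtering the tool is described as doing: a length cap, an allowed-verb list, and rejection of odd characters and sequences before the request ever reaches the application. The limits, the character set and the sample request lines are all constructed for the example.

```python
import re

# Constructed limits in the spirit of a URLScan-style policy (not URLScan's real defaults).
MAX_PATH_LEN = 260
MAX_QUERY_LEN = 2048
ALLOWED_VERBS = {"GET", "HEAD", "POST"}
DENIED_SEQUENCES = ("..", "//")                   # constructed list of "odd" sequences
PATH_CHARS = re.compile(r"^[A-Za-z0-9._~/\-]*$")  # printable ASCII subset allowed in paths


def check_request(request_line):
    """Return (allowed, reason) for one HTTP request line such as 'GET /x HTTP/1.1'."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    verb, target, _version = parts
    if verb not in ALLOWED_VERBS:
        return False, f"verb {verb} not allowed"
    path, _, query = target.partition("?")
    if len(path) > MAX_PATH_LEN:
        return False, "path too long"
    if len(query) > MAX_QUERY_LEN:
        return False, "query too long"
    # Reject control characters and high-bit (non-ASCII) characters anywhere in the target.
    if any(ord(ch) < 32 or ord(ch) > 126 for ch in target):
        return False, "non-printable or high-bit character"
    for seq in DENIED_SEQUENCES:
        if seq in path:
            return False, f"denied sequence {seq!r}"
    if not PATH_CHARS.match(path):
        return False, "unexpected character in path"
    return True, "ok"


def audit(request_lines):
    """Run the filter over a batch of request lines; returns (line, allowed, reason) tuples."""
    return [(line, *check_request(line)) for line in request_lines]


# Constructed sample request lines: two benign, four that the filter should reject.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "POST /orders/submit HTTP/1.1",
    "GET /" + "A" * 300 + " HTTP/1.1",
    "GET /reports/../private/notes.txt HTTP/1.1",
    "GET /caf\u00e9.html HTTP/1.1",
    "TRACE / HTTP/1.1",
]

if __name__ == "__main__":
    for line, allowed, reason in audit(SAMPLE_REQUESTS):
        print("ALLOW" if allowed else "DENY ", reason, "|", line[:60])
```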