Danger Will Robinson.... Warning! Danger!

OK, so it isn't that bad, but I would be frightened putting an NT IIS server out on the internet standing alone. This type of machine, while it can be locked down, is still pretty vulnerable to stack attacks due to the weak stack that MS threw together as an afterthought. If you are going to put this box out on the internet all by itself and it was only serving static content then I would say this might be OK, but at least block inbound ports with some router ACLs to give you that warm cozy feeling. If this box is serving up dynamic content that requires you to reach into the enterprise and get some data from your internal DB server, then NO, you should definitely put it behind a firewall (and ACLs just to be safe).

At the very least, Bruce, turn off the NetBIOS connections on all interfaces so that someone doesn't walk into your box and suck out the SAM (passwords kept here). Also run a vulnerability scanner (ISS, Cybercop, etc.) against it to make sure you haven't missed anything, and remember to not load the sample files on IIS.

I think also Lance Spitzner wrote a paper on armoring NT; check out http://www.enteract.com/~lspitz/pubs.html, there should be something there that is in PLAIN English that can help you.

just my paranoid .02

-Kyle
Information Security
MSDW Online

-----Original Message-----
From: Bruce H. Nearon [mailto:bhnat_private]
Sent: Saturday, February 12, 2000 8:03 AM
To: firewall-wizardsat_private
Subject: mitigating the lack of a firewall

Suppose an Internet site does not have a firewall. Can a securely configured IIS 4.0 server running under securely configured NT 4.0 protect the site from unauthorized access and denial of service attacks?

Bruce Nearon, CPA
The Cohn Consulting Group
Roseland, New Jersey

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:03:42 PDT