Clustering IIS and SQL on the Same Boxes

NO!!!! That pretty much summarizes my feelings on this topic. I have seen this configuration proposed many times. The web guys say they need HA SQL for their web site data, and then they figure that since they are getting a cluster, they can use it for IIS, too. No, don’t do it. While at first glance it makes some sense, if you start thinking big picture, you start seeing the problems. First off, the big picture for an HA website with an HA SQL backend should look like this: Clients connect to the Internet to …

Hardening IP for IIS Servers – Original Posted Apr 5, 2005

Aahh, the joys of meeting SOX requirements… Tonight, I am having fun whipping together a script to apply to servers to meet SOX audit recommendations. This particular task is to harden IP on all IIS 6.0 servers per KB 324270. I had been tasked with applying changes to IIS 6.0 servers, working with others on a team. I volunteered to create the script to handle many of the registry changes required to meet the audit requirements (yeah, I am stupid that way…). They get the joy of testing and deploying the script in production. My first step was …

IIS 6.0 Security – System Files, Management, Samples, and Help Files – Original Posted Mar 14, 2005

Yes, these are still a problem. In IIS 5.0, many organizations would perform an installation of IIS 5.0 and totally miss some pretty ugly potential vulnerabilities. The biggest of these include: Samples, Help Files, and IIS Admin (HTML). Some common sense should tell us that we need to get rid of these potential vulnerabilities in IIS 5.0. However, many of us forget that some of these still exist in IIS 6.0. Samples are samples. Why in the world would you ever want these on a production server? Maybe in development, but certainly not in production. The same is true of help files. …

IIS Required Services – Original Posted Mar 14, 2005

I am still working on the final bits of my IIS 6.0 Security presentation for TechMentor in April. One of the pieces that seems to have a great deal of conflicting information is which services are required by IIS 6. So, here goes. Required services include:

Event Log – My recommendation is to follow the suggested settings in the Threats and Countermeasures white paper, chapter 3: http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch00.mspx

IIS Admin Service – Without the admin service, you can’t provide Web, FTP, SMTP, or NNTP services.

HTTP SSL – Since I recommend using SSL for all private communications involving customer data …

IIS 6.0 Security – Original Posted Jan 28, 2005

Wow, there is a great deal of confusion on this subject. I asked a few people what this topic meant to them, and I heard several differing views regarding what it means to secure IIS 6.0. So, what is it? Is it securing the server? Is it securing the service? Is it securing the application or site? I tend to lean towards a definition that includes securing the application or site more than anything else. The goal is to make sure the website, and any applications available through the website, are available to users. Now, that goal does include …