Hi there! Before you start, you should know that securing a web
server, no matter if it is Windows or Unix, is a time-consuming job
that requires understanding of what is going on.
Microsoft IIS has had bad press for security issues over the last few
years. The reason for this is that, by default, the server comes
configured in a relatively unsecured manner. Many unnecessary
services and scripts are left available to the public.
So, to answer your questions:
1. You should *always* run a webserver behind a firewall. Your
webserver may be configured securely, but some other service on your PC
could compromise this security! The Linksys consumer firewalls (which
it sounds like you have) are very popular for protection. I personally
run one. According to an IT manager I know, compared with
*commercial*-level routers and firewalls they are generally lower-end in
features (but also in price).
Some Linksys consumer firewalls recently had a security issue. I
would recommend patching to the latest firmware for security purposes,
and disabling remote administration. See this link for more info:
http://associate.com/modules.php?op=modload&name=News&file=article&sid=964
2. You shouldn't be worried if you are willing to invest the time in
securing a webserver. IIS in general will be as secure as most other
webservers if configured properly. Remember to keep up-to-date with
patches! Microsoft has a security/patch auto-update feature available
in Windows Update now.
Running Apache (http://www.apache.org) under Windows 2000 might also
be a possibility, because there are fewer people running that
webserver, so it is less likely to be vulnerable to a mass attack or
worm. Plus, it gains from the security of its Unix version, without
having to run Linux.
3. Microsoft has a guide to securing IIS 5.0:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/iis/deploy/depovg/securiis.asp
The Microsoft "Lockdown" tool is available as well, to ease setting up
security:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/locktool.asp
Reading the article and running the tool should protect you against
the majority of attacks. Ensuring that you are always up-to-date with
patches will protect you against even more!
4. If secured properly, IIS is safe to run on the Internet. Cracks
and hacks are most often targeted at unused, unknown services for IIS.
If you're running the bare-minimum feature set you need, you are far
less likely to be hit.
5. Small Business Server is a far less tested package of software.
While many of the components in SBS can be found in other products,
the configuration of these components is not as well-tested as the W2K
+ IIS5.0 combination.
Microsoft has a guide to securing SBS at:
http://support.microsoft.com/default.aspx?scid=kb;en-us;303323
*** NOTE: If you choose to run IIS, I highly recommend subscribing to
and monitoring closely Microsoft's e-mail security bulletin service
at:
http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/notify.asp
It's scary running a public webserver, but by taking the proper
precautions, you can ensure that your server will not be touched by a
curious party or fall prey to one of the worms that seems to be making
the rounds that particular day. It's not something you can just set
up and leave running indefinitely, but with a little vigilance, it's
easy to stay on top of things and ahead of the troublemakers!
Good luck!
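Points 4 and the closing note above (attackers go after unused, unknown IIS services, so run the bare-minimum feature set and keep watching the server) can be turned into a concrete check. The following is an added example, not code from the original post or from Microsoft: it parses IIS-style W3C extended log lines and reports every request whose file extension is outside the set of extensions the site actually serves, plus any client that racks up repeated 404s (a crude "probing" signal). The allow list (`ALLOWED_EXTENSIONS`), the 404 threshold and the log excerpt are all constructed assumptions for illustration; tailor the allow list to what your own site really needs.

```python
"""Audit IIS W3C extended log lines for requests outside the site's minimal
feature set.  Added example, not part of the original post; the allow list,
threshold and log excerpt below are constructed for illustration."""
import posixpath
from collections import Counter
from urllib.parse import unquote

# Assumption: this site only needs .asp pages plus a few static file types.
# Any other extension hitting the server is a script mapping / service the
# site does not use and should have been removed (e.g. with the Lockdown tool).
ALLOWED_EXTENSIONS = {"", ".asp", ".htm", ".html", ".gif", ".jpg", ".css", ".js"}

# Hypothetical threshold: this many 404s from one client counts as probing.
SCAN_THRESHOLD = 2

# Constructed W3C extended log excerpt in the IIS 5.0 layout (header lines
# start with '#', the '#Fields:' line names the columns).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-01-15 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-01-15 00:01:02 10.0.0.5 GET /default.asp - 200
2002-01-15 00:01:03 10.0.0.5 GET /images/logo.gif - 200
2002-01-15 00:02:10 192.0.2.77 GET /scripts/test.printer - 404
2002-01-15 00:02:11 192.0.2.77 GET /iisadmpwd/aexp.htr - 404
2002-01-15 00:02:12 192.0.2.77 GET /default%2Eida - 404
2002-01-15 00:03:00 10.0.0.9 GET /about.html - 200
"""


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names in '#Fields:'."""
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directive lines (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("request line appears before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; production code should log it
        yield dict(zip(fields, values))


def extension_of(uri_stem):
    """Lower-cased extension of the request path.

    Decode %xx escapes first so an encoded dot cannot hide the extension,
    then take the suffix of the last path component only."""
    name = posixpath.basename(unquote(uri_stem))
    return posixpath.splitext(name)[1].lower()


def audit(log_text, allowed=ALLOWED_EXTENSIONS, scan_threshold=SCAN_THRESHOLD):
    """Return requests for non-allowed extensions and clients that look like
    scanners (>= scan_threshold 404s)."""
    unexpected = []
    not_found = Counter()
    for rec in parse_w3c(log_text):
        stem = rec["cs-uri-stem"]
        if extension_of(stem) not in allowed:
            unexpected.append((rec["c-ip"], stem, rec["sc-status"]))
        if rec["sc-status"] == "404":
            not_found[rec["c-ip"]] += 1
    scanners = {ip: n for ip, n in not_found.items() if n >= scan_threshold}
    return {"unexpected": unexpected, "scanners": scanners}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for ip, stem, status in report["unexpected"]:
        print(f"unexpected extension: {ip} {stem} -> {status}")
    for ip, n in report["scanners"].items():
        print(f"possible scanner: {ip} ({n} x 404)")
```

The point of the check is not the three paths in the constructed sample but the allow list: if a request for an extension you do not serve returns anything other than 404, that mapping is still live and should be removed, and a client walking through several such extensions is exactly the "curious party" the post warns about.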