Hosting security

  • Thread starter Thread starter Monkey
  • Start date Start date
M

Monkey

At present we host our own web servers in a hosting centre. The web servers
are on a workgroup with a Cisco firewall between them and the back-end
database servers (SQL). Obivously only the database ports are open on this
firewall.

We are in the process of changing all our equipment and I was just wondering
if anyone had any opinions on 'best practise' for this sort of environment?

From an admin sort of view, it would be easier if all on same domain and
SCOM would work better that way but this would open up our SQL servers to
possible attack.

Thanks
 
The firewall between the Web server and the database server in Web hosting
scenario doesn't add much security but adds cost. In every attack scenario
that doesn't involve the hosting company staff, the first step for
compromising your environment is to compromise the Web server, at which
stage the mission is pretty much accomplished. The firewall doesn't protect
from SQL injection either.

Microsoft's guidance for Web hosting can be found at
http://www.microsoft.com/serviceproviders/...ngguidance.mspx.
As you can see (http://learn.iis.net/page.aspx/118/sample-architecture-i/),
there are no firewalls.

And yes, using single domain is a good idea, and firewalls separating parts
of the domain is not.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Monkey" wrote in message
news:16124C2C-000F-4EAA-8BEA-9148464D3CF8@microsoft.com...
> At present we host our own web servers in a hosting centre. The web
> servers
> are on a workgroup with a Cisco firewall between them and the back-end
> database servers (SQL). Obivously only the database ports are open on this
> firewall.
>
> We are in the process of changing all our equipment and I was just
> wondering
> if anyone had any opinions on 'best practise' for this sort of
> environment?
>
> From an admin sort of view, it would be easier if all on same domain and
> SCOM would work better that way but this would open up our SQL servers to
> possible attack.
>
> Thanks
 
Back
Top