Looking for feedback on public website security config

  • Thread starter Thread starter driley
  • Start date Start date
D

driley

In my work environment we have a vendor provided solution running on our
internal network. The solution is in its own domain and there are no trust
relationships to our domain.

The vendor has a web application that they want to publish on the internet
for a limited number of users. The web application uses IIS and is installed
on their domain controller, which also hosts their application. Some of our
confidential customer information is stored on this system.

The vendor is trying to tell us that all we need to do to make this system
secure is to install an SSL certificate and open up 80 and 443 on the
firewall. The system sits inside our network and is not in a DMZ or otherwise
isolated from other internal systems.

The domain controller is not hardened in any way and is running IIS and SQL.
Basically they want to make a domain controller into a web server and they
are saying that an SSL certificate will make this a secure solution.

Someone tell me if I am wrong in thinking that this sound like a bad idea.
 
I probably should not reply as you ask for someone to tell
you they think you are wrong in seeing this as a bad idea.

Although it can be done safely many of us (MVP types)
will immediately say that a DC should be a DC only, that
it should not run an application server (ie. IIS).

Let's assume that your network config is without mistake
and so only tcp 80/443 could route to the box from outside,
and further let us assume that you have the ability to config
the machine with all of the OS level hardening best practices
(which is not trivial with a DC). Even with those you are
still placing (by what you have said) your entire internal
network at risk due to the potential for exploit of their web
application and its use of SQL. From what I heard, that
application level exposure is not within your ability to
control, so you would be saying that you trust their quality
as that could be all that protects your internal network.

Can you configure their machine so that it is isolated
rather than able to contact other internal machines?

Roger


"driley" <driley@discussions.microsoft.com> wrote in message
news:B8346983-9A1C-481C-A834-7F31BF9E5A83@microsoft.com...
> In my work environment we have a vendor provided solution running on our
> internal network. The solution is in its own domain and there are no trust
> relationships to our domain.
>
> The vendor has a web application that they want to publish on the internet
> for a limited number of users. The web application uses IIS and is
> installed
> on their domain controller, which also hosts their application. Some of
> our
> confidential customer information is stored on this system.
>
> The vendor is trying to tell us that all we need to do to make this system
> secure is to install an SSL certificate and open up 80 and 443 on the
> firewall. The system sits inside our network and is not in a DMZ or
> otherwise
> isolated from other internal systems.
>
> The domain controller is not hardened in any way and is running IIS and
> SQL.
> Basically they want to make a domain controller into a web server and they
> are saying that an SSL certificate will make this a secure solution.
>
> Someone tell me if I am wrong in thinking that this sound like a bad idea.
>
 
We can isolate this machine and it is one of the steps that I am recommending.

The vendor supports the solution entirely, so it is unlikely that we will
perform any hardening of the DC, IIS, SQL etc.

"Roger Abell [MVP]" wrote:

> I probably should not reply as you ask for someone to tell
> you they think you are wrong in seeing this as a bad idea.
>
> Although it can be done safely many of us (MVP types)
> will immediately say that a DC should be a DC only, that
> it should not run an application server (ie. IIS).
>
> Let's assume that your network config is without mistake
> and so only tcp 80/443 could route to the box from outside,
> and further let us assume that you have the ability to config
> the machine with all of the OS level hardening best practices
> (which is not trivial with a DC). Even with those you are
> still placing (by what you have said) your entire internal
> network at risk due to the potential for exploit of their web
> application and its use of SQL. From what I heard, that
> application level exposure is not within your ability to
> control, so you would be saying that you trust their quality
> as that could be all that protects your internal network.
>
> Can you configure their machine so that it is isolated
> rather than able to contact other internal machines?
>
> Roger
>
>
> "driley" <driley@discussions.microsoft.com> wrote in message
> news:B8346983-9A1C-481C-A834-7F31BF9E5A83@microsoft.com...
> > In my work environment we have a vendor provided solution running on our
> > internal network. The solution is in its own domain and there are no trust
> > relationships to our domain.
> >
> > The vendor has a web application that they want to publish on the internet
> > for a limited number of users. The web application uses IIS and is
> > installed
> > on their domain controller, which also hosts their application. Some of
> > our
> > confidential customer information is stored on this system.
> >
> > The vendor is trying to tell us that all we need to do to make this system
> > secure is to install an SSL certificate and open up 80 and 443 on the
> > firewall. The system sits inside our network and is not in a DMZ or
> > otherwise
> > isolated from other internal systems.
> >
> > The domain controller is not hardened in any way and is running IIS and
> > SQL.
> > Basically they want to make a domain controller into a web server and they
> > are saying that an SSL certificate will make this a secure solution.
> >
> > Someone tell me if I am wrong in thinking that this sound like a bad idea.
> >
>
>
>
 
"driley" wrote:

> We can isolate this machine and it is one of the steps that I am recommending.

That would be acceptable, though DMZ woudl be better.

Basically, agree with Roger on this one.

Might also add that there are two aspects to 'security' here. SSL and
certificates provide security for the Web user. The do nothing to protect
your other computers from attack should a vulnerability in the webserver be
exploited to gain control of it.

A key piece of protection here is to ensure that the account SIDs and
passwords which the webserver processes run under are different from any
domain useraccounts, or at least any with file-share rights. That way, the
webserver -even if compromised- cannot easily gain access to domain
file-shares.
 
Since the web server is a domain controller, there is no way to make local
accounts for IIS to run under. Unless you know of a way.

Thanks for the feedback.

"Anteaus" wrote:

> "driley" wrote:
>
> > We can isolate this machine and it is one of the steps that I am recommending.
>
> That would be acceptable, though DMZ woudl be better.
>
> Basically, agree with Roger on this one.
>
> Might also add that there are two aspects to 'security' here. SSL and
> certificates provide security for the Web user. The do nothing to protect
> your other computers from attack should a vulnerability in the webserver be
> exploited to gain control of it.
>
> A key piece of protection here is to ensure that the account SIDs and
> passwords which the webserver processes run under are different from any
> domain useraccounts, or at least any with file-share rights. That way, the
> webserver -even if compromised- cannot easily gain access to domain
> file-shares.
>
>
 
Back
Top