Ask the Expert

Securing IIS 5.0 in a DMZ

I have installed IIS 5.0 with SP2, and I implemented ROOT CA as stand alone authority and placed it in a DMZ. Is my server secure?


    Requires Free Membership to View

With the limited amount of information this will be difficult to answer.

Using IIS 5.0 and not 4.0 is good. CA stand alone is even better. Since I don't know if you have secured or hardened the device per recommended standards, I'm uncertain. You could do these two things and not effectively harden the device and all your work would be useless.

I'm uncertain of your DMZ architecture, as well. Are you using RFC 1918 and NAT? Have you audited your firewall rules and stopped all unwanted external traffic before it reaches the DMZ? Are you properly filtering traffic, logging and auditing those logs? Are your firewall rules at both the external and internal points in the DMZ valid, logged and audited?

Since the security issue with Microsoft is a moving target at best, there are many assumptions I would need to make prior to coming close to answering your question. Off the cuff, I would say no, you are not secure simply because of the man hours it now takes to maintain any Microsoft system. Information security demands all devices be secure, not just the Web/app server. If your network parameter is lacking security, yet you have done all these wonderful things to IIS 5.0 you are still highly vulnerable. If you have a valid parameter and your infrastructure is still secure just, maybe there is a chance you are in fact secure.

Security as related to Microsoft products will continue to be a moving target due to the open nature of the products. Although MS has just stepped up to the plate and said they would release products in secure mode, not un-secure as in the past, only time will tell the fate of this lip service.

I've danced around your issue only because of the lack of information. I'm not saying anything new here concerning any Microsoft product. As with any device, security is related to the whole infrastructure, not simply one device.


For more information on this topic, visit these other SearchSecurity.com resources:
Best Web Links: Securing Microsoft platforms and products
Careers and Certification Tip: No Microsoft security cert, now what?
Security Policies Tip: Keep on top of security patches for Microsoft products


This was first published in March 2002

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: