RE: Using SUS on ISA Server

  • From: "Gabriel O. Zabal" <gabriel@xxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 22 Sep 2003 18:17:31 +0200

OK, but the topic starts with "Using SUS on ISA Server", so that is what we are 
discussing here.
Another thing, I'm not an IIS-extreme-expert, I just follow the general 
guidelines.
And I try to make the best of every case.
And I think that this should be discussed because most of the SBS administrators 
around don't have "another server" to make the most secure environment. So, 
according to your suggestion, they should be excluded from using SUS.

About the default web site issue. OK, it's not me. Don't take my word.
I just give an opinion taken from my experience and my reading.
This is for global knowledge improvement.
Please share with us your points about this.
Here are some URLs talking about this.

http://www.windowswebsolutions.com/Articles/Index.cfm?ArticleID=22968


http://asia.cnet.com/itmanager/tech/0,39006407,39146646,00.htm


[3. Remove the default Web site: Many attackers target the inetpub folder to 
drop in little goodies that can bring your server to a screeching halt. One way 
to prevent this attack is to disable the default Web site that installs with 
IIS. Then, as surfers try to access your Web site by IP address (as one address 
in a list of tons of IPs they are hitting in a day), the request will die. 
Point your true Web site to a folder on a back partition, with secure NTFS 
permissions (more on NTFS later).]


http://216.239.59.104/search?q=cache:Wt_OSK03t9UJ:www.sans.org/rr/papers/65/304.pdf+disable+default+web+site+iis&hl=es&ie=UTF-8

[The idea of "Best Practice" would advise that the "Default Web Site" be 
deleted and a new one created before deploying the site.]


Thanks
Gabriel Zabal
gabriel@xxxxxxxxxx


-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: Monday, September 22, 2003 17:55
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Using SUS on ISA Server

http://www.ISAserver.org


Sorry, I must respectfully, vehemently disagree.
Placing IIS on any firewall (ISA or otherwise) is the least secure option.
Using the default website isn't insecure in and of itself, it's how well
that web site has been cleared of the default vroots and settings.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message ----- 
From: "Gabriel O. Zabal" <gabriel@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, September 22, 2003 08:47
Subject: [isalist] RE: Using SUS on ISA Server


I saw that by default SUS is installed on the default web site,
something that is not likely secure.
I didn't try to make it work on a non-default web site.
The best would be IIS on ISA Server, bound to the internal IP address of
the ISA, and also installed in a specific directory and using a new
website that uses a host-header name.
If that could be done it would be great.

Gabriel Zabal
gabriel@xxxxxxxxxx


-----Original Message-----
From: Amy Babinchak [mailto:Amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
Sent: Monday, September 22, 2003 17:35
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Using SUS on ISA Server

The SUS installation also installs urlscan and sets up IIS only on the
internal IP by default. But still if you have another machine I'd use
it. The more things that are on your firewall the more likely it is that
a security issue can be overlooked.

Amy


-----Original Message-----
From: Bill Kuhn - MCSE [mailto:bkuhn@xxxxxxxxxxxxx]
Sent: Monday, September 22, 2003 11:29 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Using SUS on ISA Server

My thought was to enable IIS only on the internal IP. Is that still a
bad move?

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Monday, September 22, 2003 9:44 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Using SUS on ISA Server


That would mean adding IIS to the ISA.
If you already have it, then it won't add any more weakness.
If you don't, then choose another server.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
amy@xxxxxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to
$subst('Email.Unsub')
