No need to publish the server. All that it needs is the ability to access the Internet.

Amy

-----Original Message-----
From: cismic [mailto:cismic@xxxxxxx]
Sent: Monday, September 22, 2003 3:57 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Using SUS on ISA Server

http://www.ISAserver.org

Hello,

I think that it is wise to set up a simple 266 - 300 machine to receive the updates and then distribute updates throughout your network from there. You can publish that server to just receive the updates, making it even more secure.

Joseph

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Monday, September 22, 2003 11:18 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Using SUS on ISA Server

I don't know how "expert" I am; just empirical data gleaned from my own IIS and SUS experiences. I haven't installed SUS on IIS6, so I can't speak to what it does there...

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://www.microsoft.com/isaserver
http://isaserver.org/Jim_Harrison
http://isatools.org
Read the help, books and articles!

----- Original Message -----
From: "Gabriel O. Zabal" <gabriel@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, September 22, 2003 10:06
Subject: [isalist] RE: Using SUS on ISA Server

Of course, the hardening of IIS and SUS is not the topic. But you mention that SUS is bound to the first w3svc# that it finds. What happens on IIS6 (Windows 2003), which names the sites using some strange numbers? At first I thought that was just for display, but exploring with the IIS6 Metabase Explorer, it stores the configuration for each site using those numbers. Which number will SUS pick? The lowest number?

Thanks again; an MSFT expert opinion is always desirable.
Gabriel Zabal
gabriel@xxxxxxxxxx

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Monday, September 22, 2003 18:43
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Using SUS on ISA Server

Yes, that is the original topic, but one of the kewl things about a discussion list is that the initial topic tends to morph into other, more global issues, like has happened with this thread.

If all you have is a single SBS server, then of course you have little choice in the matter. If you have the licenses available to you, then separating ISA from your network services should be the first of many "growth" plans. That's the real core of my suggestion; not necessarily that SUS itself should be separated.

Removing the default web site is recommended for (as you pointed out) those who are not IIS-expert and are looking for some generally-applicable guidelines. The disadvantage to this action is that SUS doesn't choose the "default" web site, it chooses the first web site found on the server. Thus, if you remove the default site, SUS will install in the next-created site (they're numbered as "w3svc/#" according to creation order), which could easily be your Exchange site. Needless to say, this is less-than-optimal.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://www.microsoft.com/isaserver
http://isaserver.org/Jim_Harrison
http://isatools.org
Read the help, books and articles!

----- Original Message -----
From: "Gabriel O. Zabal" <gabriel@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, September 22, 2003 09:17
Subject: [isalist] RE: Using SUS on ISA Server

OK, but the topic started as "Using SUS on ISA Server", so that is what we are discussing here.

Another thing: I'm not an IIS-extreme-expert, I just follow the general guidelines. And I try to make the best of every case.
And I think that this should be discussed because most of the SBS administrators around don't have "another server" to make the most secure environment. So, according to your suggestion, they should be excluded from using SUS.

About the default web site issue: OK, it's not me. Don't take my word. I just give an opinion taken from my experience and my reading. This is for global knowledge improvement. Please share with us your points about this.

Here are some URLs talking about this.

http://www.windowswebsolutions.com/Articles/Index.cfm?ArticleID=22968

http://asia.cnet.com/itmanager/tech/0,39006407,39146646,00.htm
[3. Remove the default Web site: Many attackers target the inetpub folder to drop in little goodies that can bring your server to a screeching halt. One way to prevent this attack is to disable the default Web site that installs with IIS. Then, as surfers try to access your Web site by IP address (as one address in a list of tons of IPs they are hitting in a day), the request will die. Point your true Web site to a folder on a back partition, with secure NTFS permissions (more on NTFS later).]

http://216.239.59.104/search?q=cache:Wt_OSK03t9UJ:www.sans.org/rr/papers/65/304.pdf+disable+default+web+site+iis&hl=es&ie=UTF-8
[The idea of "Best Practice" would advise that the "Default Web Site" be deleted and a new one created before deploying the site.]

Thanks

Gabriel Zabal
gabriel@xxxxxxxxxx

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Monday, September 22, 2003 17:55
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Using SUS on ISA Server

Sorry, I must respectfully, vehemently disagree.

Placing IIS on any firewall (ISA or otherwise) is the least secure option. Using the default website isn't insecure in and of itself, it's how well that web site has been cleared of the default vroots and settings.
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://www.microsoft.com/isaserver
http://isaserver.org/Jim_Harrison
http://isatools.org
Read the help, books and articles!

----- Original Message -----
From: "Gabriel O. Zabal" <gabriel@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, September 22, 2003 08:47
Subject: [isalist] RE: Using SUS on ISA Server

I saw that by default SUS is installed on the default web site, something that is not likely secure. I didn't try to make it work on a non-default web site.

The best would be IIS on the ISA Server, bound to the internal IP address of the ISA, and also installed in a specific directory and using a new website that uses a host-header name.

If that could be done, it would be great.

Gabriel Zabal
gabriel@xxxxxxxxxx

-----Original Message-----
From: Amy Babinchak [mailto:Amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
Sent: Monday, September 22, 2003 17:35
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Using SUS on ISA Server

The SUS installation also installs urlscan and sets up IIS only on the internal IP by default. But still, if you have another machine I'd use it. The more things that are on your firewall, the more likely it is that a security issue can be overlooked.

Amy

-----Original Message-----
From: Bill Kuhn - MCSE [mailto:bkuhn@xxxxxxxxxxxxx]
Sent: Monday, September 22, 2003 11:29 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Using SUS on ISA Server

My thought was to enable IIS only on the internal IP. Is that still a bad move?

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Monday, September 22, 2003 9:44 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Using SUS on ISA Server

That would mean adding IIS to the ISA. If you already have it, then it won't add any more weakness. If you don't, then choose another server.
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://www.microsoft.com/isaserver
http://isaserver.org/Jim_Harrison
http://isatools.org
Read the help, books and articles!

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: amy@xxxxxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')

^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*
All mail from this domain is virus-scanned with RAV.
www.ravantivirus.com
^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*
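
A check that follows from the thread, as an added example that is not part of any poster's message: list the IIS sites in metabase-id order, mark the lowest-numbered one (the site SUS would install into if "first web site found" means lowest id, which is an assumption), and show any binding that is not pinned to the internal address. The function names, the sample sites and the 10.0.0.1 internal address are constructed for illustration.

```powershell
# Added example, not from the thread. Site data in $sample is constructed.

function Get-MetabaseSites {
    # Live read through the IIS ADSI provider (IIS 5/6, or later IIS with
    # IIS 6 metabase compatibility installed); run elevated on the server.
    $root = [ADSI]'IIS://localhost/W3SVC'
    $root.psbase.Children |
        Where-Object { $_.psbase.SchemaClassName -eq 'IIsWebServer' } |
        ForEach-Object {
            [pscustomobject]@{
                Id       = [int]$_.psbase.Name
                Comment  = [string]$_.ServerComment
                Bindings = @($_.ServerBindings)   # each entry is "IP:Port:HostHeader"
            }
        }
}

function Get-SiteBindingAudit {
    param([object[]]$Sites, [string]$InternalIp)
    $ordered = @($Sites | Sort-Object Id)
    foreach ($site in $ordered) {
        # An empty IP field means "All Unassigned": the site answers on
        # every interface, including a firewall's external one.
        $offInternal = @($site.Bindings | Where-Object {
            ($_ -split ':', 3)[0] -ne $InternalIp
        })
        [pscustomobject]@{
            Id          = $site.Id
            Comment     = $site.Comment
            LowestId    = ($site.Id -eq $ordered[0].Id)
            OffInternal = $offInternal -join ', '
        }
    }
}

# Constructed sample: the default site (id 1) has been removed, so the
# Exchange site is now the lowest-numbered one, the case Jim Harrison warns about.
$sample = @(
    [pscustomobject]@{ Id = 3; Comment = 'Intranet'; Bindings = @('10.0.0.1:80:') }
    [pscustomobject]@{ Id = 2; Comment = 'Exchange'; Bindings = @(':80:') }
)
Get-SiteBindingAudit -Sites $sample -InternalIp '10.0.0.1' | Format-Table -AutoSize
```

On a real server, pass the output of `Get-MetabaseSites` as `-Sites` instead of `$sample`; a row with `LowestId` true and a non-empty `OffInternal` is the combination the thread argues against.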