Home > Archive > IIS Server Security > January 2004 > Windows 2003 Small Business Server & IIS Security
Windows 2003 Small Business Server & IIS Security
Robert Waite 2004-01-24, 1:55 am
David Wang on 12/03/03 in this forum gave an excellent blueprint on securing
IIS 6.0 in Windows 2003 Small Business Server (SBS). He, and others, said it
is a bad idea to host Public Web Sites on SBS.
So my question is: What would be the network
configuration/settings/blueprint for having the Public Web Sites on another
computer (with Web Server 2003 separate license)? The Sites need to be
updated/maintained by some client workstation of SBS.
Robert Waite
Jonathan Maltz [MS-MVP] 2004-01-24, 1:55 am
I'm not exactly sure what you're asking, since you're answering it in your
post as well.
So you'd have:
SBS (which is also a DC) and your internal Exchange/SPS site running on that
computer, then your Windows Server 2003 machine(s) joined as members to the
SBS domain, and you don't need any extra CALs, because the SBS CALs cover
the whole SBS domain
--
--Jonathan Maltz [Microsoft MVP - Windows Server]
http://www.visualwin.com - A Windows Server 2003 visual, step-by-step
tutorial site :-)
Only reply by newsgroup. Any emails I have not authorized are deleted
before I see them.
"Robert Waite" <bob2dev@tampabay.rr.com> wrote in message
news:Op1IFWsvDHA.2712@TK2MSFTNGP11.phx.gbl...
> David Wang on 12/03/03 in this forum gave an excellent blueprint on
> securing
> IIS 6.0 in Windows 2003 Small Business Server (SBS). He, and others, said
> it
> is a bad idea to host Public Web Sites on SBS.
>
> So my question is: What would be the network
> configuration/settings/blueprint for having the Public Web Sites on
> another
> computer (with Web Server 2003 separate license)? The Sites need to be
> updated/maintained by some client workstation of SBS.
>
> Robert Waite
Robert Waite 2004-01-24, 1:55 am
Would not Web Server being on the internal side of SBS firewall be a
security breach?
What is the network topology for the Web Server to connect to the internet
and SBS domain?
I don't fully understand the practicalities of setting up a DMZ and,
every time I read about it,
I see 4-5 options in topologies.
Thanks,
Robert
"Jonathan Maltz [MS-MVP]" <jmaltz@mvps.org> wrote in message
news:uor6brtvDHA.2448@TK2MSFTNGP12.phx.gbl...
> I'm not exactly sure what you're asking, since you're answering it in your
> post as well.
>
> So you'd have:
> SBS (which is also a DC) and your internal Exchange/SPS site running on
> that
> computer, then your Windows Server 2003 machine(s) joined as members to
> the
> SBS domain, and you don't need any extra CALs, because the SBS CALs cover
> the whole SBS domain
>
> --
> --Jonathan Maltz [Microsoft MVP - Windows Server]
> http://www.visualwin.com - A Windows Server 2003 visual, step-by-step
> tutorial site :-)
> Only reply by newsgroup. Any emails I have not authorized are deleted
> before I see them.
>
>
> "Robert Waite" <bob2dev@tampabay.rr.com> wrote in message
> news:Op1IFWsvDHA.2712@TK2MSFTNGP11.phx.gbl...
Paul Lynch 2004-01-24, 1:55 am
On Tue, 9 Dec 2003 21:31:39 -0500, "Robert Waite"
<bob2dev@tampabay.rr.com> wrote:
>David Wang on 12/03/03 in this forum gave an excellent blueprint on securing
>IIS 6.0 in Windows 2003 Small Business Server (SBS). He, and others, said it
>is a bad idea to host Public Web Sites on SBS.
>
>So my question is: What would be the network
>configuration/settings/blueprint for having the Public Web Sites on another
>computer (with Web Server 2003 separate license)? The Sites need to be
>updated/maintained by some client workstation of SBS.
>
>Robert Waite
>
Robert,
If you must host a public-facing web site on your network then don't
make the IIS server a member of your domain. That way if the server
does get compromised you limit the privilege that any attacker might
gain.
However, this is still a less than ideal situation. Ideally, you
should either implement a DMZ or if you aren't confident with that
then look into using a co-located hosting solution. There are some
quite cheap co-lo deals out there.
There's some very useful security information here :
www.securityadmin.info
Regards,
Paul Lynch
MCSE
Robert Waite 2004-01-24, 1:55 am
Thanks.
If the IIS Server is a standalone Workgroup (not domain member) with a NIC
connection
to an SBS CLIENT (with two NICs), then (with the right ID/password) I can
connect from
that client to IIS for updates? In other words, can a Domain member connect
to a Workgroup member?
I can even disable the 2nd NIC on the CLIENT when not updating.
How well would this configuration work with TWO dedicated IPs assigned by my
ISP?
1. www.MyCompany.com points to Dedicated_IP_Address1 which connects to SBS
(thru a Linksys firewall for a little extra protection) with SBS locked down
for just approved company access as suggested by many here.
2. www.PublicWeb.com points to Dedicated_IP_Address2 which connects to Web
Server 2003 thru Sonicwall SOHO firewall (automatically blocks Denial of
Service attacks such as Ping of Death, SYN Flood, LAND Attack
and IP Spoofing, etc). [This has worked well for a year.]
3. Web Server 2003 has a second internal NIC connecting to SBS so the Web
Site can be updated.
4. SBS rules/features/etc are used to limit what can be done from Web Server
2003 on the SBS Domain.
Thanks again!
Robert
"Paul Lynch" <paul.lynch@nospam.com> wrote in message
news:smoetvo8ess3rtdqdla9qgi5lsqi120vpj@4ax.com...
> On Tue, 9 Dec 2003 21:31:39 -0500, "Robert Waite"
> <bob2dev@tampabay.rr.com> wrote:
>
>
> Robert,
>
> If you must host a public-facing web site on your network then don't
> make the IIS server a member of your domain. That way if the server
> does get compromised you limit the privilege that any attacker might
> gain.
>
> However, this is still a less than ideal situation. Ideally, you
> should either implement a DMZ or if you aren't confident with that
> then look into using a co-located hosting solution. There are some
> quite cheap co-lo deals out there.
>
> There's some very useful security information here :
> www.securityadmin.info
>
>
> Regards,
>
> Paul Lynch
> MCSE
Paul Lynch 2004-01-24, 1:55 am
On Wed, 10 Dec 2003 13:35:13 -0500, "Robert Waite"
<bob2dev@tampabay.rr.com> wrote:
>Thanks.
>
>If the IIS Server is a standalone Workgroup (not domain member) with a NIC
>connection
>to an SBS CLIENT (with two NICs), then (with the right ID/password) I can
>connect from
>that client to IIS for updates? In other words, can a Domain member connect
>to a Workgroup member?
>I can even disable the 2nd NIC on the CLIENT when not updating.
>
>How well would this configuration work with TWO dedicated IPs assigned by my
>ISP?
>
>1. www.MyCompany.com points to Dedicated_IP_Address1 which connects to SBS
>(thru a Linksys firewall for a little extra protection) with SBS locked down
>for just approved company access as suggested by many here.
>
>2. www.PublicWeb.com points to Dedicated_IP_Address2 which connects to Web
>Server 2003 thru Sonicwall SOHO firewall (automatically blocks Denial of
>Service attacks such as Ping of Death, SYN Flood, LAND Attack
>and IP Spoofing, etc). [This has worked well for a year.]
>
>3. Web Server 2003 has a second internal NIC connecting to SBS so the Web
>Site can be updated.
>
>4. SBS rules/features/etc are used to limit what can be done from Web Server
>2003 on the SBS Domain.
>
>Thanks again!
>Robert
Hi Robert,
Yes, you could update the content on the standalone web server using
FTP. Just create a local user account and point that user's home ftp
folder at the root of the web content folders and you're set. Don't
forget to disallow anonymous ftp though.
For maximum security you could even consider removing the second
internal NIC from the www.PublicWeb.com server and just connect to it
via the internet when you want to update its content.
I would also consider moving the www.mycompany.com site and IP address
to the standalone box - unless of course you are using it for OWA.
Regards,
Paul Lynch
MCSE
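The update account Paul describes, as an added example for a standalone IIS 6.0 box (not code from the thread): a local workgroup account with Change rights on the content tree only, the default FTP site's home directory pointed at that tree, and anonymous FTP switched off. The content path D:\WebContent, the account name webupdate and FTP site instance 1 are assumptions.

```batch
@echo off
REM Added example, not from the thread. Run at an administrative cmd prompt
REM on the standalone web server itself. D:\WebContent, the account name
REM webupdate and FTP site instance 1 are placeholders; adjust to taste.
set CONTENT=D:\WebContent
set FTPUSER=webupdate
set ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs

REM 1. Local (workgroup) account for uploads. "*" prompts for the password
REM    so it never lands in a script or the command history. The account is
REM    an ordinary member of Users; it is never added to Administrators.
net user %FTPUSER% * /add /comment:"FTP content updates only"
net user %FTPUSER% /passwordchg:no

REM 2. NTFS: the update account gets Change (C) on the content tree and
REM    nothing else on the box. /E edits the existing ACL, /T recurses.
cacls "%CONTENT%" /E /T /G %FTPUSER%:C

REM 3. Point the FTP site's home directory at the web content root, so a
REM    login lands directly on the files IIS serves.
cscript //nologo %ADSUTIL% SET MSFTPSVC/1/ROOT/Path "%CONTENT%"

REM 4. Disallow anonymous FTP: only named local accounts may log on.
cscript //nologo %ADSUTIL% SET MSFTPSVC/1/AllowAnonymous FALSE
cscript //nologo %ADSUTIL% SET MSFTPSVC/1/AnonymousOnly FALSE

REM 5. Check the setting took before the site goes live, then restart the
REM    FTP Publishing Service so the metabase change is picked up.
cscript //nologo %ADSUTIL% GET MSFTPSVC/1/AllowAnonymous
net stop msftpsvc && net start msftpsvc
```

IIS 6.0 FTP sends the user name and password in clear text, so if the second NIC is removed and updates arrive over the internet as Paul suggests, restrict TCP port 21 at the Sonicwall to the updating workstation's address.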
Robert Waite 2004-01-24, 1:55 am
Thanks.
"Paul Lynch" <paul.lynch@nospam.com> wrote in message
news:7kretvka0p5klivedpg88kiv1pbbp4r3f1@4ax.com...
> On Wed, 10 Dec 2003 13:35:13 -0500, "Robert Waite"
> <bob2dev@tampabay.rr.com> wrote:
>
>
>
> Hi Robert,
>
> Yes, you could update the content on the standalone web server using
> FTP. Just create a local user account and point that user's home ftp
> folder at the root of the web content folders and you're set. Don't
> forget to disallow anonymous ftp though.
>
> For maximum security you could even consider removing the second
> internal NIC from the www.PublicWeb.com server and just connect to it
> via the internet when you want to update its content.
>
> I would also consider moving the www.mycompany.com site and IP address
> to the standalone box - unless of course you are using it for OWA.
>
>
>
>
> Regards,
>
> Paul Lynch
> MCSE
Jonathan Maltz [MS-MVP] 2004-01-24, 1:56 am
Hi,
The decision is really up to you. You can have it on either side. As Paul
said, you may not want it joined to the domain at all. If you have some
sort of firewall before the SBS box then I wouldn't put the web server
behind SBS.
--
--Jonathan Maltz [Microsoft MVP - Windows Server]
http://www.visualwin.com - A Windows Server 2003 visual, step-by-step
tutorial site :-)
Only reply by newsgroup. Any emails I have not authorized are deleted
before I see them.
"Robert Waite" <bob2dev@tampabay.rr.com> wrote in message
news:%23QJRRZyvDHA.2880@tk2msftngp13.phx.gbl...
> Would not Web Server being on the internal side of SBS firewall be a
> security breach?
> What is the network topology for the Web Server to connect to the internet
> and SBS domain?
>
> I don't fully understand the practicalities of setting up a DMZ and,
> every time I read about it,
> I see 4-5 options in topologies.
>
> Thanks,
> Robert
>
> "Jonathan Maltz [MS-MVP]" <jmaltz@mvps.org> wrote in message
> news:uor6brtvDHA.2448@TK2MSFTNGP12.phx.gbl...