IIS Server Security - need security advice on new iis installation


Author need security advice on new iis installation
ToddAndMargo@verizon.net

2007-02-04, 7:21 pm

Hi All,

I just got tasked to build an IIS server for entering
credit card orders for a company. The software is
commercial and says it needs w2k3 and iis6. It does not
mention anything about security software. The order
software also has to be on the inside of the firewall,
as it has to share a directory from the main
database server.

So far, all I can figure is to have my firewall
send all incoming http and https SYN packets to the
order server. And, put firewall rules on the other
internal computers that disallow any traffic
from the order server.

I see the main server as being at risk as well: the order
server gets taken over and starts having its way with the
data on the shared drive with the main server, as well as
the order server.

I just do not like the feel of all this. How in the world do I
protect myself?

-T

Roger Abell [MVP]

2007-02-06, 1:31 am

It sounds as if you have so far been looking at the requirements
of the application, as they (mis)fit with your existing environment.
I would suggest that instead you start with the requirements that
the credit card processing will place on you, as being validated
for this will likely be more restrictive than what you have been
looking at for the application.

Roger

<ToddAndMargo@verizon.net> wrote in message
news:1170632160.216948.101120@j27g2000cwj.googlegroups.com...
> Hi All,
>
> I just got tasked to build an IIS server for entering
> credit card orders for a company. The software is
> commercial and says it needs w2k3 and iis6. It does not
> mention anything about security software. The order
> software also has to be on the inside of the firewall,
> as it has to share a directory from the main
> database server.
>
> So far, all I can figure is to have my firewall
> send all incoming http and https SYN packets to the
> order server. And, put firewall rules on the other
> internal computers that disallow any traffic
> from the order server.
>
> I see the main server as being at risk as well: the order
> server gets taken over and starts having its way with the
> data on the shared drive with the main server, as well as
> the order server.
>
> I just do not like the feel of all this. How in the world do I
> protect myself?
>
> -T
>




Copyright 2003 - 2008 webservertalk.com