I want to set up IIS on an old XP box that I have on our our LAN at work so that I can host some Silverlight stuff on it that I am plying with so I show it to others on the internet. I have a public IP set up already that shoots straight through my firewall and straight to that machine, and I sometimes use Remote Desktop to log into that machine and do some misc work when I am at home. It has drive letters mapped to data folders on the server, but no data is directly on that machine. I do not want to expose my entire network to risks that I do not understand. So, will it be safe if I let people surf to the public IP address to hit that machine with their web browser?
+1
A:
No. If that machine becomes compromised, they have the keys to the kingdom, so to speak. You should set up a DMZ between it and the rest of your network. You should have a separate machine that is available via VPN for RDC.
jeffamaphone
2009-03-09 02:36:28
+5
A:
So, will it be safe if I let people surf to the public IP address to hit that machine with their web browser?
You always increase your risk level by allowing access to trusted resources, so "safe" is a relative term. In this case, you are taking a possibly dangerous level of risk by hosting this at the same location where you would like to conduct secure transactions (e.g. logging into your bank account).
That said, you can take some high-value, low-cost protective measures:
- Since you're behind a router, your router can do double duty and act as a firewall. Make sure that only the appropriate ports are open.
- Make sure that the applications you run do so with a minimum of privileges. If at all possible, run these applications inside of a virtual machine, and use that as the web server.
- Secure access to the applications you serve; allow only trusted users.
- Make the public-facing area of the site minimal.
- Keep the application in a completely different file root than everything else.
John Feminella
2009-03-09 02:38:58
+1
A:
I would not do this for three reasons:
- As Jeff said, your possibly handing out the keys to the kingdom
- You don't want attention drawn to your network unless you have the ability to mitigate a decent sized DoS attack. You never know when the content you host is going to tick off someone else resulting in this. That means, your whole network could (in theory) be cut off from the outside world.
- Even if a compromise is contained to the DMZ, you run the risk of having that server sending out SPAM all over the world. You do NOT want the pain of getting that IP out of a DNSBL while outgoing company mail goes to a black hole.
Its just too cheap to pay for hosting or co-location of a small server somewhere else.
EDIT:
Added reason #3
Tim Post
2009-03-09 02:40:02
A:
As long as you keep in mind that you are giving outsiders access to a machine that is connected to your internal network, and keep the machine up to date you will be "safe".
Personally I would suggest getting outside hosting thereby keeping your own network safer, and letting the hosting provider worry about updating software, keeping out attackers and maintaining the network. It does not cost much, and will relieve much of the headache you would have to otherwise deal with.
X-Istence
2009-03-09 03:20:35
+1
A:
IIS 5.1 is limited to 10 simultaneous connections, and most browsers open 2 or more connections to download images and other page elements.
IIS 5.1 and XP opens up a lot of stuff by default. Go through and turn off all unnecessary features in IIS and all unnecessary, network-facing services in XP.
George V. Reilly
2009-03-09 06:56:48