Hosting security

Monkey

Guest
At present we host our own web servers in a hosting centre. The web servers are on a workgroup with a Cisco firewall between them and the back-end database servers (SQL). Obviously only the database ports are open on this firewall.

We are in the process of changing all our equipment and I was just wondering if anyone had any opinions on 'best practice' for this sort of environment?

From an admin sort of view, it would be easier if all were on the same domain, and SCOM would work better that way, but this would open up our SQL servers to possible attack.

Thanks

 
S. Pidgorny

Guest
The firewall between the Web server and the database server in a Web hosting scenario doesn't add much security but adds cost. In every attack scenario that doesn't involve the hosting company staff, the first step for compromising your environment is to compromise the Web server, at which stage the mission is pretty much accomplished. The firewall doesn't protect from SQL injection either.

Microsoft's guidance for Web hosting can be found at http://www.microsoft.com/serviceproviders/...ngguidance.mspx. As you can see (http://learn.iis.net/page.aspx/118/sample-architecture-i/), there are no firewalls.

And yes, using a single domain is a good idea, and firewalls separating parts of the domain are not.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
http://sl.mvps.org http://msmvps.com/blogs/sp

"Monkey" <Monkey@discussions.microsoft.com> wrote in message news:16124C2C-000F-4EAA-8BEA-9148464D3CF8@microsoft.com...

> At present we host our own web servers in a hosting centre. The web servers
> are on a workgroup with a Cisco firewall between them and the back-end
> database servers (SQL). Obviously only the database ports are open on this
> firewall.
>
> We are in the process of changing all our equipment and I was just wondering
> if anyone had any opinions on 'best practice' for this sort of environment?
>
> From an admin sort of view, it would be easier if all were on the same domain,
> and SCOM would work better that way, but this would open up our SQL servers to
> possible attack.
>
> Thanks

 