Internet-facing Windows Server OK?

raindog308 Administrator, Veteran

A friend and I want to try out an idea which involves Windows Server + IIS. I was thinking to get a Windows Server VPS (hi @Francisco) but I've never admin'd WS.

I'm a pro for Linux admin and know the universal concepts (don't turn on services you don't need, check what's facing with nmap, etc.) but not specifically WS.

If I stand up WS 2012, only open 80/443, and patch it...how safe is that? Anything I should know?

I could stand up a Linux VPS and proxy the web over local network so the WS is completely unavailable to the Internet except for when I open up RDP, but I'm thinking that any attack against IIS will get passed through regardless.

Comments

  • ToggledNS Member
    edited November 2015

    Well, it's okay, as long as you lock it down and make sure it's up to date. Windows is a common attack target since a lot of people forget to ensure proper security is implemented. WS 2012 with IIS: just make sure IIS is up to date; if you use older versions there are some bugs. There's one I know of not patched in the latest IIS that is an instant BSOD (reported, awaiting patch).

    If you plan to RDP into it, force RDP onto another port. If you want, you can throw a firewall in front of it and whitelist IPs allowed to connect via RDP for extra security.

    Edit: and regardless of whether you proxy the traffic, anyone who scans for IPs can scan your RDP and brute force it if needed.

    Thanked by raindog308
  • risharde Patron Provider, Veteran
    edited November 2015

    I know a lot of people have windows systems facing the internet but I rarely ever trust it. It seems like just a guess in terms of when someone would find an exploit for it. With that being said, I have no evidence otherwise to suggest that it isn't a good idea. After all, I think most Exchange servers run on Server OS, which faces the internet.

    Thanked by raindog308
  • deadbeef Member
    edited November 2015

    @raindog308 said:
    how safe is that?

    Just make sure to keep it fully patched and use a firewall to restrict the ports to only what needs to be facing the Internet. There are tons of IIS servers out there, and it's not 2000 any more; it's a mature product now. It used to have more holes than Swiss cheese, but now it's not something that should worry you more than (say) Apache.

    @raindog308 said:
    I'm thinking that any attack against IIS will get passed through regardless

    Yes, a generic reverse proxy can't do anything if the end service has an exploitable problem, no matter what the service is.

    Thanked by raindog308
  • boxelder Member

    Hmm... I guess throwing xampp on my windows server to run a few low traffic sites might not be the best idea then?

  • @boxelder said:
    Hmm... I guess throwing xampp on my windows server to run a few low traffic sites might not be the best idea then?

    Probably the worst idea I've heard this month.

  • ATHK Member
    edited November 2015

    If you're more comfortable with Linux use Nginx and reverse proxy to IIS, close all ports on WS except 80/443 and allow only the Nginx server access.

    Of course you'll want RDP at some point so opening that might be a good idea too...
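
    The two pieces of advice above (only 80/443 on the Windows box, reachable only from the reverse proxy, plus RDP moved off 3389 and restricted to known admin IPs) can be expressed as a handful of Windows Firewall rules. The following PowerShell is an added example, not code posted by anyone in this thread; it uses the built-in NetSecurity cmdlets available on Server 2012 and later. The proxy address, admin address and alternate RDP port are placeholders you would replace with your own (the 203.0.113.0/24 and 198.51.100.0/24 ranges are reserved for documentation and route nowhere). Run it from the console or a session you can get back to, and add the allow rules before you touch the RDP port, or you lock yourself out.

    ```powershell
    # Added example: scope IIS and RDP exposure on a Windows Server host.
    # Assumed placeholder values (not from the thread); replace with your own.
    $ProxyIp = '203.0.113.10'   # Nginx/Linux reverse-proxy host (assumption)
    $AdminIp = '198.51.100.5'   # admin workstation allowed to RDP (assumption)
    $RdpPort = 33890            # non-default RDP listening port (assumption)

    # 1. Web traffic: allow 80/443 only from the reverse proxy, nothing else.
    New-NetFirewallRule -DisplayName 'IIS 80/443 from reverse proxy only' `
        -Direction Inbound -Protocol TCP -LocalPort 80,443 `
        -RemoteAddress $ProxyIp -Action Allow -Profile Any

    # 2. RDP: disable the built-in "Remote Desktop" rules (they allow 3389 from anywhere)
    #    and add one scoped rule for the new port from the admin IP only.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    New-NetFirewallRule -DisplayName "RDP $RdpPort from admin IP only" `
        -Direction Inbound -Protocol TCP -LocalPort $RdpPort `
        -RemoteAddress $AdminIp -Action Allow -Profile Any

    # 3. Move the RDP listener. The change takes effect after TermService restarts
    #    (or a reboot); an active RDP session will be dropped at this point.
    $rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $RdpPort -Type DWord
    Restart-Service TermService -Force

    # 4. Default-deny everything else inbound on every profile; outbound stays open
    #    so Windows Update and the proxy's health checks keep working.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow

    # 5. Verify: every enabled inbound allow rule with its port and remote scope.
    #    Anything showing RemoteAddress "Any" on a listening port deserves a second look.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            LocalPort     = $port.LocalPort
            RemoteAddress = $addr.RemoteAddress
        }
    } | Format-Table -AutoSize
    ```

    Step 5 is the Windows equivalent of the "check what's facing with nmap" habit from the original post: the host's own rule table should show only the proxy on 80/443 and the admin address on the RDP port. Disabling the built-in "Remote Desktop" rule group matters because Windows re-enables those rules with a broad scope when Remote Desktop is switched on through the GUI, which silently reopens 3389 to the world.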

  • mikho Member, Host Rep

    Like any other server, remove or stop all services that aren't needed. Use a firewall and patch/update as soon as possible.

    To secure RDP you can install Duo Security https://www.duosecurity.com a 2-factor authentication system that works with the RDP protocol and more.

  • Configured properly it's plenty safe. ~30% of publicly-facing websites run on IIS -- second only (and not by much) to Apache.
