0

I need to set up a Windows 2008 Server R2 incl. SQL Server and IIS. The server is, as far as I know, directly connected to the internet.

My question is, is Windows 2008 R2 Server secure enough for this usage? Are there any known security risks?

Will the windows firewall be enough to secure the server? What precautions do I have to take?

Thanks in advance

cheers

nWorx
  • You're asking for opinions here, which is not a good fit for the SE model. Please re-phrase to allow an objective answer. – Richard Nov 25 '11 at 09:02
  • Why opinions? Either it is secure or not? Or am I mistaken about something? – nWorx Nov 25 '11 at 09:05
  • Anything in security is a trade-off; there are no absolutes. – Richard Nov 25 '11 at 10:59
  • If your running application is insecure, you can do nothing against that on the OS, DB or AS level. – Nils Nov 25 '11 at 22:16
  • Sorry, this is so very opinion oriented. Define "secure enough" in a way that makes "secure" not an opinion. Additionally, the Windows firewall is just one component of Windows security (or Linux security, for that matter), so regardless of whether the firewall is secure enough, you still haven't asked about or addressed Windows security. – Jim B Nov 25 '11 at 22:35

4 Answers

1

In general - yes. SQL Server is trickier as it's a tried attack vector, so you get tons of login failures. Either fully protect it or move the port.

I would:

  • Use the firewall to lock as many incoming ports as possible, only leave open what I need for work - IIS, RDP and PPTP
  • PPTP into the server normally for maintenance work
  • RDP for emergency
TomTom
  • Hi, thanks for your response. As I don't need the SQL Server to be reachable from the internet (just for local use), I can block these ports. Thanks also for the tip with PPTP; I've never heard of it before... – nWorx Nov 25 '11 at 09:38
1

Remember that you can filter incoming ports so that they only respond to a particular IP - so you can filter, say, inbound RDP so that it only responds to the IP of your office.

This is not an ideal situation and I wouldn't put anything really sensitive on a setup like this - a router + firewall + server firewall is better. However, I have had to manage systems like this and didn't see any real problems. Oddly, I saw fewer attack attempts on these than I did on clients with residential-level DSL lines.

Ian Murphy
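The two answers above (TomTom's "lock every inbound port you don't need" and Ian Murphy's "filter RDP to your office IP"), written out as a concrete rule set. This is an added example, not code from any answer on this page; it targets Windows Server 2008 R2, where the PowerShell NetSecurity cmdlets do not exist, so it uses netsh advfirewall. The office address 203.0.113.10 is a constructed placeholder.

```batch
@echo off
REM Added example (not from any answer on this page). Run from an elevated cmd
REM prompt on Windows Server 2008 R2. The office address below is a constructed
REM placeholder (TEST-NET-3); replace it with your real management address.
set OFFICE_IP=203.0.113.10

REM 1. Management access first, so the inbound default-deny set in step 4 cannot
REM    lock you out (see Ian Murphy's comment): RDP only from the office address.
netsh advfirewall firewall add rule name="RDP from office only" dir=in action=allow protocol=TCP localport=3389 remoteip=%OFFICE_IP%

REM    PPTP for routine maintenance: TCP 1723 plus GRE (IP protocol 47).
netsh advfirewall firewall add rule name="PPTP control" dir=in action=allow protocol=TCP localport=1723 remoteip=%OFFICE_IP%
netsh advfirewall firewall add rule name="PPTP GRE" dir=in action=allow protocol=47 remoteip=%OFFICE_IP%

REM 2. The public service: IIS on 80 and 443 from anywhere.
netsh advfirewall firewall add rule name="IIS HTTP" dir=in action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name="IIS HTTPS" dir=in action=allow protocol=TCP localport=443

REM 3. SQL Server is local-only: explicit block rules for the default instance
REM    (TCP 1433) and SQL Browser (UDP 1434). Explicit block rules take precedence
REM    over allow rules, so an installer adding "allow SQL" later cannot reopen it.
netsh advfirewall firewall add rule name="Block SQL Server" dir=in action=block protocol=TCP localport=1433
netsh advfirewall firewall add rule name="Block SQL Browser" dir=in action=block protocol=UDP localport=1434

REM 4. Firewall on for every profile, default-deny inbound, outbound allowed.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

REM 5. Checks: the effective inbound rules, and which ports are actually listening.
netsh advfirewall firewall show rule name=all dir=in
netstat -ano | findstr LISTENING
```

PPTP's MS-CHAPv2 authentication has since been shown to be weak, so the remoteip restriction, not the VPN itself, is what keeps the maintenance ports off the open internet.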
1

You can use Microsoft's new Security Configuration Wizard, which will create a security policy that you can apply on the server.

The Security Configuration Wizard (SCW) guides you through the process of creating, editing, applying, or rolling back a security policy. It provides an easy way to create or modify a security policy for your server based on its role. You can then use Group Policy to apply the security policy to multiple target servers that perform the same role. You can also use SCW to roll back a policy to its prior configuration for recovery purposes. With SCW, you can compare a server's security settings with a desired security policy to check for vulnerable configurations in the system.

See more info here: http://technet.microsoft.com/en-us/library/cc771492(WS.10).aspx

Spirit
  • Cool, thanks... Unfortunately the server is not in our domain... it's an external provider/hoster. – nWorx Nov 25 '11 at 12:19
  • Hopefully you have console access to the server via something like iLO - otherwise you risk locking yourself out while applying filters to the firewall. – Ian Murphy Nov 29 '11 at 12:58
-3

No. I would never ever put a W2K server directly onto the internet. IIS has many security problems, and Windows always has some, too.

This is also true for most Linux systems. Only (Open)BSD is better when it comes down to a good OS with regards to security holes.

At work we use a big WAF (web application firewall) in front of our web servers. This WAF analyzes incoming traffic and disallows unusual or malicious incoming requests. The WAF knows about security holes some days before the CERT goes public.

Nils