Hosting security

Monkey

At present we host our own web servers in a hosting centre. The web servers
are on a workgroup with a Cisco firewall between them and the back-end
database servers (SQL). Obviously only the database ports are open on this
firewall.

We are in the process of changing all our equipment and I was just wondering
if anyone had any opinions on 'best practice' for this sort of environment?

From an admin sort of view, it would be easier if all on same domain and
SCOM would work better that way but this would open up our SQL servers to
possible attack.

Thanks
 
S. Pidgorny

The firewall between the Web server and the database server in a Web hosting
scenario doesn't add much security but adds cost. In every attack scenario
that doesn't involve the hosting company staff, the first step for
compromising your environment is to compromise the Web server, at which
stage the mission is pretty much accomplished. The firewall doesn't protect
from SQL injection either.

Microsoft's guidance for Web hosting can be found at
http://www.microsoft.com/serviceproviders/solutions/windowsserverhostingguidance.mspx.
As you can see (http://learn.iis.net/page.aspx/118/sample-architecture-i/),
there are no firewalls.

And yes, using a single domain is a good idea, and firewalls separating parts
of the domain is not.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Monkey" <Monkey@discussions.microsoft.com> wrote in message
news:16124C2C-000F-4EAA-8BEA-9148464D3CF8@microsoft.com...
> At present we host our own web servers in a hosting centre. The web servers
> are on a workgroup with a Cisco firewall between them and the back-end
> database servers (SQL). Obviously only the database ports are open on this
> firewall.
>
> We are in the process of changing all our equipment and I was just wondering
> if anyone had any opinions on 'best practice' for this sort of environment?
>
> From an admin sort of view, it would be easier if all on same domain and
> SCOM would work better that way but this would open up our SQL servers to
> possible attack.
>
> Thanks
 