Firewall Wizards mailing list archives

RE: mitigating the lack of a firewall


From: "Starkey, Kyle" <Kyle.Starkey () msdw com>
Date: Tue, 15 Feb 2000 09:35:33 -0800

Danger Will Robinson.... Warning! Danger!
OK so it isn't that bad, but I would be frightened putting an NT IIS server
out on the internet standing alone.  This type of a machine, while it can be
locked down, is still pretty vulnerable to stack attacks due to the weak
stack that MS threw together as an afterthought.  If you are going to put
this box out on the internet all by itself and it was only serving static
content then I would say this might be OK, but at least block inbound ports
with some router ACL's to give you that warm cozy feeling.  If this box is
serving up dynamic content that requires you to reach into the enterprise
and get some data from your internal DB server, then NO, you should
definitely put it behind a firewall (and ACL's just to be safe).  At the
very least, Bruce, turn off the netbios connections on all interfaces so that
someone doesn't walk into your box and suck out the SAM (passwords kept
here).  Also run a vulnerability scanner (ISS, Cybercop, etc.) against it to
make sure you haven't missed anything, remember to not load the sample
files on IIS.  I think also Lance Spitzner wrote a paper on armoring NT,
check out http://www.enteract.com/~lspitz/pubs.html there should be
something there that is in PLAIN English that can help you.

just my paranoid .02
-Kyle
Information Security
MSDW Online

-----Original Message-----
From: Bruce H. Nearon [mailto:bhn () simlab net]
Sent: Saturday, February 12, 2000 8:03 AM
To: firewall-wizards () nfr net
Subject: mitigating the lack of a firewall


Suppose an Internet site does not have a firewall.  Can a securely
configured IIS 4.0 server running under securely configured NT 4.0
protect the site from unauthorized access and denial of service attacks?

Bruce Nearon, CPA
The Cohn Consulting Group
Roseland, New Jersey


