Block outsiders from accessing port 80.

[Guest]

Hello al

I have installed IIS 5.1 and I want to block everybody that does not belong to my domain to access my web sites. Unfortunately the organization I am working for does not have a central firewall solution so I am almost completely exposed. I have installed all latest updates and I am using Symantec Antivirus Corporate Edition 8.1.

To block everybody from outside I stopped Anonymous Access to my web sites (IIS default site properties->Directory Security-> Clear check-box Anonymous access) and I checked only Integrated Windows authentication.

I watch the IIS log everyday and I see foreign addresses trying to access my port 80 in bizarre ways e.g.
- 80 HEAD /MSADC/root.exe /c+dir+c:\ 401 5 194 130 0 HTTP/1.
- 80 HEAD /_vti_bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe /c+dir+c:\ 40
- 80 SEARCH / ± ± ± ±  (many or them) - 401 5 4644 67022 78 HTTP/1.

I hope that as long as these requests get a 401 answer they are blocked. Still I am very worried about this and I don’t know how to stop this situation.

I am quite new at this and my Internet Connection Firewall is not enabled because I access a lot of things on my file servers and I don’t want that to be stopped

Could somebody help me with this?

Thank you all for your time

PS: could you please suggest links for reading about controlling ports on XP Pr

 

[Lanwench [MVP - Exchange]]

Hello all

I have installed IIS 5.1 and I want to block everybody that does not
belong to my domain to access my web sites. Unfortunately the
organization I am working for does not have a central firewall
solution

Any reaspon why not? This seems pretty silly to me, especially as hardware
firewall appliances have gotten so cheap. I'd say your webserver access
issues are only part of the potential problems this network could have....my
first advice would be, have them put in a firewall, ASAP.

so I am almost completely exposed. I have installed all
latest updates and I am using Symantec Antivirus Corporate Edition
8.1.

To block everybody from outside I stopped Anonymous Access to my web
sites (IIS default site properties->Directory Security-> Clear
check-box Anonymous access) and I checked only Integrated Windows
authentication.

I watch the IIS log everyday and I see foreign addresses trying to
access my port 80 in bizarre ways e.g.:
- 80 HEAD /MSADC/root.exe /c+dir+c:\ 401 5 194 130 0 HTTP/1.0
- 80 HEAD
/_vti_bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe
/c+dir+c:\ 401
- 80 SEARCH / ± ± ± ± (many or them) - 401 5 4644 67022 78
HTTP/1.1

I hope that as long as these requests get a 401 answer they are
blocked. Still I am very worried about this and I don't know how to
stop this situation.

I am quite new at this and my Internet Connection Firewall is not
enabled because I access a lot of things on my file servers and I
don't want that to be stopped.

Good - the ICF isn't meant to be used on a LAN connection.

Could somebody help me with this?

I realize I haven't addressed the specifics, but honestly, the first step
has to be putting in a firewall to protect your network at the perimeter.

 

[Guest]

Dear Lanwenc

Thank you very much for your advice but we do not have the budget right now (small department of academic institution) for a central firewall solution. I am thinking of implementing a solution somebody proposed: 1 PC, 2 network cards and Linux, but as I told you I am quite new at this... and I am only one person for everything

So I really need to lockdown IIS, I saw an article on how to secure your Developer Workstation (MBSA, IISLockdown, URLScan) but I was wondering if there is a way to cut foreign IPs through XP pro

Thank you again for your time and help.

 

[Opti_mystic]

Bonset,

These days a good hardware firewall is less than $100, and
some are available for as little as $40. Not having a
firewall is going to cause you more problems than foreign
users trying to access your www server.

I would re-read Lanwench's advice and see if $100 or $40
isn't cheaper than a PC with two NIC's. Even for a small
academic department, this shouldn't be out of reach. The
other tools you mentioned (MBSA, IISLockdown, URLScan) are
all good steps, but without a firewall you are just
standing there with your finger in the dyke.

HTH. Good luck

Opti_mystic_69

-----Original Message-----
Dear Lanwench

Thank you very much for your advice but we do not have

the budget right now (small department of academic
institution) for a central firewall solution. I am
thinking of implementing a solution somebody proposed: 1
PC, 2 network cards and Linux, but as I told you I am
quite new at this... and I am only one person for
everything.

So I really need to lockdown IIS, I saw an article on how

to secure your Developer Workstation (MBSA, IISLockdown,
URLScan) but I was wondering if there is a way to cut
foreign IPs through XP pro.

 

[Lanwench [MVP - Exchange]]

Netgear FR114p = $80USD. It's worth it. Don't scrimp here.

 

[Guest]

Thank you both for your suggestions. I understand how crucial this is... and you are right. I'll change my priorities

Thank you again for your time and effort.

 

[Steve Riley [MSFT]]

Hang on, hope you'll still read this thread.

Help me understand the situation better. In your original post you said you
"want to block everybody that does not belong to my domain to access my web
sites." Is this server exposed to the Internet? Or is it accessible only
from an internal network?

Putting a firewall in front of the computer isn't necessarily the correct
thing to do, but it's practially impossible to give you good advice without
understanding better what your network is like, where the server is located
network-wise, and so on. Can you supply some more details?

 

[Guest]

Hello Steve,

Sorry for not answering sooner but I entered the forum again just today.

So, the situation is quite simple, I have this workstation (XP Pro SP1) with its IIS that is exposed to the Internet as every other workstation in my LAN (static IPs and some coverage from a "well configured rooter" that is out in my reach).

I want to lock down port 80 so that users outside my domain will not be able reach my IIS at all (as if it was behind a firewall solution).

I have already blocked anonymous access as I described in my original message, and it seems it is working… still I see some very annoying hits in the IIS log from people trying to access system files (see my original message).

Hope you are going to see this!

Thank you in advance for your time.