By
implementing one or more firewalls with either a screened subnet from one
firewall or a DMZ implemented between two firewalls using stateful inspection,
packet filtering and web/server publishing. Anything less is asking for a
major intrusion and compromise. NAT is not even close to 'good enough' in
this type of scenario.
Also -
the IIS server(s) MUST be on the screened subnet or the DMZ - never on the
internal networkif they are going to be accessed by untrusted systems. It
would also be highly suggested to review Microsoft/SANS/NSA guidelines for
secure operations in this type of environment. All three put out
substantial and important documents detailing the lockdown procedures for
Windows systems and secure communications from trusted to untrusted
zones.
Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active
Directory
Associate Expert
Expert Zone -
www.microsoft.com/windowsxp/expertzone
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mr Teo
Sent: Tuesday, November 05, 2002 3:26 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] IIS behind firewallHi alli am setting up a network under active directory. then my company is usingclass c private adress. however the company also have a nat whoch hide thenetwork from the public. so how do i allow for e.g. all my staffs to hosttheir IIS by using the firewall?__________________________________________________Do you Yahoo!?HotJobs - Search new jobs daily now;)
