----- Original Message -----
From: "Erick Thompson" <[EMAIL PROTECTED]>
Sent: Wednesday, April 10, 2002 3:29 PM
Subject: Re: OT: IIS Security or Smoking crack?

> If your server is on a non-public network, then IIS or not, it's as secure
> as anything on your LAN. I suppose you could get an employee cracking IIS to
> get to something, but I doubt that would happen (they would be easily
> caught). More to the point, if there is something on the IIS server that is
> important to keep safe, why would you put it into a less secure area?

I am in favour of being rigorous about securing the IIS dev servers such that they are in a zone with no outbound connections possible, inbound over port 90 only, and with an ArrowPoint or similar in front. If that is what your final configuration is going to be. You need to make sure your code works in such a config, ops need to get used to managing it, and you need practice getting deployment.

But from a security perspective they are being over paranoid, and that is a worry because if they are strict in that way, they will be strict in others. Before long you won't have admin rights, or be able to run a debugger on the box, then they will take your login entirely. Get your retaliation in early and argue your case now, because they will only press for more.

-steve