Hello,
I have posted this on the IIS forums as well, but I'm interested in input as it affects the server as well:
I'm fairly knowledgeable about setting up Windows servers, workstations, etc. I'm not well versed in the security side of the process. I know the basics: do updates, up-to-date protection, change passwords, etc. I generally stay away from IIS, and I've been asked to do something that is raising the hackles on the back of my neck. Basically, we have a Windows Server 2008 R2 with IIS on it running a medical practice software. The software company wants me to open port 443 directly to our primary/only application/file/data server. The company assures me that this is "safe" and that no one else has had any problems. My experience with IIS is that when working for a gov't agency, an IIS server was used to penetrate the network and completely subvert it. Luckily, this was a white-hat group that had been hired to check the security, but still, this is my experience with IIS and my gut tells me that I should recommend against this. So I've got a couple of questions:
1) Is this a good/bad idea on a small office server with no IDS system, the stock Verizon FIOS router/firewall, and no regular monitoring?
2) Is there a way to mitigate the risks that would be reasonable for a small office with no onsite tech support?
3) Verizon tells me that putting their Actiontec device into bridge mode is "not supported," so this means I cannot implement a better firewall such as a Cisco, Sonicwall, etc. To be fair, I've done this at home with a Cisco small business router and it works fine. Any comments on this? Reasons to put it in bridging mode, to not put it in bridging mode, personal experience with it?
4) If this is just a REALLY BAD IDEA, please give me specifics. The implementer told me that this is completely safe, they've never had any complaints, it’s the same way they implement it on their cloud service, etc. I explained that we have a basic firewall, no IDS, and no regular monitoring, but his only response was that if we don't want to use the system we don't have to.
Sorry if these are simple questions, but I don't set up, configure, or secure IIS. I'm not sure if I'm being overly nervous, if they are being stupidly optimistic, or somewhere in between.
Thanks,
Jeffery Smith