Welcome to WebmasterWorld Guest from 220.127.116.11
I've recently finished building a site for a company and after much debate the client has decided to host the site on their network file server (a Windows based server). I've never attempted anything like this before and am somewhat stumped. The servers already running IIS, so its likely that'll be the web server software that'll be used....can anybody give me some advice on the neccessary steps i'll have to take to get the server up and running and the site online? Any help much appreciated.
If not they could well come unstuck and it may well be you that has to fix it when it goes wrong.
Hosting is cheap and can be outsourced giving you some leway when/if it goes wrong.
I would put a disclaimer on your side saying that you recommend getting someone who's job it is to do this, to do this.
I have a big toolbox in my house, when the car breaks down or needs servicing I dont get my toolbox out. I get a man that knows. :). I can put up shelves and drill holes though.
<edited by me twice ...crappy spelling on foreign keyboard>
He said it was running web servers on machines connected to the company systems. (ie in their DMZ).
Horse's mouth. This guy was getting paid to fly around the world to tell people things like this.
So - if they want to do it, I think you are quite within your rights to say "OK - just give me the FTP codes when you have set it up, or would you like the files for you to publish yourself?"
There is no shame in saying "if you want it on your own server, you need to do that yourself".
- A seperate server or servers for the webiste. DON'T host it on a file server already used for the local network! Besides the glaring security issues, its just a bad idea from a performance stand-point.
- A full-time IT staff with someone on site or on call 24/7. If they don't have dedicated IT staff, the costs of having someone come in to do 15 minute, but VERY critical tasks will eat them alive.
- That staff needs to have real-world experience in firewall setup, operation, and monitoring. That includes the basics of a DMZ as well as the finer points of intrusion detection.
- A willingness to stay current on all patches that apply (that includes the routers).
- A dedicated line with more band-width than they have now. (If they already have the bandwidth they need for current business use, then they will need more for the website) Most cable, dsl, or isdn setups will cost more if you want to run a webserver over them. T1 and fractional T1s cost several hundred per month (varies widely by phone company).
- A willingness to occassionally be off-line because the internet connection is dead. Or a willingness to run in redundant connections from different sources.
- If this includes bringing the SMTP email handling in-house, then they will need to deal with all of the spam filtering issues.
All in all, unless the business already warrants a significant network operation with secure and fault-tolerant connections to the outside world, you really are better off paying $10 to $50 a month to someone that has all of that in place.
I've never attempted anything like this before
necessary steps i'll have to take to get the server up and running and the site online?
In addition to agreeing with all of the "this is a bad idea" posts, my question would be Why do they think it's YOUR job to do this for them all of a sudden? If it's not your area of expertise, politely tell them. Receptional is spot on.
Down the road, you may want to discuss hosting plans with clients before you do a site for them. Might help avoid surprises like this. Good luck!
I spent about 2 solid weeks researching windows iis server security, and finally concluded that it was not possible to get a standard office network secure on windows products. Like the other posters say, pay a top end hoster 15-50 a month, use a freeBSD hoster if you can, they tend to have the best uptime and stats according to netcraft anyway.
the "Lan guy" thinks it's "your job" ....
Well ...as "wellington" used to say ( ukgimp will know this one )..my "flabber has rarely been so ghasted"..! ..
If he ( the "Lan guy" )thinks he can set up a "doze" server in any flavour "secure" then he's a fool...
If he says he has done one and would like some of us to "test" it for "hardness" ....wont break it ..just "shmooze" it a bit...
Be he owns an itsy bitsy ipod too...soooo cute the lil ones!
good all purpose hack tool too ...
never let one in your machine room guys ; ))
Your customer let their workers install their own stuff on the machines ..walk about with "floppies from home" in their pockets , play their own CD's in the office?....
Other stuff that is very very bead for your security
oh yeah and digital cameras too ...
and usb plug in memory sticks ...
and re-written dongles...
and mobile phones ...
The list goes ever on ....I won't frighten you with it...
5 biggest growth industries ...in IT
#1 writing code in Redmond
#2 fixing holes in code written in Redmond
#3 exploiting holes still in place after #2
#4 security companies cleaning up after #1 to #3
#5 hackerz laughing at #1 to #4
BSD would be nice running elsewhere ..then again if they want to go the traditional route so would "case hardened" apache ...without msql,php and all the other "doors" ...all uneeded ports locked and welded shut ...nice big hardware pare feu ..followed by another one ...different brand just in case the first ones manufacturer had some labour dispute they didn't publicise .....
there are listz all over the hackwurldz ..of places like they want you to set up ...where 10 yr old system crashers cut their teeth and leave "I OWN YOU" tags all over the nice "doze" servers that "Lan guys" call secure....
And you personally don't do security ( me ..I don't often do mornings )...I don't think there is a specific forum here for it ...
Some of us know some stuff about different weakneses and so on ...Baked jake is where you might ask about penguins in secure boxes ....
But everyone will tell you ...dont do security for the first time on a "doze" box ....it will end in tears ....rapidly...
( I normally charge for an "consultative rant" like that ...here in WebmasterWorld it's given away ..like many others in #4 ..and ex #3 )... ; ))
Check drive security permissions. Does the 'everyone' group still have full rights? Probably yes. If so, the network admin is totally incompetent, and could never get an even half secure IIS installation going.
Do you log on to the server in administrator mode using the user name 'administrator'. If so, it's unlikely anything else has been done right.
You can add to the list, but the odds of even one of the above having been done right are so low given that the network admin would actually ask someone else to mess his system up that's it's not worth going on.
Follow Leosghost advice, leave security to security experts, and don't use windows servers.
Leosghost: very funny post, thanks, I needed a laugh, after the first probes against the installation I tried, which started I think about 1 week after I had the IIS server up, and which I had turned activity logging on in, I knew that there were a lot of people out there who are much better at getting in than I was at keeping them out just itching for me to keep that IIS installation up. I also knew that I would never see the log entries of those who were better at getting in than the failed attempts who were logged.
Everyone here is right that the costs associated with security, glitches, upkeep, reliable bandwidth, etc. do not justify this unless it is a really huge operation.
Unless they get an EXCEPTIONAL ISP, their T1 will be one of the smallest accounts and will be a low priority. The hosting company for which I worked had that problem for years before it found a better ISP -- and we were probably doing 10-20 times what this company is planning -- even if their site stays very busy. We would call about a T1 outage and the customer service would offer to bring us cell phones to last out the outage. No joke.
Their LAN guy probably thinks securing IIS is just a matter of keeping patches up to date. He couldn't me more wrong. Security is something one must plan in every application. You really must approach everything on the system with the idea, what vulnerabilities does this create? How could a hacker use this?
Oh, and a server on the LAN? As a web server? You need no further evidence of ignorance of the issues involved.
to cross link, do this:
replace ( and ) with [ and ], no quotes on url.
for how to cross link here ...
(when you consider "disassembly 'n' all I should have known how to do this ...but the help files on wdasm are not to hot on "posting styles"....usually leaving your name is considered "bad form" 'n' stoopid ..where I came from! )......
and for making "eyes" at me .... : )
~~while we're "off topic~~
do we have a security issues forum here at WebmasterWorld ...?
Best stop... before I get into the "why does" XP have rounded corners?..."witicisms"....which are unsuitable for "family viewing" fora ....
sticky you later ....
do we have a security issues forum here at WebmasterWorld
There should be a security forum here, obviously, websites run on servers, ergo security problems. The MS forum is where they throw most of that when it does come up.
I think most security types go elsewhere, I don't remember ever coming across WebmasterWorld stuff when I was doing networking security searches, usually a few of the other big ones, experts exchange, the futility of technet error id searches, can't remember the others, problem is that (especially) windows networking just doesn't tend to attract the top people as a rule, with some exceptions, when I sat in my MCSE classes I would always marvel at the students, average was a nice guy, somebody who maybe would have been fixing toasters 40 years ago, compared very poorly with Linux/Unix types, who would be bragging about having 10 os's installed on their home pc's, wondering how to get in deeper to the guts.
Might have something to do with wanting to work with cookbook/cookie cutter solutions... open window x, click tab y, click 'properties', select option z... that's how all the mcse books are, almost nothing about the actual os beyond some vaguely generic system architecture stuff.
Doesn't help either that ms keeps trying to dumb it down: here's a secret, straight from the vaults: ms did a survey of IT managers, around 1998 or so, asked what was their biggest complaint: answer: the networking geeks who ran their systems. Solution: dumb it down so much you can plug and play your networking staff. Outcome: well, you know what the outcome is.
Personally, I like it that neither asp, windows, .net, iis or any other ms thing, are considered worthy of having their own forums, it's a nice not so subtle disrespect of the topics.
....tend to get offended if you suggest google might be a business like any other....
Kind of like folks in the US who think banks are public institutions REQUIRED to help them with their money problems, as opposed to being just like any other corp: only in business FOR the business of making money and keeping the stockholders happy....
And apropos the discussion itself: having now for 2 years watched a very nice, very bright nerd paint himself into a "we run our own server and it's COMPLETELY secure" corner, I can truthfully say that (due to a series of DOS attacks in the past month) home-grown and run servers are NOTHING for a small company to mess with. For one thing, a small company can't afford an IT guy who has enough security background to be useful. For another, a small company can't afford the LOSS OF BUSINESS that will occur WHEN (not IF!) their practically non-existent security is breached.
Most importantly, clients are going to come back to you when the mess occurs to clean it up. You also run the risk of being blamed for not informing the client of the dangers of do-it-yourself hosting. So, for your sake and the client's, avoid hosting.