I've recently finished building a site for a company and after much debate the client has decided to host the site on their network file server (a Windows based server). I've never attempted anything like this before and am somewhat stumped. The server's already running IIS, so it's likely that'll be the web server software that'll be used... can anybody give me some advice on the necessary steps I'll have to take to get the server up and running and the site online? Any help much appreciated.
If not, they could well come unstuck and it may well be you that has to fix it when it goes wrong.
Hosting is cheap and can be outsourced, giving you some leeway when/if it goes wrong.
I would put a disclaimer on your side saying that you recommend getting someone whose job it is to do this, to do this.
I have a big toolbox in my house; when the car breaks down or needs servicing I don't get my toolbox out. I get a man that knows. :). I can put up shelves and drill holes though.
<edited by me twice ...crappy spelling on foreign keyboard>
He said it was running web servers on machines connected to the company systems (i.e. in their DMZ).
Horse's mouth. This guy was getting paid to fly around the world to tell people things like this.
So - if they want to do it, I think you are quite within your rights to say "OK - just give me the FTP codes when you have set it up, or would you like the files for you to publish yourself?"
There is no shame in saying "if you want it on your own server, you need to do that yourself".
- A separate server or servers for the website. DON'T host it on a file server already used for the local network! Besides the glaring security issues, it's just a bad idea from a performance standpoint.
- A full-time IT staff with someone on site or on call 24/7. If they don't have dedicated IT staff, the costs of having someone come in to do 15 minute, but VERY critical tasks will eat them alive.
- That staff needs to have real-world experience in firewall setup, operation, and monitoring. That includes the basics of a DMZ as well as the finer points of intrusion detection.
- A willingness to stay current on all patches that apply (that includes the routers).
- A dedicated line with more bandwidth than they have now. (If they already have the bandwidth they need for current business use, then they will need more for the website.) Most cable, DSL, or ISDN setups will cost more if you want to run a webserver over them. T1 and fractional T1s cost several hundred per month (varies widely by phone company).
- A willingness to occasionally be off-line because the internet connection is dead. Or a willingness to run in redundant connections from different sources.
- If this includes bringing the SMTP email handling in-house, then they will need to deal with all of the spam filtering issues.
All in all, unless the business already warrants a significant network operation with secure and fault-tolerant connections to the outside world, you really are better off paying $10 to $50 a month to someone that has all of that in place.
I've never attempted anything like this before
necessary steps I'll have to take to get the server up and running and the site online?
In addition to agreeing with all of the "this is a bad idea" posts, my question would be Why do they think it's YOUR job to do this for them all of a sudden? If it's not your area of expertise, politely tell them. Receptional is spot on.
Down the road, you may want to discuss hosting plans with clients before you do a site for them. Might help avoid surprises like this. Good luck!
I spent about 2 solid weeks researching Windows IIS server security, and finally concluded that it was not possible to get a standard office network secure on Windows products. Like the other posters say, pay a top end hoster 15-50 a month; use a FreeBSD hoster if you can, they tend to have the best uptime and stats according to Netcraft anyway.
the "Lan guy" thinks it's "your job" ....
Well ...as "wellington" used to say ( ukgimp will know this one )..my "flabber has rarely been so ghasted"..! ..
If he (the "Lan guy") thinks he can set up a "doze" server in any flavour "secure" then he's a fool...
If he says he has done one and would like some of us to "test" it for "hardness" ....won't break it ..just "shmooze" it a bit...
Bet he owns an itsy bitsy iPod too...soooo cute the lil ones!
good all purpose hack tool too ...
never let one in your machine room guys ; ))
Your customer lets their workers install their own stuff on the machines ..walk about with "floppies from home" in their pockets, play their own CDs in the office?....
Other stuff that is very very bad for your security:
oh yeah and digital cameras too ...
and usb plug in memory sticks ...
and re-written dongles...
and mobile phones ...
The list goes ever on ....I won't frighten you with it...
5 biggest growth industries ...in IT
#1 writing code in Redmond
#2 fixing holes in code written in Redmond
#3 exploiting holes still in place after #2
#4 security companies cleaning up after #1 to #3
#5 hackerz laughing at #1 to #4
BSD would be nice running elsewhere ..then again if they want to go the traditional route so would "case hardened" Apache ...without msql, php and all the other "doors" ...all unneeded ports locked and welded shut ...nice big hardware pare-feu ..followed by another one ...different brand just in case the first one's manufacturer had some labour dispute they didn't publicise .....
there are listz all over the hackwurldz ..of places like they want you to set up ...where 10 yr old system crashers cut their teeth and leave "I OWN YOU" tags all over the nice "doze" servers that "Lan guys" call secure....
And you personally don't do security ( me ..I don't often do mornings )...I don't think there is a specific forum here for it ...
Some of us know some stuff about different weaknesses and so on ...Baked jake is where you might ask about penguins in secure boxes ....
But everyone will tell you ...don't do security for the first time on a "doze" box ....it will end in tears ....rapidly...
( I normally charge for a "consultative rant" like that ...here in WebmasterWorld it's given away ..like many others in #4 ..and ex #3 )... ; ))
Check drive security permissions. Does the 'everyone' group still have full rights? Probably yes. If so, the network admin is totally incompetent, and could never get an even half secure IIS installation going.
Do you log on to the server in administrator mode using the user name 'administrator'? If so, it's unlikely anything else has been done right.
You can add to the list, but the odds of even one of the above having been done right are so low, given that the network admin would actually ask someone else to mess his system up, that it's not worth going on.
Follow Leosghost's advice, leave security to security experts, and don't use Windows servers.
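The two checks in the post above (the Everyone group still holding Full Control, and the built-in Administrator account still in use) can be audited from an elevated PowerShell prompt on the box. This is an added example, not code from the thread; the paths in $PathsToCheck are assumptions to be pointed at the drives and web root under review.

```powershell
# Added example, not from the thread. Audits the two weak defaults the post asks about:
# the built-in Everyone group (SID S-1-1-0) holding Full Control on a path, and the
# built-in Administrator account (RID 500) still enabled for logon.
# The paths are assumptions; point them at the drives and web root being reviewed.
$PathsToCheck = @('C:\', 'D:\', 'C:\inetpub\wwwroot')

function Find-EveryoneFullControl {
    param([string[]]$Path)
    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            # Resolve the ACE identity to a SID so a localized "Everyone" name still matches
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
            catch { continue }
            if ($sid.Value -eq 'S-1-1-0' -and $ace.AccessControlType -eq 'Allow' -and
                $ace.FileSystemRights.HasFlag($fullControl)) {
                [pscustomobject]@{
                    Path      = $p
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Get-BuiltinAdminState {
    # The built-in Administrator is the local account whose SID ends in -500,
    # whatever it has been renamed to (needs the LocalAccounts module, PowerShell 5.1+)
    Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' } |
        Select-Object Name, Enabled, LastLogon
}

$weakAces = @(Find-EveryoneFullControl -Path $PathsToCheck)
if ($weakAces.Count -gt 0) {
    Write-Warning "Everyone has Full Control on $($weakAces.Count) path(s):"
    $weakAces | Format-Table -AutoSize
} else {
    Write-Output 'No checked path grants Everyone Full Control.'
}

$admin = Get-BuiltinAdminState
if ($admin.Enabled) {
    Write-Warning "Built-in Administrator '$($admin.Name)' is still enabled; use named admin accounts instead."
}
```

Inherited ACEs are reported too, since a Full Control grant at the drive root flows down into the web root unless inheritance is broken there.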
Leosghost: very funny post, thanks, I needed a laugh, after the first probes against the installation I tried, which started I think about 1 week after I had the IIS server up, and which I had turned activity logging on in, I knew that there were a lot of people out there who are much better at getting in than I was at keeping them out just itching for me to keep that IIS installation up. I also knew that I would never see the log entries of those who were better at getting in than the failed attempts who were logged.
Everyone here is right that the costs associated with security, glitches, upkeep, reliable bandwidth, etc. do not justify this unless it is a really huge operation.
Unless they get an EXCEPTIONAL ISP, their T1 will be one of the smallest accounts and will be a low priority. The hosting company for which I worked had that problem for years before it found a better ISP -- and we were probably doing 10-20 times what this company is planning -- even if their site stays very busy. We would call about a T1 outage and the customer service would offer to bring us cell phones to last out the outage. No joke.
Their LAN guy probably thinks securing IIS is just a matter of keeping patches up to date. He couldn't be more wrong. Security is something one must plan in every application. You really must approach everything on the system with the idea: what vulnerabilities does this create? How could a hacker use this?
Oh, and a server on the LAN? As a web server? You need no further evidence of ignorance of the issues involved.
To cross-link, do this:
(url=full_url)here(/url)
replace ( and ) with [ and ], no quotes on url.
thanks :
for how to cross link here ...
(when you consider "disassembly 'n' all I should have known how to do this ...but the help files on wdasm are not too hot on "posting styles"....usually leaving your name is considered "bad form" 'n' stoopid ..where I came from! )......
and for making "eyes" at me .... : )
~~while we're "off topic"~~
do we have a security issues forum here at WebmasterWorld ...?
or do we just "exploit" the activeX or the javascript fora ...( sorry ..just slipped out ..couldn't help it! : ))..
Best stop... before I get into the "why does" XP have rounded corners?..."witicisms"....which are unsuitable for "family viewing" fora ....
sticky you later ....
do we have a security issues forum here at WebmasterWorld
There should be a security forum here, obviously, websites run on servers, ergo security problems. The MS forum is where they throw most of that when it does come up.
I think most security types go elsewhere; I don't remember ever coming across WebmasterWorld stuff when I was doing networking security searches, usually a few of the other big ones, Experts Exchange, the futility of TechNet error ID searches, can't remember the others. Problem is that (especially) Windows networking just doesn't tend to attract the top people as a rule, with some exceptions. When I sat in my MCSE classes I would always marvel at the students: average was a nice guy, somebody who maybe would have been fixing toasters 40 years ago, compared very poorly with Linux/Unix types, who would be bragging about having 10 OSs installed on their home PCs, wondering how to get in deeper to the guts.
Might have something to do with wanting to work with cookbook/cookie cutter solutions... open window x, click tab y, click 'properties', select option z... that's how all the MCSE books are, almost nothing about the actual OS beyond some vaguely generic system architecture stuff.
Doesn't help either that MS keeps trying to dumb it down: here's a secret, straight from the vaults: MS did a survey of IT managers, around 1998 or so, asked what was their biggest complaint: answer: the networking geeks who ran their systems. Solution: dumb it down so much you can plug and play your networking staff. Outcome: well, you know what the outcome is.
Personally, I like it that neither ASP, Windows, .NET, IIS or any other MS thing are considered worthy of having their own forums; it's a nice not so subtle disrespect of the topics.
....tend to get offended if you suggest Google might be a business like any other....
Kind of like folks in the US who think banks are public institutions REQUIRED to help them with their money problems, as opposed to being just like any other corp: only in business FOR the business of making money and keeping the stockholders happy....
And apropos the discussion itself: having now for 2 years watched a very nice, very bright nerd paint himself into a "we run our own server and it's COMPLETELY secure" corner, I can truthfully say that (due to a series of DoS attacks in the past month) home-grown and run servers are NOTHING for a small company to mess with. For one thing, a small company can't afford an IT guy who has enough security background to be useful. For another, a small company can't afford the LOSS OF BUSINESS that will occur WHEN (not IF!) their practically non-existent security is breached.
Most importantly, clients are going to come back to you when the mess occurs to clean it up. You also run the risk of being blamed for not informing the client of the dangers of do-it-yourself hosting. So, for your sake and the client's, avoid hosting.