My structure is this:
Drive D is RAID 10, and replicated off-site to another identical server.
Site means the DNS name of the site, www.example.com. Need this as some clients will have more than 1.
Web root folders will be here:
D:\Web\Client\Site
D:\Web\Reseller\Client\Site
I want clients and resellers to have FTP, private and public optional, so that adds
D:\Web\Client\FTP
D:\Web\Reseller\Client\FTP
D:\Web\Reseller\FTP
For the public FTP anyways, the private will just be their 'root' folder.
Additionally, Resellers need access to all client data - apart from their FTP, that would be a security risk. I need the security to be solid as clients will have the ability to upload and execute server side scripts. And of course, IUSR will need access to everything.
Incidentally, not that it should make any difference for this, I'm running W2K SBS Server.
Thoughts/suggestions?
[edited by: Dabrowski at 12:59 pm (utc) on June 1, 2007]
Use baseline analyser regularly to make sure any default shares and accounts are properly locked down. Make sure to re-run it after you install any backup/recovery solutions or new hardware as they open up ports and create new Windows accounts.
If you are allowing that much FTP access, you want to have a stateful firewall, not just a router-type hardware firewall.
You want to start with the risks, like do you think any of your sites are likely to be hacked, are they business-critical apps, what's the impact of unauthorised access, etc.
At the moment I am just hosting a couple of my support clients, small, static sites, not many hits. So no, at the moment, they're not targets.
Although according to my Event Viewer, someone has been trying to guess my admin password on the FTP. Not worried about that, all they'll get is a folder with a message informing them that they are not of a heterosexual nature. And Administrator does NOT have VPN access, just in case anyone does get it. But that hasn't appeared for months in any case.
But I want to expand into e-commerce, and am planning a couple of sites of my own, so the server will be running SQL holding credit/bank details and address, so yes, very targetable. I don't want to be the next TK Maxx!
Use baseline analyser regularly to make sure any default shares and accounts are properly locked down.
I'm not worried about file shares, the only people that have access are me, and my remote server via VPN.
If you are allowing that much FTP access, you want to have a stateful firewall, not just a router-type hardware firewall
Not sure what you mean by that? I have set up Input Filters using RRAS to block pretty much everything, only allowing DNS, HTTP, FTP, POP3, SMTP, and VPN. It has the unfortunate consequence of blocking passive FTP, but no big deal.
With regard to the file structure, I was thinking of removing the 'Authorised Users' from the default, and adding client-specific access to their particular folders. I think that will cover that part of it.
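
As an added example (not code from any poster in this thread), this Python sketch models the folder plan discussed above, with each Site and FTP folder carrying its own ACL, and lists the folders a client's uploaded script could reach outside that client's own tree. It assumes scripts run as the site's anonymous web identity and that inheritance is blocked at each listed folder; the tenant names and the per-site `IUSR_<name>` accounts are hypothetical.

```python
from pathlib import PureWindowsPath as P

ROOT = P(r"D:\Web")

def base_dir(reseller, client):
    return ROOT / reseller / client if reseller else ROOT / client

def web_identity(name, shared):
    # shared: one anonymous account for all sites (the thread's "IUSR");
    # otherwise a hypothetical dedicated anonymous account per tenant.
    return "IUSR" if shared else f"IUSR_{name}"

def build_acl(tenants, shared):
    """tenants: (reseller or None, client, site) -> {folder: allowed principals}."""
    acl = {}
    for reseller, client, site in tenants:
        base, web = base_dir(reseller, client), web_identity(client, shared)
        acl[base / site] = {client, web} | ({reseller} if reseller else set())
        acl[base / "FTP"] = {client, web}  # reseller excluded, as the post requires
        if reseller:
            acl[ROOT / reseller / "FTP"] = {reseller, web_identity(reseller, shared)}
    return acl

def allowed(acl, principal, path):
    """Nearest ancestor with an explicit ACL decides (inheritance assumed blocked)."""
    for folder in [path, *path.parents]:
        if folder in acl:
            return principal in acl[folder]
    return False

def violations(tenants, shared):
    """Folders outside a client's own tree that its uploaded scripts can reach
    (scripts assumed to run as the site's anonymous web identity)."""
    acl, found = build_acl(tenants, shared), []
    for reseller, client, _ in tenants:
        own, web = base_dir(reseller, client), web_identity(client, shared)
        for folder in acl:
            if own not in [folder, *folder.parents] and allowed(acl, web, folder):
                found.append((client, str(folder)))
    return sorted(found)

# Constructed sample tenants following the thread's folder layout.
TENANTS = [(None, "ClientA", "www.example.com"),
           ("ResellerR", "ClientB", "www.example.org"),
           ("ResellerR", "ClientC", "www.example.net")]

if __name__ == "__main__":
    for shared in (True, False):
        print("shared IUSR" if shared else "per-site identity",
              "->", len(violations(TENANTS, shared)), "cross-tenant folders reachable")
```

With one shared anonymous account on every folder, the per-client NTFS entries do not separate tenants from each other's scripts; with a distinct identity per site, the same plan reports no cross-tenant reach.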