Re: Opening port 80&443 not only opens OWA but also Companyweb access?
12-19-06
Not only his opinion. Also mine and many, many others. There is no _good_
reason to open port 80 unless you choose to host your own web site to the
world on your SBS box. Which is NOT a good practice. And in the specific
case we're talking about here, OWA access, there is definitely no reason.
--
Charlie.
http://msmvps.com/xperts64
"MSR Consulting SBS Support" <support@msrportal.com> wrote in message
news:admin.2j1oea@at.msrportal.com...
>
> As much as I am straining to keep from entering a debate here...
>
> Can we simply agree that that is your opinion and therefore should not
> be stated as fact?
>
>
> --
> admin
>
> Matt Ridings - MSR Consulting
> ------------------------------------------------------------------------
> admin's Profile: http://forums.msrportal.com/member.php?userid=1
> View this thread: http://forums.msrportal.com/showthread.php?t=14484
>

Re: Opening port 80&443 not only opens OWA but also Companyweb access?
12-19-06
In article <admin.2j1h6a@at.msrportal.com>, support@msrportal.com
says...
>
> Surely we're not going to have that discussion again
>
> There are facts, there are opinions, and then there are situations.
> All are valid depending upon the circumstances, but none are
> 'absolutes'. :)
And there is a fact that port 80 is not needed to use any of the
functions provided by the server. If it's needed on port 80, the service
can be configured for port 443.
--
spam999free@rrohio.com
remove 999 in order to email me

Re: Opening port 80&443 not only opens OWA but also Companyweb access?
12-19-06
In article <admin.2j1oea@at.msrportal.com>, support@msrportal.com
says...
>
> As much as I am straining to keep from entering a debate here...
>
> Can we simply agree that that is your opinion and therefore should not
> be stated as fact?
The community, at least 99% of us, agree that exposing port 80 on a SBS
server is very bad and normally leads to compromised boxes. With that in
mind, since we have port 443 for websites, and since it's a given
standard to NOT host public websites on SBS, it's not Opinion.
Good to see that you've fixed your sig.
--
spam999free@rrohio.com
remove 999 in order to email me

Re: Opening port 80&443 not only opens OWA but also Companyweb access?
12-19-06
What's amazing to me is that the statement "Can we simply agree that that is your opinion and therefore should not be stated as fact?" seems to be so difficult for some of you.
Do you really believe that you've somehow cornered the market on the multitude of usages of SBS, that you can factually make statements on this issue with the words 'never', etc.? I thought I made it clear I had no desire for a debate. I also think it's pretty clear that if the manufacturer of the product that you service decides that it's OK with them if you want to use port 80, but you disagree, then it must be a matter of opinion (otherwise no disagreement, right?).
You seem to believe that *I* think it's a good practice to leave open 80 if you don't need it. I don't.
That doesn't change the fact that it's our *opinion*. The reason *we* as a community (as far as I know) don't think it's a good idea is the simple fact that it's easier to attract attention with port 80 open. Although, I guess someone could argue that since many port scans these days *start* on 443 to try and find commerce sites, that point is debatable. That said, I also don't believe that there is anything inherently insecure about leaving the default SBS config on port 80, nor do I believe that putting a redirect on an ISP site helps one bit (it still attracts the same attention, and any scan utilizing DNS records will simply follow the ports to the IP they reside at. Not sure what it gains you in the long run.)
Now perhaps you guys are more arrogant than I am in regards to your opinions, but unless you're prepared to say that IIS is simply insecure in its own right, and therefore RWW, and anything else you choose to run through it, should be shut down, I can't truthfully tell a client anything other than "*I believe* it could attract unnecessary attention to your box, and therefore increase your likelihood of attacks". I can't say that it increases the hacker's likelihood of *success*, nor can I say that they are idiots if they are still willing to do so after being advised. If they're informed, I'll happily open it up.
If you can show me, however, where the SBS config for redirect on port 80 can be more easily hacked into than 443, then by all means do so and I'll advise my clients (and Microsoft, since it's in all their documentation) to that effect. Until then, yes, I say it is our OPINION and should not be stated as some sort of fact, nor should we treat others who choose to do so as somehow unintelligent about the so-called 'facts' unless you're willing to back that up. In the end, ports are ports. I don't like 80 simply because it's so common; that has nothing to do with making it insecure, however. I'd just prefer not to announce my presence so loudly that others might take notice. It's *after* they take notice that you have to worry about ports... and 80 typically isn't the one to worry about. I'd start with POP, IMAP, etc. personally, but you do what you want.
If you want to advise others here about the potential risks of doing so on the other hand, awesome, that's a welcome service to all. Why it is that it appears to offend some of you that someone might not agree with your opinion is beyond me.
P.S. - it appears that no matter how hard I tried to avoid a debate here, it's impossible amongst us geeks. Think about what I asked in my post, and then look at the responses. And here I thought 'proportional response' was something only discussed in the circles of warfare.
__________________
Matt Ridings - MSR Consulting

Re: Opening port 80&443 not only opens OWA but also Companyweb access?
12-19-06
In article <admin.2j2v6a@at.msrportal.com>, support@msrportal.com
says...
>
> What's amazing to me, is that the statement "Can we simply agree that
> that is your opinion and therefore should not be stated as fact?" seems
> to be so difficult for some of you?.
It's almost impossible to know who, if an individual, you are responding
to as your reply contains no quoted text again.
> Do you really believe that you've somehow cornered the market on the
> multitude of usages of SBS that you can factually make statements on
> this issue with the words 'never', etc.? I thought I made it clear I
> had no desire for a debate? I also think it's pretty clear that if the
> manufacturer of the product that you service decides that if you want to
> use port 80 that it's ok with them, but you disagree, that it must be a
> matter of opinion....(otherwise no disagreement right?).
Forgive me, but, this has to be said: If you had enough experience in
the Windows OS field, with customers, then you would know to never
provide a public web solution on a non-dedicated Windows OS box. It's a
simple matter of FACT, that the quickest way to compromise a box is to
run a public web server and give control/maintenance of that box to a
noob or non-technical type (you know, the target of most SBS installs).
> You seem to believe that *I* think it's a good practice to leave open
> 80 if you don't need it. I don't.
And you seem to miss the "I'm going to show you this way only for this
class, but never do it in a production environment" way of talking to
people. If you tell people they "Can" do something, but that it's best
not to do it, they WILL do it.
> That doesn't change the fact that it's our *opinion*. The reason *we*
> as a community (as far as I know) don't think it's a good idea is the
> simple fact that it's easier to attract attention with port 80 open.
> Although, I guess someone could argue that since many port scans these
> days *start* on 443 to try and find commerce sites, that that point is
> debatable. That said, I also don't believe that there is anything
> inherently insecure about leaving the default SBS config on port 80,
> nor do I believe that putting a redirect on an ISP site helps one bit
> (it still attracts the same attention, and any scan utilizing dns
> records, will simply follow the ports to the IP they reside at. Not
> sure what it gains you in the long run.)
If you don't believe that port 80 exposed to the public, on SBS (or any
other platform provided by MS) is a serious risk, then you don't have
enough experience with the platform or security.
> Now perhaps you guys are more arrogant than I am in regards to your
> opinions, but unless you're prepared to say that IIS is simply insecure
> in its own right, and therefore RWW, and anything else you choose to run
> through it should be shutdown, I can't truthfully tell a client anything
> other than "*I believe* it could attract unnecessary attention to your
Arrogant! WTF, you sound like a little kid that believes he has to be
right because you can't possibly be wrong, that people who have been
doing this for decades can't possibly be right if it contradicts your
"opinion".
In all the years I've been designing secure networks I've never had one
compromised, not one, and I've seen zillions (that's a lot) of attempts
on HTTP, few on HTTPS, and know for a fact that it's very easy to
compromise an improperly secured (and I'm not talking about just the
OS/IIS) server.
Maybe you should install IIS on a Windows Server, then setup logging to
a SQL database for all the connections (do the same for the SSL
connections) and then review the connection attempts and what they pass
in the connection header. You might learn a lot more.
> box, and therefore increase your likelihood of attacks". I can't say
> that it increases the hackers likelihood of *success*, nor can I say
> that if they are willing to still do so after being advised that they
> are idiots. If they're informed, I'll happily open it up.
>
> If you can show me however where the SBS config for redirect on port 80
> can be more easily hacked into than 443 then by all means do so and I'll
> advise my clients (and Microsoft, since it's in all their documentation)
> to that effect.
Again - WTF! Why not read CERT or other security bodies and see how they
feel, you're showing your contempt for the group and your lack of
understanding and experience, and YOUR Arrogance is really starting to
hack me off.
[snip]
> p.s. - it appears no matter how hard I tried to avoid a debate here,
> it's impossible amongst us geeks.
You can't have a constructive discussion unless you are willing to be
wrong.
--
spam999free@rrohio.com
remove 999 in order to email me
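One way to do the log review spam999free suggests, as an added example that is not part of this thread and not any poster's code: instead of the IIS-to-SQL setup he describes, it parses IIS W3C extended log lines offline in Python, separates the port 80 hits that are only the SBS redirect from anything actually served in the clear on 80 (a Companyweb page, an OPTIONS response), and counts known scanner probes per source address. The field list is the standard IIS W3C extended format; the log lines and the probe strings are constructed for illustration, not captured from any real server.

```python
"""Added example (not from any post in this thread): review IIS W3C
extended logs from an SBS box whose port 80 should only redirect browsers
to the HTTPS side, and whose 443 carries OWA/RWW/Companyweb.

Assumptions: the #Fields line matches what IIS 6/7 write for the default
field set; the log lines and probe strings below are constructed for
illustration, not captured from any real server.
"""
import re
from collections import Counter

# Constructed sample log: a few legitimate hits plus two scanner probes.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-12-19 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-12-19 00:01:02 192.168.16.2 GET /remote - 80 - 203.0.113.10 Mozilla/4.0+(compatible;+MSIE+6.0) 302 0 0
2006-12-19 00:01:03 192.168.16.2 GET /Remote/logon.aspx - 443 - 203.0.113.10 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2006-12-19 00:02:10 192.168.16.2 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 80 - 198.51.100.7 - 404 0 2
2006-12-19 00:02:11 192.168.16.2 GET /w00tw00t.at.ISC.SANS.DFind:) - 80 - 198.51.100.7 - 400 0 0
2006-12-19 00:03:00 192.168.16.2 GET /exchange/ - 80 - 203.0.113.44 Mozilla/5.0 302 0 0
2006-12-19 00:03:05 192.168.16.2 GET /companyweb/default.aspx - 80 - 203.0.113.44 Mozilla/5.0 200 0 0
2006-12-19 00:04:00 192.168.16.2 OPTIONS / - 80 - 198.51.100.9 - 200 0 0
2006-12-19 00:05:00 192.168.16.2 GET /exchange/ - 443 jdoe 203.0.113.44 Mozilla/5.0 200 0 0
"""

# Well-known scanner/worm strings seen on port 80 in that era (illustrative
# list, extend it from your own logs): Unicode/double-dot traversal, cmd.exe
# and root.exe (Code Red/Nimda), DFind's w00tw00t marker, cgi-bin sweeps.
PROBE_RE = re.compile(
    r"\.\.[/%]|%c0%af|%c1%1c|%c1%9c|cmd\.exe|root\.exe|w00tw00t|/cgi-bin/",
    re.IGNORECASE,
)


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()  # IIS writes '+' for spaces inside a field
        if fields is None or len(values) != len(fields):
            continue  # skip malformed rows instead of guessing columns
        rec = dict(zip(fields, values))
        rec["s-port"] = int(rec["s-port"])
        rec["sc-status"] = int(rec["sc-status"])
        records.append(rec)
    return records


def is_probe(rec):
    """True if the request path or query carries a known scanner pattern."""
    target = rec["cs-uri-stem"]
    if rec["cs-uri-query"] != "-":
        target += "?" + rec["cs-uri-query"]
    return PROBE_RE.search(target) is not None


def review(records):
    """Summarise what port 80 actually did versus what it should do.

    served_in_clear lists every 2xx answered on port 80: on a box that is
    supposed to redirect only, each entry is content (Companyweb, OPTIONS,
    ...) reachable without TLS and worth either closing or moving to 443.
    """
    by_port = Counter(r["s-port"] for r in records)
    served_in_clear = [
        (r["cs-method"], r["cs-uri-stem"], r["sc-status"])
        for r in records
        if r["s-port"] == 80 and 200 <= r["sc-status"] < 300
    ]
    probes_by_ip = Counter(r["c-ip"] for r in records if is_probe(r))
    return {
        "by_port": dict(by_port),
        "served_in_clear": served_in_clear,
        "probes_by_ip": dict(probes_by_ip),
    }


if __name__ == "__main__":
    summary = review(parse_w3c(SAMPLE_LOG))
    print("requests by port:", summary["by_port"])
    print("2xx served on port 80 (should be redirects only):")
    for method, stem, status in summary["served_in_clear"]:
        print(f"  {method} {stem} -> {status}")
    print("probe attempts by client IP:", summary["probes_by_ip"])
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; anything that lands in served_in_clear is exactly the case the thread title warns about (a 2xx for /companyweb on port 80 means the site was reachable without TLS, not merely redirected), and the probe counts show which source addresses were sweeping the cleartext side.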

Re: Opening port 80&443 not only opens OWA but also Companyweb access?
12-19-06
Here are some quotes for you...
>Forgive me, but, this has to be said: If you had enough experience in
>the Windows OS field, with customers, then you would know to never
>provide a public web solution on a non-dedicated Windows OS box. It's a
>simple matter of FACT, that the quickest way to compromise a box is to
>run a public web server and give control/maintenance of that box to a
>noob or non-technical type (you know, the target of most SBS installs).
Yep, that sounds like me. No Windows experience. By the way, let me know when you've shut down all of your clients' RWW and OWA. As those of course are "public web solutions on non-dedicated Windows OS box". I don't know the point you're making here, but you make it very strongly, so at least that's something.
>And you seem to miss the "I'm going to show you this way only for this
>class, but never do it in a production environment" way to talking to
>people. If you tell people they "Can" do something, but that it's best
>not to do it, they WILL do it.
I don't treat my clients like children, or idiots. Oh well, to each their own I guess.
>If you don't believe that port 80 exposed to the public, on SBS (or any
>other platform provided by MS) is a serious risk, then you don't have
>enough experience with the platform or security.
That could certainly be true. Could you enlighten me on what those serious risks are? I've got this nagging problem with desiring facts. I stated the ones that I perceive (well, the *one* that I perceive anyway), what are yours? You do realize you're preaching to the choir right? Does it just bug you that even though I personally don't like it, I allow room for the fact that others could have valid reasons for using it? Not really sure I get your gripe.
>Arrogant! WTF, you sound like a little kid that believes he has to be
>right because you can't possibly be wrong, that people who have been
>doing this for decades can't possibly be right if it contradicts your
>"opinion".
Don't know what's funnier, the irony in that statement given what this post is about or the fact that if my 'opinion' on the matter is effectively the same as yours what does it mean? If you had read the post you would know that my only issue was with someone stating that there was 'never' a situation in which to use port 80. And while I personally don't like port 80 being open, I know others who are just as smart as we are and don't think it's such a huge risk at all, therefore requested that if we're going to give out advice as experts that we delineate between opinion and fact. Are you just angry by nature?
>In all the years I've been designing secure networks I've never had one
>compromised, not one, and I've seen zillions (that's a lot) of attempts
>on HTTP, few on HTTPS, and know for a fact that it's very easy to
>compromise an impropterly secured (and I'm not talking about just the
>OS/IIS) server.
I have to assume that's true of most of us here, wouldn't you say? Are you then saying that SBS has a security flaw that can be taken advantage of on its port 80 redirect? Have you alerted MS, CERT, and the press? MS needs to know so that it can modify its default configuration, don't you think?
>Maybe you should install IIS on a Windows Server, then setup logging to
>a SQL database for all the connections (do the same for the SSL
>connections) and then review the connection attempts and what they pass
>in the connection header. You might learn a lot more.
Actually, I also own and used to run a hosting company and we run quite a bit more than just logging, but not sure how watching all of those little bits fly by representing an attempt to connect equals a security risk on a port 80 redirect? Again, would appreciate more info on this massive risk so that I can educate myself and clients better.
>Again - WTF! Why not read CERT or other security bodies and see how they
>feel, you're showing your contempt for the group and your lack of
>understanding and experience, and YOUR Arrogance is really starting to
>hack me off.
See how they feel about what? SBS's default configuration for port 80? Don't recall ever seeing a statement issued by CERT on that one even though they're on my pager alerts, guess I missed it.
Look, you and I think port 80 by default is a bad idea. We apparently disagree on how vehemently we should scream that from the mountaintops, but so what? If you, or anyone else, can provide me with *real* ammunition then give it to me for Christ's sake! All I have at the moment that I know for sure is that having the port 80 redirect open *could potentially* increase the amount of attention your server gets from 'nefarious no-gooders' out there in internet land. If there is something else (and for the last time, we're *not* talking about hosting websites!!!! but the SBS configuration that is built in by default), please provide it so that I know about it instead of just personal attacks.
__________________
Matt Ridings - MSR Consulting