Looking for feedback on public website security config

Subject: Looking for feedback on public website security config
Posted by: driley (dril…@discussions.microsoft.com)
Date: Fri, 25 Jan 2008

In my work environment we have a vendor provided solution running on our
internal network. The solution is in its own domain and there are no trust
relationships to our domain.

The vendor has a web application that they want to publish on the internet
for a limited number of users. The web application uses IIS and is installed
on their domain controller, which also hosts their application. Some of our
confidential customer information is stored on this system.

The vendor is trying to tell us that all we need to do to make this system
secure is to install an SSL certificate and open up 80 and 443 on the
firewall. The system sits inside our network and is not in a DMZ or otherwise
isolated from other internal systems.

The domain controller is not hardened in any way and is running IIS and SQL.
Basically they want to make a domain controller into a web server and they
are saying that an SSL certificate will make this a secure solution.

Someone tell me if I am wrong in thinking that this sounds like a bad idea.
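An added host-side check for the situation the post describes (this is example code, not anything from the poster or the vendor): run in an elevated PowerShell 3.0-or-later session on the vendor's server, it reports whether the box is a domain controller, whether IIS and SQL Server are installed alongside AD DS, which identity each IIS application pool runs as, and everything the host is listening on. Service names (W3SVC, MSSQLSERVER, MSSQL$<instance>) and the WebAdministration module are the standard Microsoft ones; the severity labels are this example's own judgement.

```powershell
# Added example: audit a Windows host for the risk indicators in the post.
# Not the poster's or the vendor's code. Requires PowerShell 3.0+ and an elevated session.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Severity, [string]$Check, [string]$Detail)
    # $findings is a reference type, so Add() from inside the function updates the caller's list.
    $findings.Add([pscustomobject]@{ Severity = $Severity; Check = $Check; Detail = $Detail })
}

# 1. Domain role. Win32_ComputerSystem.DomainRole: 0/1 workstation, 2/3 member server,
#    4 backup domain controller, 5 primary domain controller.
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$isDc = $cs.DomainRole -ge 4
if ($isDc) {
    Add-Finding 'Critical' 'DomainRole' ("Host is a domain controller for '{0}' (DomainRole={1}); code execution here is domain compromise." -f $cs.Domain, $cs.DomainRole)
} else {
    Add-Finding 'Info' 'DomainRole' ("Host is not a domain controller (DomainRole={0})." -f $cs.DomainRole)
}

# 2. Services that should not share a box with AD DS: IIS (W3SVC) and any SQL Server instance.
$colocatedSeverity = if ($isDc) { 'High' } else { 'Medium' }

$iis = Get-Service -Name 'W3SVC' -ErrorAction SilentlyContinue
if ($iis) { Add-Finding $colocatedSeverity 'IIS' ("W3SVC present, status {0}." -f $iis.Status) }

$sql = Get-Service | Where-Object { $_.Name -eq 'MSSQLSERVER' -or $_.Name -like 'MSSQL$*' }
foreach ($s in $sql) { Add-Finding $colocatedSeverity 'SQL' ("{0} present, status {1}." -f $s.Name, $s.Status) }

# 3. Identity of each IIS application pool. A DC has no local accounts, so even
#    NetworkService/ApplicationPoolIdentity is a domain principal there; LocalSystem is worst.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    foreach ($pool in Get-ChildItem IIS:\AppPools) {
        $id  = $pool.processModel.identityType
        $sev = if ($id -eq 'LocalSystem') { 'Critical' } elseif ($isDc) { 'High' } else { 'Info' }
        Add-Finding $sev 'AppPoolIdentity' ("App pool '{0}' runs as {1}." -f $pool.Name, $id)
    }
} else {
    Add-Finding 'Info' 'AppPoolIdentity' 'WebAdministration module not available; check app pool identities in IIS Manager.'
}

# 4. Every TCP listener. Without a DMZ all of these are reachable from the internal network;
#    the proposed firewall rule only decides which of them the internet reaches as well.
netstat -ano -p TCP | Select-String 'LISTENING' | ForEach-Object {
    $fields = ($_.Line -replace '\s+', ' ').Trim().Split(' ')   # TCP <local> <remote> LISTENING <pid>
    $local  = $fields[1]
    $owner  = $fields[-1]
    $proc   = (Get-Process -Id $owner -ErrorAction SilentlyContinue).ProcessName
    Add-Finding 'Info' 'Listener' ("TCP {0} owned by pid {1} ({2})" -f $local, $owner, $proc)
}

$findings |
    Sort-Object { switch ($_.Severity) { 'Critical' { 0 } 'High' { 1 } 'Medium' { 2 } default { 3 } } }, Check |
    Format-Table -AutoSize
```

Any 'Critical' or 'High' row is a property of the host's role and placement, not of its transport encryption: a certificate on port 443 changes none of these findings, which is the point the post is making.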