
Yay! I set up my PC as my own Webserver


Yea, I had to port forward my router to my newly setup static IP address of my PC on my LAN.

This was just experimental. I don't think I am going to dump my provider... I have people using e-mail accounts and a live forum. I don't know enough about IIS7 to risk losing all that info trying to run it from my desktop.


That should be a secure setup then. It's VERY difficult to launch an attack over port 80, as IIS has a constant hook on that port, and therefore all requests that come through it. If a request is not a valid web command, that request is tossed.
 
I don't know about these days but years ago with older versions of IIS it was HIGHLY exploitable.
 
That should be a secure setup then. It's VERY difficult to launch an attack over port 80, as IIS has a constant hook on that port, and therefore all requests that come through it. If a request is not a valid web command, that request is tossed.

Umm, only if you don't do anything but serve static HTML.

Execute anything "custom" on the server (like JSP, generated pages, old-style CGI, etc.), and you have to design it specifically for the dirty environment or THAT can be used to exploit. It's an enormous hole in the firewall, that can be arbitrarily large if the designer screwed up and let a buffer overflow (for instance). It's surprisingly easy to get access to a command interpreter (including the Java virtual machine) through that type of hole. The issue is not necessarily the visible program -- these days, most of that has been offloaded to the client -- but rather the server code assembling it.

This is not something to be done casually. You MUST be aware of the implications of what you are doing here, and it is far worse than a simple desktop.

As for Microsoft quality, it's VERY clear where the development effort has gone -- it's in "bling," rather than the more important nuts and bolts such as performance and security. It's more important to have windows fade in a pretty fashion than to have a registry that doesn't corrupt. And external review is simply not possible because Microsoft keeps their several-million LOC source code well hidden. And the size is unmaintainable with an infinite number of software engineers.

The example of Google has been given. Those guys run an ARMY of programmers on their webservers, all built upon Apache running on Linux. Not Microsoft. For a reason.
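An added example, not written by anyone in this thread: one way the "design it for the dirty environment" point applies to the old-style CGI case named above. A request can be perfectly valid HTTP and still carry an oversized or malformed parameter, so the handler itself has to bound and validate what it copies. The names `get_param` and `hexval` and the sample query strings are hypothetical.

```c
#include <ctype.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/*
 * Copy the percent-decoded value of parameter `name` from a CGI query string
 * (constructed sample: "user=bob&page=2") into out[outlen].
 * Returns the decoded length, or -1 if the parameter is missing, does not
 * fit, or holds a malformed escape or a control character (NUL, CR, LF...).
 */
int get_param(const char *query, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name), n = 0;
    const char *p = query;
    if (outlen == 0) return -1;
    while (*p) {
        const char *end = strchr(p, '&');
        if (!end) end = p + strlen(p);
        /* Exact name match only: "user" must not match "username=". */
        if ((size_t)(end - p) > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            for (p += nlen + 1; p < end; p++) {
                int ch = (unsigned char)*p;
                if (ch == '+') ch = ' ';
                else if (ch == '%') {
                    int hi, lo;
                    if (end - p < 3) return -1;           /* truncated escape */
                    hi = hexval((unsigned char)p[1]);
                    lo = hexval((unsigned char)p[2]);
                    if (hi < 0 || lo < 0) return -1;      /* not hex */
                    ch = hi * 16 + lo;
                    p += 2;
                }
                if (ch < 0x20 || ch == 0x7f) return -1;   /* control bytes */
                if (n + 1 >= outlen) return -1;           /* keep room for '\0' */
                out[n++] = (char)ch;
            }
            out[n] = '\0';
            return (int)n;
        }
        p = *end ? end + 1 : end;
    }
    return -1;
}
```

The failure mode the post warns about is the same loop without the `outlen` check: the web server accepts the request, and the overflow happens in the handler behind it.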
 

IIS performance and security are just as good as Apache's. That's a FACT. And there are many benefits to using IIS. Verizon and Wal-mart are two companies that rely on IIS, not Apache. Also, for a reason.

I assume most people running webpages on a home PC are serving static HTML. And dynamically served sites are not as easy to compromise as you think. New features like garbage collection make buffer overflows rare if not impossible. By the way, Microsoft has made most of their architecture visible in the new .NET framework. Maybe you'd like to take a crack at my web server through port 80, since it's so easy??

Corrupt registry? Maybe in Windows 95. We run thousands of Windows Servers at work and have never had that issue. They run for years on end without any problems.
 
I am going to agree with Micheal on this and stay out of it, but I would never use a Microsoft product for a server and expect it to be secure.
 
I run Apache because 1- It's free and open source, 2- it works, and 3 - is secure because there is a development community working to keep it that way.
 
Corrupt registry? Maybe in Windows 95. We run thousands of Windows Servers at work and have never had that issue. They run for years on end without any problems.

Evan, you're missing the point that the environment discussed here is NOT what you have at work.

Do people use the webservers as desktops? Are they integrated in the same network? If not, the vulnerabilities are not the same. If you don't have users installing new software, you don't expose yourself to the same kinds of problems.

Registry corruption was an issue for Windows 2000 -- after some 15 years of product lifetime -- and I abandoned it in my lab because of that. Assuming there aren't other 15 year old latent bad-design issues in millions of lines of code is foolish. It was an issue because MS in their infinite wisdom so hamstrung "normal" users that everyone had to be an "Administrator" or "Power User" to actually get stuff done (like, say, burn a CD), and this exposed the registry to every program run. And it is just an example. MS is notorious for quality and performance problems. And they deserve that rep.

No, I'm not going to take shots at your webservers. I like looking at prisons from the outside.

The point I've been trying to make is, use a DIFFERENT host from the desktop for this type of experimentation. Do you consider this to be bad advice? It's considered to be security best-practice, and I certainly hope the systems you work on conform.
 


I'm talking about my personal web server (with dynamic pages) which I have run on my desktop for years without issues. I promise I won't press charges if you want to attempt an attack. :icon_twisted: Like I said, a modern version of IIS running a .NET 2.0+ framework is VERY hard to compromise.

I mentioned the work environment to show that Windows Server is very reliable.

You say Microsoft is known for poor performance, but I can assure you that IIS performs just as well as Apache, and SQL Server performs just as well as Oracle, MySQL, and DB2. That's not my opinion. It's from detailed, real life performance metrics myself and others have run and analyzed.


I am going to agree with Micheal on this and stay out of it, but I would never use a Microsoft product for a server and expect it to be secure.

Like I said, MANY financial companies use Microsoft server products in an environment that demands strict security.
 
Doesn't matter how secure you think you actually are or what web server you think is the best. MAKG is exactly right, you don't use your desktop computer as a web server. It's not practical, it's much better hosted elsewhere. That is proven security (so your desktop can't be hacked) and they typically have a 99% uptime. Plus, you're not relying on your private internet connection for public use. IMO.

Pete

Edit:
FWIW, The majority I deal with at work is Apache/Linux servers.
 
Never use your primary PC as a webserver.
The kind of traffic an average joe website such as yours would use would never exceed the capabilities of even an old Pentium 1 box. You can find these for free. Why not craigslist a 100-200$ computer to handle this?

Secondly, don't use Windows. Ok, well I suppose you can, but that brings us back to the first point. It's not your primary PC, and a small P1 or P2 isn't going to run Vista. Why not install Linux? BSD maybe? There are builds made ESPECIALLY for this (and for using a PC as a router, or even a firewall, I might add). That, and it pretty much will never crash with what you are using it for. I set up an old Packard Bell P1 100 MHz with a Slackware server...and the bottleneck was still the internet speed.

IMHO though, webhosting has come down so much recently, I'd rather let them do it and worry about it.
 
Why not craigslist a 100-200$ computer to handle this?


Because I can buy a couple cases of beer for $200, and not have the additional power and space consumption of another box.

I have run a database-driven, ASP site on my desktop for years!!!

Sure, you can have someone else host the page, but it gives you less control, and you don't learn as much. And that annual fee could buy a few more cases of beer.
 


or, don't drink beer.
 
seriously, what good is drinking beer. you get the beer farts, the beer runs (and i don't mean going to the store) beer breath, bitter beer face, beer piss every 5 min, your wallet is $200 lighter after a night on the town drinking beer, the possibility of DUI, and the inevitable "hold my beer and watch this" 5 min before wrecking what ever gas powered toy you were playing with.........



Beer bad.
 


With moderation, you don't have to worry about any of those things. :beer:
 
