IIS .Net Solutions and Developers

Have a question or want to start a discussion? Post it! No Registration Necessary.  Now with pictures!

Threaded View
Hello,

The company is on the .Net solutions push company wide which will be
implemented sometime in the near future. Of course, one of the big
concerns is IIS running on a developer's workstation. The one thing I
have heard is using the IIS Lockdown Tool to secure the developer's
workstation, which I have used in doing some .Net Training here at home.
The Lockdown Tool stopped any development work I was doing with ASP.NET
and IIS and I had to unlock IIS to continue development work.

The person who is basically a Training person is involved with the
decision making process with Systems and Tech Support, which I started
talking with about using IIS and .Net from a developer's standpoint.

It's just like with InterDev that was installed on my machine. I cannot
fully use InterDev to debug and ASP application from my workstation,
because IIS is not on the workstation and one must go through some Mickey
Mouse routine by debugging an ASP application on the DEV Web server using
response.write and other means, instead of being able to use the
debugging tools in InterDev.  

Like the Training person indicated they are concerned about FTP services
and shutting it down or a contractor coming in and hacking IIS on a
developer's machine. There is also laptop workstations that leave the
building using VPN work situation etc., etc, which PFW for dial-up users
or NAT router is used supplied by the company.

I would like to get a little feed back from the NG concerning the
security issues and possible solutions and/or workarounds. As I would
like to avoid the situation the developers face with using InterDev when
..Net is deployed to the developer's workstation and it cannot be used to
its fullest capabilities as a development tool.

Thanks

Duane :)


Re: IIS .Net Solutions and Developers
notme@notme.com says...
Quoted text here. Click to load it

Everyone of our development centers, every team member, has either
Windows 2000 Prof, Windows XP Prof, or Windows 2000 Server installed on
their workstation. They run/develop a local copy of the part they are
working on, check it into source-safe, the Solutions Architect moves it
to the test server and test it against the spec's. Once it's tested on
the test server it's moved to the QA server for testing by the QA team,
from there, if it passes, it's moved to the customers QA server (another
one of our servers) for testing by the customer. If it passes that test
it's provided to the customer - all this is happening 24/7 in real time.

Not having IIS on your development station is a hindrance and increases
development time.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)


Re: IIS .Net Solutions and Developers

Quoted text here. Click to load it

I agree too. I have written an email about this issue to my boss and to
the Training person. Maybe, someone will listen before the
implementation. I kind of doubt it.

Duane :)



Re: IIS .Net Solutions and Developers

Quoted text here. Click to load it

Is that the risk or is the risk of others getting at the workstation via
IIS?
Can't you setup IIS to use loopback as it's IP address for the default site?
Would that make IIS invisible on your network?





Re: IIS .Net Solutions and Developers

Quoted text here. Click to load it

The concern is having IIS open on the LAN for developer machines so that
they can be compormised by a contractor that has gone wild????????

Duane :)


Re: IIS .Net Solutions and Developers

Quoted text here. Click to load it

OK, so then if the IIS service on the developer PC is using Loopback,
then shouldn't it be invisible on the LAN?




Re: IIS .Net Solutions and Developers
says...
Quoted text here. Click to load it

If you set it so that IIS can only be accessed from 127.0.0.1 or from
the host name of the computer, then it can't be accessed from the rest
of the lan - simple restriction.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)


Re: IIS .Net Solutions and Developers

Quoted text here. Click to load it

Well, the guy responded to my email about the whole situation. His
response was he has tired ASP.Net with IIS locked down on his machine and
he didn't have any problems. As far as I am concerned, he and Systems are
in left field on this one and we will see what happens. I'll keep the
Loopback IP solution is mind. They have already made up their minds until
they are forced to change.

Duane :)


Site Timeline