Web Server behind ZoneAlarm?

I recently subscribed to a cable broadband connection and want to run a web server on my XP machine. I am already running ZoneAlarm Pro. What do I have to do to allow access to my web server without unreasonably compromising security? From what I read, I have to open port 80 in ZoneAlarm, but how does this affect security?

thanks

Reply to
Anthony

Thanks to all who replied to my posting. I should clarify what I meant by "web server". I don't want to run a full-blown web server like IIS. All I want is to install a webcam software with an internal web server so that I can keep an eye on my home from work. In fact the web server will be password-protected. Given this information, do I still have to open port 80 in ZoneAlarm? And, if so, what risks are involved?

thanks

Brian Cryer wrote:

Reply to
Anthony

"Anthony" wrote in news:1131018827.223584.183530 @g47g2000cwa.googlegroups.com:

The fact that you're trying to use ZA to protect a Web Server is already the problem. The fact that you have not done your homework on securing the XP O/S, the registry, file system, user accounts and IIS for an NT-based O/S being exposed to the public Internet is a security problem. And the fact that you don't have the machine behind a NAT router to protect it is a problem.

You're nothing but hack bait and you should look into a *secure* WEB hosting service. IT professionals have problems trying to secure a machine running IIS exposing it to the public Internet.

Duane :)

Reply to
Duane Arnold

It's truly not worth the hassle to run a webserver off your own home PC. Unless you are REALLY knowledgeable in network security, offering HTTP access to your PC is just begging to be hacked.

Your provider most likely offers webspace for no additional charge. I would go that route instead, as you don't expose your OWN PC to the world.

Reply to
Ryan P.

A hardware device (NAT router) is preferable to ZoneAlarm. In theory I don't see anything wrong with using ZoneAlarm, but it/you may have opened ports for other services that you don't want exposed to the internet. When I went broadband at home and put in a NAT router (as well as enabling me to share broadband between PCs) I observed that the number of attacks ZoneAlarm detected dropped to zero and stayed there.

Back to your question, yes, it should be just port 80. However, broadband providers vary and I gather that some block port 80 to prevent you from running a webserver. This isn't an issue, it just means you move to a different port. You will also need a way of allowing others to identify your PC on the internet. If your IP address is static then this won't be a problem, but if it changes (or isn't guaranteed as static) then you'll save yourself a lot of aggro by signing up for a dynamic DNS service - take a look at

formatting link
their free service is great.

Something else to remember with broadband is that the upload speed is much much slower than your download speed. This means that it probably won't be suitable for web hosting if you get more than a couple of visitors at a time. So fine for a small hobby site or as a "play thing", but not much else.

Hope this is useful.

Reply to
Brian Cryer
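
The check behind the point above about other ports being open besides 80, as an added example that is not part of the original thread: it parses Windows `netstat -ano` output and lists every TCP listener that is not bound to loopback and is not on an intended port. The sample output, the function names and the default allowed port list are assumptions made for illustration.

```python
# Added example: audit `netstat -ano` output for listeners reachable from the network.
import ipaddress

# Constructed sample of Windows `netstat -ano` output (not taken from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1480
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       1712
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1050      203.0.113.7:80         ESTABLISHED     2044
  UDP    0.0.0.0:445            *:*                                    4
"""


def parse_listeners(text):
    """Return (address, port, pid) for every TCP socket in LISTENING state."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows for TCP have exactly five columns; headers and UDP rows do not.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        host, _, port = fields[1].rpartition(":")
        # IPv6 locals look like [::]:80 or [fe80::1%4]:445; drop brackets and zone id.
        host = host.strip("[]").partition("%")[0]
        listeners.append((ipaddress.ip_address(host), int(port), int(fields[4])))
    return listeners


def unexpected_exposure(text, allowed_ports=(80,)):
    """Listeners that are not loopback-only and not on a port meant to be public."""
    return sorted(
        (str(addr), port, pid)
        for addr, port, pid in parse_listeners(text)
        if not addr.is_loopback and port not in allowed_ports
    )


if __name__ == "__main__":
    for addr, port, pid in unexpected_exposure(SAMPLE_NETSTAT):
        print(f"review: TCP {addr}:{port} (PID {pid}) is reachable from the network")
```

Each reported port is one the firewall or router must keep closed to the internet; the PID column identifies the owning process in Task Manager.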

Please don't do so. If you know so little about networking and security, it's unjustifiable and fly-by-night to offer web services to the Internet.

Please order a cheap webserver from a provider who does know enough.

Yours, VB.

Reply to
Volker Birk

Please _do_ _not_ _do_ this. You're putting at risk not only yourself, but many other people when your box is abused.

To implement such a functionality, you additionally need knowledge about cryptography.

Yours, VB.

Reply to
Volker Birk

Ok then, where do I get a license to use the Internet?

Reply to
Anthony

This is exactly what I am trying to do, but instead of helping me understand the concept you keep saying "don't do it".

Reply to
Anthony

At the IANA, where else? ;-) Just kidding, of course.

Look, Anthony, what I'm doing I'd call "begging". I'm doing it, because today so many Windows boxes are being abused as bots, that there really is no need for your PC to join in.

If you want to have a server, you could rent one for a really cheap price today. If you want to drive your own server, please learn how the technics behind this work first.

OK?

Yours, VB.

Reply to
Volker Birk

The short answer is Yes.

The long answer you've already been given. Something I forgot about was the number of security holes in IIS (Apache is better, but I'm sure it has its own set of security holes). I've not played with password protecting IIS - it must help.

Reply to
Brian Cryer

IIS has password protection built in. No need to look into cryptography.

Reply to
Brian Cryer

(snip)

This is a really really good point. However it has wider scope than just whether or not you run a webserver, because it affects any PC that is connected to the internet.

Presumably, a regular sweep with the various malware products will help? I know that anti-virus typically doesn't pick up on malware. Other ideas?

Reply to
Brian Cryer

Check the stats, there are more compromised Apache servers online around the world than IIS servers :)

IIS, if properly managed, like Apache, is secure. We've done public IIS sites for Fortune 100 companies and they've never been compromised. It's about the layers of security you set up.

Most ISPs don't allow (residential accounts) to run web servers, but they don't complain when people run SSL only access web servers.

Reply to
Leythos

Interesting, I'd always assumed Apache was safer. I stand corrected.

Reply to
Brian Cryer

Books that may help:

TCP/IP by Craig Hunt.
UNIX Network Programming by Richard Stevens (for a deeper insight).
Books by Bruce Schneier about cryptography.

Web sources:

formatting link
(especially 791 - 793 at least)
formatting link
Yours, VB.

Reply to
Volker Birk

What interest do I have in making up facts?

IIS 4 and IIS 5 were securable if you understood what you were doing with them. Many companies run IIS sites all the time, public facing, and have no problems with them. As I said, there are a number of Large companies that have no issues with IIS, as there are companies with no issues with Apache, but, both platforms suffer from NOOB installation problems.

You really need to grow up and learn to research before you start making your BS statements again.

Why would I lie?

Just because you don't like me VB, because you've been unable to prove that your POC script proves anything, is no reason to not take a couple minutes to search Google and look at the info.

Reply to
Leythos

Unfortunately, the problem you seem to address is not solvable at all.

Yours, VB.

Reply to
Volker Birk

Oh-my-FSM.

VB.

Reply to
Volker Birk

You don't.

IIS was terrible in security purposes, and I bet "Lythos" is just lying. IIS in the newest release, version 6, is the very first release of a web server from Microsoft, which seems to be as secure as needed.

Apache has its own flaws, though.

Yours, VB.

Reply to
Volker Birk
