
Do you recommend running apache on windows 3

Status
Not open for further replies.

JCrou82

Programmer
Aug 23, 2002
265
US
I have a prospect client who will be using a Windows machine, even though I had pleaded with them to go to Linux instead, as a web server. Right now they are hosting on Earthlink and want to bring the hosting inside. I suggested against it, but that's what they want to do. In any event, I know that I can set up IIS as a web server and it's pretty simple to do. I would rather set up Apache to run as the web server. I know that Apache can run on Windows, but is it worth doing? Also, will IIS attempt to interfere with Apache and want to become the primary web server app as opposed to allowing Apache to run? I've set up Apache on a home Windows machine and a laptop, but never anything on a server that is going to be live on the web. What requirements should this server meet for it to be a viable web server? They have a T1 connection, so I'm not too concerned about that. If you have any other suggestions or comments regarding moving a site from the outside to in-house hosting, please let me know.

Thanks guys.....Tek-tips is def the place to go.
 
Been doing it for a year with another broadband ISP. I run a Windows OS on a 400 MHz machine with 384 MB RAM with no problem.

Windows has its many holes, so get SP3 and all the latest updates and security recommendations. A good firewall and virus package helps a great deal.

Apache is much better than IIS and more secure. It works fine and can handle the traffic. Install Apache and uninstall IIS. If you don't have IIS on the machine, it reduces the security risks and foils hackers who attempt to exploit your server that way.

I paid a hosting company for 2 of my 5 domains, but they were unresponsive when I tried to find out why they lost service every summer for a few days (unreturned phone calls). They also billed me for a year's hosting renewal one month after I pulled the domain from them. Now I host these sites on my PC for $300 less per year. (The sites were on Linux, which was better in many ways, but they work fine with Windows).

Newposter
"Good judgment comes from experience. Experience comes from bad judgment."
 
Thank you. Quick question: what version of Windows were you using, and what virus protection package did you install? Also, are there any other issues to be prepared for, such as opening any special ports? How did you get your domains pointing to your server? Is that an ISP issue, or did you have to set up your own DNS server as well? Also, I read about MX records. What are they, and do I need to worry about this if I have to set up my own DNS server, or would the ISP have to handle that if they do the DNS?

Thanks again
 
I'd rather not say what brand of protection software (I average 5-10 hack attempts a day), so as not to make it easier for someone to get in. However, I've never found evidence of successful hacking. I run Win2K Pro with updates. Settings on firewall are generally default to block all Trojan horses, block unused port scans.

The company that registers my domain allows me to manage my account, so I enter my IP address and mail server name (MX record) there. That company's DNS resolves the name to the IP address, so I don't run the DNS software.

Newposter
"Good judgment comes from experience. Experience comes from bad judgment."
 
Some advice. Put a firewall in front of that server. Only allow HTTP access through to the webserver on port 80. Patch the Windows box. That way you don't have to worry about viruses on the webserver (unless they come from inside the network. If that's a threat, then I suggest putting the webserver in a DMZ). The only thing you would have to worry about are direct attacks against your webserver (like Code Red and Slapper). You can also set up an IDS (intrusion detection sensor) in between your firewall and webserver to notify you of any attacks that happen.

Firewall? Check out . They have several hardware firewalls of all shapes and sizes. I'm sure one might fit your needs.

Just some friendly advice...

Also, MX records are only used if you're hosting a mail server on that domain.

Let me know if you have any more questions!
 
One more thing too. Kill all unnecessary services on the windows webserver. Get rid of everything you don't need. If it doesn't exist, then there's no vulnerability right? Like Newposter said though, if you're going to run apache on windows....get rid of IIS. It has too many holes.

Remember, just because you have a firewall, that doesn't mean you're safe. Attacks can still run right through port 80 and hit the webserver, so you need to harden the OS and webserver apps on the webserver machine.

Hope this helps a little!

PS - I'm running Checkpoint's FW-1 on for my firewall, with an apache webserver (on linux) behind it. My firewall blocks 10-20 attacks every day. Then there's the Slappers and Code Reds. Think security!
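A way to check the "get rid of everything you don't need" advice above, as an added example that is not part of the original thread: it parses `netstat -an` output from the web server and reports every listener other than TCP 80. The sample output, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample of `netstat -an` output from a Windows web server.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING
  TCP    192.168.50.10:139      0.0.0.0:0              LISTENING
  TCP    192.168.50.10:80       203.0.113.7:51522      ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.50.10:137      *:*
"""

# The only service this box is meant to expose, per the advice in the thread.
ALLOWED = {("TCP", 80)}

# proto, local address, local port, foreign address, optional state (UDP has none)
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def listeners(text):
    """Return {(proto, local_addr, port)} for sockets accepting traffic."""
    found = set()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # headers and blank lines
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established sessions are not open services
        found.add((proto, addr, int(port)))
    return found

def unexpected(text, allowed=ALLOWED):
    """List listeners that are not on the allowlist, with their reachability."""
    report = []
    for proto, addr, port in sorted(listeners(text)):
        if (proto, port) in allowed:
            continue
        reach = "loopback only" if addr.startswith("127.") else "network reachable"
        report.append((proto, port, addr, reach))
    return report

if __name__ == "__main__":
    for proto, port, addr, reach in unexpected(SAMPLE):
        print(f"{proto}/{port} on {addr}: {reach}")
```

Each reported entry is a service to disable or, failing that, a port the firewall in front of the server must not pass.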
 
Thank you both for your posts. Very useful information. Currently they have email from Earthlink that is then "somehow" routed to their in-house Microsoft Exchange server where they then grab their emails from their client stations. I might then need to set up MX records. How would I go about doing that? Is there a site somewhere that I can be pointed to? Also, if I have to have DNS myself (what is the definition of DNS?), is it just some software that I run on a server or is there more to it?

- sgtB, what do you mean by "patching" the box? I'm pretty sure I won't have to worry about threats from inside since they have a Network Admin to take care of that, but what is DMZ and what does it do?

- sgtB, what is a code red or a slapper? Who do I block against it? Is IDS a hardware or software component?

I'll continue my research, but the more answers I get the better equipped I will be.

Thank you all in advance
 
DNS = Domain Name System.

Setting up MX records is different for each DNS hoster. If you host it yourself, you just add a line to a file, or if the DNS server is Windows or Novell or something graphical, you just click around somewhere in some programs. And yes, DNS is just another server program like Apache. The most common DNS server is BIND, for more information.

Patching the box means that you should keep the programs updated, so you update whenever there is a new threat discovered (or when there is a new version for some other reason).
Code Red and slapper are just two of the bazillion worms/viruses out there. If you just keep your system up to date and have some antivirus program, these shouldn't affect you. They may still try and attack you though.
//Daniel
 
IDS's are devices used to monitor network traffic and alert you to possible attacks. My favorite is a program called snort. Snort runs on *nix platforms (it may run on windows...not sure). It will tell you if a server is being attacked, and from that point you'll need to take appropriate action.

DNS can be tricky sometimes. If you really want to learn about it, you'd be better off reading a book on it. "DNS and BIND" from O'Reilly or "DNS on Windows 2000" from O'Reilly would be great to start you off. It's a pretty quick read, and should answer most of the basics for you.

When a product is born, the bad people out there try to find different vulnerabilities out there to exploit the product. Once exploits are found, they'll distribute them to the "hacker" community. The software vendor then needs to come up with a patch to distribute to their customers so they will no longer be vulnerable to these exploits. Thus the term "patching". It's always important to keep up to date as new vulnerabilities are coming out constantly. is a great site to read up on the latest vulnerabilities.

A DMZ (demilitarized zone/screened subnet) is a network that is separate from your LAN that is guarded by the firewall. In its simplest form, the firewall would have 3 interfaces. One points to the LAN, one to the internet, and one to the DMZ. The firewall can then control/filter traffic to the DMZ and LAN in a more effective manner. This way if external users need to access your webserver, then they never step foot on to your LAN...instead they go to your DMZ. DMZs can be protected via IDS systems more effectively, as they do not have to filter all the standard LAN traffic. Also, if one of your webservers is compromised (hacked) the threat to your LAN is minimized, as the webserver is not even part of that LAN, and still needs to traverse the firewall to gain access to the LAN.

Reading up on standard security would probably help you out quite a bit. Check out "Inside Network Perimeter Security". It's an excellent book that covers everything, and gives great examples. It's a pretty big book but well worth it.
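The three-interface DMZ layout described above, modelled as a first-match rule table with default deny (an added example, not part of the original thread and not any firewall product's syntax). The subnets, the web server address and the LAN-outbound rule are assumptions made for illustration.

```python
import ipaddress

# Constructed addressing for the LAN and DMZ interfaces; everything else
# is treated as the Internet-facing interface.
ZONES = {
    "lan": ipaddress.ip_network("192.168.1.0/24"),
    "dmz": ipaddress.ip_network("192.168.50.0/24"),
}
WEB_SERVER = ipaddress.ip_address("192.168.50.10")

def zone_of(addr):
    """Map an address to the firewall interface it sits behind."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

# (src zone, dst zone, dst host or None, protocol, dst port or None, action)
# First match wins; a flow that matches no rule is denied.
RULES = [
    ("internet", "dmz", WEB_SERVER, "tcp", 80, "allow"),   # public web traffic
    ("lan", "dmz", WEB_SERVER, "tcp", 80, "allow"),        # staff browsing the site
    ("lan", "internet", None, "tcp", None, "allow"),       # assumed outbound policy
    # No rule starts in the DMZ: a compromised web server cannot open
    # connections into the LAN.
]

def decide(src, dst, proto, port):
    """Return 'allow' or 'deny' for one flow crossing the firewall."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    dst_ip = ipaddress.ip_address(dst)
    for r_src, r_dst, r_host, r_proto, r_port, action in RULES:
        if (r_src, r_dst, r_proto) != (src_zone, dst_zone, proto):
            continue
        if r_host is not None and r_host != dst_ip:
            continue
        if r_port is not None and r_port != port:
            continue
        return action
    return "deny"

if __name__ == "__main__":
    flows = [
        ("203.0.113.7", "192.168.50.10", "tcp", 80),    # visitor to web server
        ("203.0.113.7", "192.168.1.20", "tcp", 80),     # visitor straight to LAN
        ("192.168.50.10", "192.168.1.20", "tcp", 445),  # web server to LAN host
    ]
    for flow in flows:
        print(flow, "->", decide(*flow))
```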
 
ALL I HAVE TO SAY IS THAT TEK-TIPS IS A BEAUTIFUL THING!!!!!!

Thank you all for your posts. I feel rich with knowledge and confident that I now have a stable stepping stone to continue my research. I have a lot of catching up to do on my reading as supplied by the tek-tip members. I should be meeting with the prospect client in another week so I have a lot of learning to do by then.

Once again, I thank you all for your posts and I will keep you updated as to what happens. You've all been very helpful!!!
 