
IIS webserver on home server, security?

EdwinX

Hi,

 

I recently bought a domain, I have a home server that runs on Windows 2016, I made an IIS server and port forwarded ports 80 and 443 to the server on my router. I connected my domain to my IIS home server and it all works.

 

I'm wondering what security issues I might run into. I've heard I should be running it on a DMZ, but is there any way to do that without buying a dedicated firewall? Is there a way of doing it by just toughening up my home server's firewall and only letting port 80 and 443 send and receive?

 

Thanks!


Couple of things I need to ask:

 

  1. Who did you register your domain with?
  2. Do you have a static IP?
  3. Is the server VM or running on an actual PC?
  4. Do you have an SSL certificate already?

 

Reason for asking which registrar you're with, you need to point your IP address to the domain, or you could host a website with them. 

CPU: AMD Ryzen 5 5600X | CPU Cooler: Stock AMD Cooler | Motherboard: Asus ROG STRIX B550-F GAMING (WI-FI) | RAM: Corsair Vengeance LPX 16 GB (2 x 8 GB) DDR4-3000 CL16 | GPU: Nvidia GTX 1060 6GB Zotac Mini | Case: K280 Case | PSU: Cooler Master B600 Power supply | SSD: 1TB  | HDDs: 1x 250GB & 1x 1TB WD Blue | Monitors: 24" Acer S240HLBID + 24" Samsung  | OS: Win 10 Pro

 

Audio: Behringer Q802USB Xenyx 8 Input Mixer |  U-PHORIA UMC204HD | Behringer XM8500 Dynamic Cardioid Vocal Microphone | Sound Blaster Audigy Fx PCI-E card.

 

Home Lab:  Lenovo ThinkCenter M82 ESXi 6.7 | Lenovo M93 Tiny Exchange 2019 | TP-LINK TL-SG1024D 24-Port Gigabit | Cisco ASA 5506 firewall  | Cisco Catalyst 3750 Gigabit Switch | Cisco 2960C-LL | HP MicroServer G8 NAS | Custom built SCCM Server.

 

 


2 minutes ago, Abdul201588 said:

Couple of things I need to ask:

 

  1. Who did you register your domain with?
  2. Do you have a static IP?
  3. Is the server VM or running on an actual PC?
  4. Do you have an SSL certificate already?

 

Reason for asking which registrar you're with, you need to point your IP address to the domain, or you could host a website with them. 

I'm using namecheap, I do have a static IP, the server is running on an actual PC and I'm setting up the SSL certificate right now. I'd like to use my own server for it to keep the cost down, I'm just wondering how I should make it as secure as possible.


2 minutes ago, UvularCarp said:

I'm using namecheap, I do have a static IP, the server is running on an actual PC and I'm setting up the SSL certificate right now. I'd like to use my own server for it to keep the cost down, I'm just wondering how I should make it as secure as possible.

Alright. In terms of your SSL, did you buy it or are you using a self-signed? If you want to access your website from outside, web browsers will not recognise your self-signed SSL certificate.

 

Also, if you want to test your SSL level you could go to this site. https://www.ssllabs.com/ssltest/


1 minute ago, Abdul201588 said:

Alright. In terms of your SSL, did you buy it or are you using a self-signed? If you want to access your website from outside, web browsers will not recognise your self-signed SSL certificate.

 

Also, if you want to test your SSL level you could go to this site. https://www.ssllabs.com/ssltest/

I bought the SSL, PositiveSSL from comodo.


Just now, UvularCarp said:

I bought the SSL, PositiveSSL from comodo.

That's good. All you need to do is point your domain to your IP address in the DNS setting. Go to your control panel, in your case, namecheap.com. 

 

If you need any more help, PM me. :)


1 minute ago, Abdul201588 said:

That's good. All you need to do is point your domain to your IP address in the DNS setting. Go to your control panel, in your case, namecheap.com. 

 

If you need any more help, PM me. :)

Thank you! But I'm wondering more in terms of security, the flaws of IIS and the risks of hosting a server on my own network. 


6 minutes ago, UvularCarp said:

Thank you! But I'm wondering more in terms of security, the flaws of IIS and the risks of hosting a server on my own network. 

Server 2016 I believe has most of the security flaws fixed. Back with Server 2012/R2 they were using old ciphers and old methods of encrypting. Just make sure you don't download anything on the server or within your network. I'm using Windows Server 2012, which is running my Exchange server, I ran into problems where my emails would get rejected because of low level of security. Now that's fixed it works fine. :)


20 minutes ago, Abdul201588 said:

Server 2016 I believe has most of the security flaws fixed. Back with Server 2012/R2 they were using old ciphers and old methods of encrypting. Just make sure you don't download anything on the server or within your network. I'm using Windows Server 2012, which is running my Exchange server, I ran into problems where my emails would get rejected because of low level of security. Now that's fixed it works fine. :)

Ah, well my server is open to the internet through the ports 80 and 443, could an attacker get in to my PC through that or in through my FTP and infect my whole home network?


11 minutes ago, UvularCarp said:

Ah, well my server is open to the internet through the ports 80 and 443, could an attacker get in to my PC through that or in through my FTP and infect my whole home network?

Your ports will be opened on the server, not your PC. You'll be okay. :) 


1 minute ago, Abdul201588 said:

Your ports will be opened on the server, not your PC. You'll be okay. :) 

Ah, well, yes on my server. Could they get in to my server in that way and infect the rest of my network?


4 minutes ago, UvularCarp said:

Ah, well, yes on my server. Could they get in to my server in that way and infect the rest of my network?

Like I said, if you don't download anything wrong from shady sites or visit them, you'll be fine. Just make sure you're using SSL.


Just now, Abdul201588 said:

Like I said, if you download anything wrong shady sites or visit them, you'll be fine. Just make sure you're using SSL. 

Alright, thank you!


Just now, UvularCarp said:

Alright, thank you!

No problem. What are you planning to do on your website? :) 

 

 


Just now, Abdul201588 said:

No problem. What are you planning to do on your website? :) 

 

 

I'm gonna make it a personal screenshot hosting, sort of like how prnt.sc and gyazo works, and then probably some small projects that I haven't decided on yet :)


When I read this I wasn't sure they still made IIS.. I haven't heard anyone talk about it since 2005. Nobody uses it as a server. It's not 9% market share presumably.

 

It's fine for home use but.. wow.

"Only proprietary software vendors want proprietary software." - Dexter's Law


17 minutes ago, jde3 said:

When I read this I wasn't sure they still made IIS.. I haven't heard anyone talk about it since 2005. Nobody uses it as a server. It's not 9% market share presumably.

 

It's fine for home use but.. wow.

People still use it.. Mostly for Exchange.. But still used


There are still a lot of enterprises that use IIS for legacy internal apps, and new apps from vendors that get forced upon you by management. -_-

 

If you would like to set up a DMZ, then why not put all your personal stuff behind something like pfSense?

That way all your personal devices get their own internal NAT that gets routed out to your other network where the server sits; separating them. It also does firewall stuff too.
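
For the question of limiting the server to ports 80 and 443, a read-only check of what the Windows host itself allows inbound, as an added example that is not part of the thread. It assumes the built-in firewall and TCP cmdlets on Server 2016 and that only 80/443 are meant to be reachable.

```powershell
# Added example: read-only audit of what this server exposes besides 80/443.
# Run in an elevated PowerShell session on the Windows Server 2016 host.
$webPorts = '80', '443'   # assumption: the only ports forwarded on the router

# 1. Default inbound action per firewall profile. Block means only explicit
#    Allow rules let traffic in.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction |
    Format-Table -AutoSize

# 2. Enabled inbound Allow rules whose local port is anything other than 80/443
#    (this includes 'Any', port ranges and named ports such as 'RPC').
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $rule   = $_
        $filter = $rule | Get-NetFirewallPortFilter
        $extra  = @($filter.LocalPort) | Where-Object { $_ -notin $webPorts }
        if ($extra) {
            [pscustomobject]@{
                Rule     = $rule.DisplayName
                Profile  = $rule.Profile
                Protocol = $filter.Protocol
                Ports    = $extra -join ','
            }
        }
    } | Sort-Object Rule | Format-Table -AutoSize

# 3. TCP listeners bound to a non-loopback address on other ports, with the
#    owning process. An FTP service, for example, would show up here on port 21.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' -and
                   "$($_.LocalPort)" -notin $webPorts } |
    Sort-Object LocalPort -Unique |
    Select-Object LocalPort, LocalAddress,
        @{ Name = 'Process'; Expression = {
            (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Format-Table -AutoSize
```

Anything listed by steps 2 and 3 is reachable from other machines on the same LAN even when the router only forwards 80 and 443, which is the case the DMZ suggestion addresses.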
