[There's a reason that Yoda is the unofficial mascot of SBS. Size indeed matters not.] This is either good or bad ... depending on how you look at it - THE OFFICIAL BLOG OF THE SBS "DIVA"
Sat, Jan 22 2005 23:54 bradley

This is either good or bad ... depending on how you look at it 

It's good that we're getting important enough for a known 
"google hacker" site to post about our uniqueness... 
 
It's bad that we're getting important enough for a known 
"google hacker" site to post about our uniqueness... 
 
Just a heads up ...they know our "google parts" How do you stop this?
 
First off... don't click the button in the connect to internet wizard to 
“expose the entire web site” Next... if you are stupid enough to do 
THAT one, I'm copying a post from Alan Billharz 
 
Some customers may wish to exclude their SBS 2003 installation
from the scope of Web search sites such as Google.com.  This
may be because you would prefer to restrict knowledge of your
installation only to those who can use it, or, you may want to 
keep some portions of your site (e.g. Business Website) 
searchable while keeping other portions under the radar 
of Web search sites. There is a way to do this using 
the Robots Exclusion Protocol.  
By placing simple text file at the root of your Web site,
you can tell Web search robots which parts of the 
Web site are open for search.I've attached 
two versions of robots.txt that I've whipped up 
for my SBS2003 server:  
 
1.. robots.txt - Allows search of your business Web site 
but hides SBS-specific  sites from search robots.  
2.. robots2.txt - (Must be renamed to robots.txt) 
Denies search of your entire Web site .
For more information, 
check out these sources: http://www.robotstxt.org/wc/robots.html
http://www.searchtools.com/robots/robots-txt.html
http://www.searchengineworld.com/robots/robots_tutorial.htm
Many Web sites implement this functionality.  
For example, you can check out 
http://www.cnn.com/robots.txt .
Please respond to this post if you have any questions 
or comments - let us know how this works out for you!
Thanks,Alan Billharz
--------------------------------------------------------------------------------
# Place this file at the root of the Default Web Site (%system drive%\inetpub\wwwroot) 
# to allow search engines to catalog your Business Web site, but not catalog the other 
# SBS-specific Web sites. 
# 
# Note that you must choose to publish the root of your Web site to allow the search 
# engine robot to read this file.  In the Configure E-mail and Internet Connection Wizard, 
# choose to publish Business Web site (wwwroot). 
 
 
User-agent: *
Disallow:   /_vti_bin/
Disallow:   /clienthelp/
Disallow:   /exchweb/
Disallow:   /remote/
Disallow:   /tsweb/
Disallow:   /aspnet_client/
Disallow:   /images/
Disallow:   /_private/
Disallow:   /_vti_cnf/
Disallow:   /_vti_log/
Disallow:   /_vti_pvt/
Disallow:   /_vti_script/
Disallow:   /_vti_txt/
--------------------------------------------------------------------------------
 
# Place this file at the root of the Default Web Site (%system drive%\inetpub\wwwroot) 
# to prevent all search engines from cataloging your Web site. 
# 
# Note that you must choose to publish the root of your Web site to allow the search 
# engine robot to read this file.  In the Configure E-mail and Internet Connection Wizard, 
# choose to publish Business Web site (wwwroot). 
 
User-agent: *
Disallow: /
 
P.S.  This will be included in the SBS 2003 advanced 
book by Harry Brelsford
Filed under:

# re: This is either good or bad ... depending on how you look at it

Sunday, January 23, 2005 8:17 AM by bradley

Susan,
It's nice to find you are so trusting... of course, this "robot exclusion" is only good for robots that observe the rules. Also, websites can be scanned by robots or people to discover content which is technically different but has the same end result.

1. If you have something really private exposed to the Internet, don't trust anybody, don't trust any generally observed but unenforced standard.

2. If you have anything really private you wish to keep private, secure by requiring authentication. Microsoft technologies supports one easy to configure, strong method... NTFS permissions. Like on the LAN, it's cool to secure resources granularly at the file level. Note that this requires Windows Authentication, you can't disable Windows Authentication and still enjoy the benefits of NTFS. Files stored in a database can also be secure, for example Windows SharePoint Services (ie. Companyweb) stores files securely in a database instead of individual files so although NTFS is not part of the security solution, it still employs good Windows Authentication to access files.

3. Not all website resources can be secured with Windows Authentication, alternative Authorities might be set such as RADIUS or most often a simple list of authorized Users stored in a table. You will not benefit from Security Policies already in place, so in these cases you will be pretty much on your own designing proper security which is more often done poorly than not.

4. Don't secure only the gateway to resources. This used to be very common in the early days of the Web, but poorly designed private areas may only secure the login page assuming that is sufficient overlooking the fact that anyone who knows the URL of a private resource can bypass the gateway and be browsing your private resources without being challenged. This is similar to the ever-trusting SysAdmins who rely only on a firewall but ignore what might happen if someone is able to bypass the firewall and have full run of the internal network without being challenged.

Bottom line is that if you have something really important, either rely on a known good solution such as a Web Portal solution (like Companyweb) or put in the work to secure your web resources properly.

Tony




# re: This is either good or bad ... depending on how you look at it

Sunday, January 23, 2005 11:01 PM by bradley

Regarding the specific supposed vulnerability or whether we should even care whether logon pages are collected in the Google (or other search engine database)

- In general, there's probably no useful or worthwhile purpose for a logon page to be indexed and stored publicly, so in keeping with "divulge only as much information as necessary" instructing spiders not to index the logon page can be recommended.

- Conceivably if a vulnerability should be found in SBServer, such an index might be useful for a hacker to locate victims quickly.

- It's my opinion that if known "best practices" logon policies are applied to authentication and simple passwords are made impossible, there is no significant additional risk compared to if logon pages were not indexed. The point is that logon pages are easily discovered using other methods than doing a Google search.

An example of probable faulty vulnerability evaluation is the "Google Hacker's" index of OWA logons. Because by default GPO Password Policy is applied to logons, ordinarily this is not a vulnerability. Normally three failed logins will force the hacker to wait 30 minutes before trying again. Bad Password Policy will hurt you in many ways, not just OWA or RWW (the supposed Google database index that found your server). And, there is no hiding what your server is, it's too easy to fingerprint your machine.

Tony

# An open port is a hole is a weakness is a entry is a ....got it?

Friday, February 04, 2005 6:12 PM by TrackBack

# An open port is a hole is a weakness is a entry is a ....got it?

Friday, February 04, 2005 6:15 PM by TrackBack

# So what's the security of Remote Web Workplace?

Friday, March 04, 2005 9:36 PM by TrackBack

# So what's the security of Remote Web Workplace?

Friday, March 04, 2005 9:37 PM by TrackBack