I have looked at the Microsoft Proxy server and at the risk of losing my
credibility do not think it is all bad. A couple of thoughts:
1. Does Microsoft Proxy use RPC services?
I tested a Microsoft Proxy server. Set up properly, with remote
administration either not enabled or not allowed from the external side,
the server does not respond on any port. You can set it up so that it
allows only outbound services and only allows inbound services from, say, a
secure Web server into the internal LAN. Note that the MS Client does use
RPC, but from the inside (see point 4).
2. What about remote administration?
I know that the new IIS 3.0 supports SSL 3.0 and certificate based
authentication. I personally would not be comfortable with remote
administration from the Internet side if it was not based on strong
authentication such as smart cards or certificate based authentication.
3. Multilayered security
I agree with Jamie Thain (jthain @ cat . bbsr . edu) that multiple layers are
better. Having at least a filtered router in front of the demilitarized
zone (local ethernet on the Internet side containing the Internet servers)
can provide additional protection such as preventing external internet
servers from spoofing the addresses of the servers in the DMZ.
4. Client access
Just a comment for those not familiar with the proxy server: anyone looking
to access the Internet through the Proxy server must install the MS Proxy
client in order to perform authentication and to pass on DNS requests
through the Proxy server.
I am not trying to promote the use of MS Proxy per se. After all there is
the possibility that a new NT bug could bite the installation. The
advantage is that it does integrate well with those using Microsoft
Networking and NT domains. If you add extra layers and use care in what
products you use for your Web server, it may not be a horrible choice.
Ray Hooker
Secure I/T Inc.
http://www.securei-t.net