T 3.56 Incorrect integration of IIS into the system environment

IIS is operated in a wide variety of environments all over the world. The operating environment is understood here to be the network topology (the configuration of the additional hardware, software and network components) in which IIS runs. One aspect that must always be considered in this context is that IIS has to communicate with other systems (for example the database server in the example below), and every such connection is a path that an attacker can also use.

Protecting a public server accessible from the Internet is generally much more complicated than protecting a server installed in the Intranet. The secure use of suitable network separation devices is of critical importance in this regard.

An inadequately planned network structure, e.g. one without a demilitarised zone (DMZ) or with an incorrectly configured network separation device (firewall), offers attack paths from the Internet as well as from the Intranet.

Under-dimensioned components also pose a risk (e.g. a firewall that cannot handle the traffic volume, or too few network connections). If these components do not meet the availability and performance requirements of the web server itself, they become a single point of failure (SPOF): the web server is only as available as the weakest component on the path to it.

Example:

An e-business application is implemented using an IIS and a database server. If the database server is located in the same segment as the IIS, which can be accessed from the Internet, then no separation device stands between the two systems. Unauthorised persons who compromise the IIS, or who pass the firewall because of a permissive rule, therefore obtain unfiltered access to the database server and can read or manipulate the data in the database.
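The layouts discussed in this example, as an added illustration that is not part of the catalogue text: a small Python model in which hosts sit in segments, a separation device filters only between segments, and the same checks are run against the flat layout from the example, against a flat layout with an over-permissive "Internet to DMZ" rule, and against a layout in which the database server sits in its own segment with a single permitted flow. The host names, zone names, ports and rules are constructed for the illustration.

```python
"""Toy reachability model of the e-business layout in the example above.

Hosts sit in zones (segments). A network separation device only sits
between zones, so two hosts in the same segment can always reach each
other; traffic between zones is decided by a first-match rule list with
an implicit deny at the end. All host names, zones, rules and ports are
constructed for this example.
"""
from dataclasses import dataclass

ANY = "*"
DB_PORT = 1433                       # SQL Server listener
PROBE_PORTS = (1433, 3389, 445)      # SQL Server, RDP, SMB


@dataclass(frozen=True)
class Host:
    name: str
    zone: str


@dataclass(frozen=True)
class Rule:
    src: str        # host name or ANY
    src_zone: str   # zone name or ANY
    dst: str
    dst_zone: str
    port: int       # TCP destination port, 0 = any
    allow: bool


def _match(pattern: str, value: str) -> bool:
    return pattern == ANY or pattern == value


def reachable(rules, src: Host, dst: Host, port: int) -> bool:
    """True if src may open a TCP connection to dst:port."""
    if src.zone == dst.zone:
        return True                  # same segment: nothing filters this
    for r in rules:
        if (_match(r.src, src.name) and _match(r.src_zone, src.zone)
                and _match(r.dst, dst.name) and _match(r.dst_zone, dst.zone)
                and r.port in (0, port)):
            return r.allow
    return False                     # implicit default deny


def audit(hosts, rules) -> list:
    """Check the flows the application needs against the ones it must not allow.

    Two attacker positions are considered: an anonymous Internet client and
    a compromised IIS host (the web server is the Internet-facing component,
    so its compromise is the case a DMZ design has to contain).
    """
    by_name = {h.name: h for h in hosts}
    client, iis, db = by_name["client"], by_name["iis"], by_name["db"]
    findings = []
    # Required flows: breaking them makes the service unavailable.
    if not reachable(rules, client, iis, 443):
        findings.append("client->iis:443 blocked")
    if not reachable(rules, iis, db, DB_PORT):
        findings.append(f"iis->db:{DB_PORT} blocked")
    # Forbidden flows: the database must not be exposed to the Internet,
    # and a compromised IIS must get no more than the database port.
    for p in PROBE_PORTS:
        if reachable(rules, client, db, p):
            findings.append(f"client->db:{p} exposed")
    for p in PROBE_PORTS:
        if p != DB_PORT and reachable(rules, iis, db, p):
            findings.append(f"iis->db:{p} exposed")
    return findings


CLIENT = Host("client", "internet")
IIS = Host("iis", "dmz")

# Layout 1: database in the same segment as the IIS (the threat's example).
FLAT_HOSTS = [CLIENT, IIS, Host("db", "dmz")]
FLAT_RULES = [Rule(ANY, "internet", "iis", "dmz", 443, True)]

# Layout 2: same hosts, but a sloppy "Internet -> DMZ, any port" rule.
SLOPPY_RULES = [Rule(ANY, "internet", ANY, "dmz", 0, True)]

# Layout 3: database in its own segment behind the firewall, with only
# the one flow the application needs.
SEGMENTED_HOSTS = [CLIENT, IIS, Host("db", "intranet")]
SEGMENTED_RULES = [
    Rule(ANY, "internet", "iis", "dmz", 443, True),
    Rule("iis", "dmz", "db", "intranet", DB_PORT, True),
]

if __name__ == "__main__":
    for label, hosts, rules in (("flat", FLAT_HOSTS, FLAT_RULES),
                                ("flat+sloppy", FLAT_HOSTS, SLOPPY_RULES),
                                ("segmented", SEGMENTED_HOSTS, SEGMENTED_RULES)):
        print(f"{label}: {audit(hosts, rules) or 'no findings'}")
```

In the flat layout the firewall rule itself is tight, yet the audit still reports the RDP and SMB ports of the database server as exposed, because a compromised IIS sits in the same segment and nothing filters between the two hosts. The over-permissive rule additionally exposes the database directly to the Internet. Only the layout with the database server in its own segment, and a rule limited to the IIS host and the database port, passes all checks.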