For any environment exposed to the web you must run in production mode. In WS2.x there's a checkbox on the last tab for mode with values of 'production' and 'development', select production.
Your development environment should be entirely within your intranet with no outside exposure, i.e. on a different server. If that's not possible you could set up a second WebSpeed broker in development mode, with the same root as your production environment. Then create a second virtual website in IIS on a different port, and use the security settings to restrict access to the class C address of your internal network.
Don't use the 'WService=brokername' nomenclature, instead use the IIS wrapping function.
The optimal setup is basically
external firewall - production web server - internal firewall - intranet
                    production web speed                        production db server
                                                                development web server
                                                                development web speed
When you say you were 'hit' by two hackers, what exactly does that mean? Hacking WebSpeed would require Progress knowledge, and most people don't even know what Progress is.
IIS is inherently insecure for starters.
o Remove all the sample programs and directories from the inetpub directory.
o Apply the latest NT service packs.
o Go to www.sans.org and buy yourself the latest copy of Windows NT Security Step-by-Step and apply the user/domain/registry restrictions they recommend.
o Subscribe to the MS security mailing list (go to www.microsoft.com/security). I received something like 56 separate security alerts in '99, mostly pertaining to NT and IIS.
Hope that helps.
Regards,
Sean Overby
Sr. Programmer Analyst
Protech Systems Inc.
soverby@protech.com
http://www.protech.com
Stulti timent Fortunam, sapientes ferunt