What are the possible threats (if any) if I host this service on an intranet? If the service is hosted locally, is there any real security threat from the outside internet?
I’‘m testing the service with the Pandion client but I’'m not finding it easy to tell if either the service or client communicates to the outside world in any way.
My test is on a Windows XP box but the final install would likely reside on Windows 2003 Server using the embedded database.
Any information or “best practices” for internally hosted services would be greatly appreciated.
Thanks,
Tatera
Messenger probably has the same threats that running other services do.
If you will not be communicating with the outside internet in any way, I would suggest you put up a firewall to make sure the outside world cannot affect Messenger (I believe the ports you’'d need to block are TCP/5222, TCP/5223, TCP/5269, TCP/9090 and TCP/9091). That would stop threats coming from outside your organisation.
Next, you’‘ll have to worry about internal threats. I would suggest running Messenger as a non-admin user to make sure that if somebody or something happens to exploit a security hole, the damage is quarantined to XMPP messages and the database you’‘re using. If you’'re only running one instance of messenger, you can firewall TCP/5269 to everything. Furthermore, the Admin Console can probably be firewalled from everybody too (TCP/9090 and TCP/9091). I also would suggest you have a database user dedicated to Messenger. Finally, I would recommend making sure your configuration files and logs are only readable by a select few.
The server will be behind a corporate firewall and because my user base is small, I’‘m opting for the embedded database. It appears there may be some security to beef up with regards to local log files and I’'m good to go.
My fear initially was that this service, even though hosted on the intranet, still used some sort of outside internet based portion of the service to run. All indications are that it is essentially a “closed circuit” IM for my internal users - which is what I want.
Thanks for your input - it’'s appreciated.