| Tags: iis, redirection, remote web workplace, sbs 2008, stop redirection |
#1
SBS 2008 - IIS Remote Web Workplace - stop default redirect
Currently in SBS 2008 if a user types http://remote.public.domain the server redirects this URL to https://remote.public.domain/remote to authenticate for remote web workplace. Is there any way I can remove this automatic redirection so that the user is required to type https://remote.public.domain/remote to connect to remote web workplace? In SBS 2003 we removed this type of redirect because when people browsed to the public IP address they could see there was a logon portal. This was then subjected to continual attack. In SBS 2003 we replaced the default webpage with a plain HTML file (and no links) and connected to remote workplace by directly typing the virtual path in the URL. The attacks dropped from hundreds per day to none in three years. I have looked everywhere in IIS7, including the redirect options, but can find nothing. Can someone explain either what Microsoft have done to create this redirect or, preferably, how I can turn it off?
|
#2
You could block http at the firewall and only forward https to the sbs server. Surely you don't have these on your LAN.
|
#3
Yes, I would need to do that at the server, since we have other web-sites using http. I would also need to be careful about whether that impacted other network traffic that may use http. Was just wondering about IIS7, it was all rather straightforward in IIS 5/6. Various devices on the LAN do use http that are accessible from the internet (e.g. CCTV). SBS 2008 has severe restrictions when it comes to things like allocating IP addresses (it will ONLY support a single class C subnet), which causes significant problems. SBS 2008 only really supports a single (or in some cases 2) servers and comes with everything packaged (e.g. Exchange, SharePoint, IIS, DHCP etc.), making it hard to isolate one product from another. IIS comes preconfigured with OWA, Connect, Companyweb, remote web workplace, SharePoint services etc. It would seem reasonable to assume that various websites could be turned off without affecting other ones. One of the problems with everything preconfigured is that as an administrator, it isn't always clear how they were preconfigured (and what they depend on) and therefore knowing whether blocking a networking protocol will have an impact on functionality. Hence it seems safer to turn off the http to https redirect and go from there. One of my concerns is that in SBS 2008 all the websites use standard names. In IIS6 it was easy enough to just rename them, but in IIS 7 they need to be recreated with a new virtual path. This means that if someone knows you are running SBS 2008 they already know which virtual paths are likely to be used, which they can then start to attack. Although I can create new virtual paths etc., if I cannot change the default redirects then I cannot easily disable the default sites without errors arising.
|
#4
Re: SBS 2008 - IIS Remote Web Workplace - stop default redirect
I think it's handled by the HTTPtoHTTPSRedir Module, but I'm not 100% certain. However, a simple way to prevent it from happening is to remove the binding that links remote.domain.com:80 to the SBS Web Applications website. All http requests for remote.domain.com on SBS2008 will then hit the Default Web Site instead. Just editing the hostname value to something that isn't valid (e.g. Xremote.domain.com) should suffice. Drop your existing simple default.htm file into the wwwroot folder to have it used on the Default Web Site in place of the pretty "Welcome to IIS7" page.
|
#5
Re: SBS 2008 - IIS Remote Web Workplace - stop default redirect
I'd view that as an unacceptable security risk, myself. Can't you put those on a separate network segment /DMZ configured in your perimeter device? As opposed to multiple ones bound to a single NIC? That'd be a bad config for a domain controller anyway. Seriously, why does this stuff need to be on the LAN segment? If you have a decent firewall appliance you can probably set up a DMZ therein, and allow all LAN-->DMZ traffic if you want access to it - without allowing the reverse. You can also do one-to-one NATting so you can use a different public IP (and different rules). No, you can put as many as you like in, pretty much. You can't. That's one reason why it's far less expensive than the regular enterprise products. Yes, that's true, but you really shouldn't screw around with it. Understood. Again, in SBS, you risk much if you screw around with its defaults. I tend to err on the side of caution.
|
#6
Thanks Steve, that gets me close enough I think... The slight complication is that the /Remote [web workplace application] hangs off the http://public.domain URL and so if I delete the binding, I also lose the http://public.domain/Remote relative path. Nonetheless, https://public.domain/Remote still works, so as long as none of the other paths need it (e.g. /OWA, /Exchange, /connect etc.) it will be okay. I'll do some testing. I agree and wish I could. However, Microsoft SBS2008 does not allow this. The platform has Exchange, SharePoint, IIS7 etc. all bundled preconfigured on a domain controller. When you install the operating system they are all there and active... you do not even need to install the roles. Hence you can sense my concern over the size of the attack surface and wanting to do what I can to reduce it. I did consider multiple servers running Server 2008 Standard in a DMZ and using Edge transport to Exchange. However, with only 8 computers and the need then to buy Exchange, 2xServer 2008, SharePoint, IIS, Forefront etc. it proves expensive! Maybe if I get a spare machine I can configure some sort of Internet security server... it's hard when there is only one of me!
|
#7
You said you were happy with requiring users to type the https, so I didn't see that losing access to /remote via http would be an issue. Only the SBS Web Applications site has https binding by default, so all https functionality is unaffected by the change I've proposed. The only caveat might be Exchange Push Email - in 2003, there were some issues with HTTP/HTTPS related to ActiveSync, but I think they've all been dealt with since then. But what she's saying is that you can add another server and place that in your DMZ. SBS itself needs to be on one box, but Premium in fact gives you another Windows OS platform. Yes, precisely. Public websites should not be hosted a) on domain controllers b) on the LAN at all. Just pointing out that the 2nd server from Premium is not, in almost all cases, suitable for use as your DMZ server. The 2nd server must be a member of the SBS AD, which would require the DMZ to allow Windows Networking back to the AD, defeating much of the purpose of the DMZ.
|
#8
Re: SBS 2008 - IIS Remote Web Workplace - stop default redirect
Just make a backup of "C:\Program Files\Windows Small Business Server\Bin\WebApp\SBS Web Applications\web.config" and then open that file in notepad (launched with administrative rights) and remove the line:

<add name="HttptoHttpsRedir" type="Microsoft.WindowsServerSolutions.IWorker.IIS.Modules.HttpToHttpsRedir,HttpToHttpsRedir,Version =6.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

This kills the redirect module to /remote.
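
Added example, not part of the original thread: the backup-and-remove edit from post #8 done in PowerShell, followed by a check that also applies after the binding change from post #4. It assumes PowerShell 2.0 or later in an elevated session; the function names are hypothetical, `$HostName` is the placeholder host from post #1, and the path and module name are the ones quoted in post #8.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0+ in an elevated session.
# Path and module name are the ones quoted in post #8; $HostName is a placeholder.
$ConfigPath = 'C:\Program Files\Windows Small Business Server\Bin\WebApp\SBS Web Applications\web.config'
$ModuleName = 'HttptoHttpsRedir'
$HostName   = 'remote.public.domain'

function Remove-RedirectModule([string]$Path, [string]$Name) {
    # Timestamped backup first, so the SBS default can be restored by copying it back.
    Copy-Item -Path $Path -Destination ("{0}.{1}.bak" -f $Path, (Get-Date -Format 'yyyyMMdd-HHmmss'))

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true          # keep the file's existing layout on save
    $xml.Load($Path)

    # Collect matching <add name="..."> elements before removing any of them.
    $hits = @($xml.SelectNodes("//*[local-name()='add']") |
              Where-Object { $_.GetAttribute('name') -ieq $Name })
    foreach ($node in $hits) { [void]$node.ParentNode.RemoveChild($node) }

    if ($hits.Count -gt 0) { $xml.Save($Path) }
    return $hits.Count                        # 0 = nothing matched, file left untouched
}

function Test-HttpRedirect([string]$Url) {
    # Request the URL without following redirects; report status code and Location header.
    $req = [System.Net.WebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    try { $resp = $req.GetResponse() }
    catch { $resp = $_.Exception.GetBaseException().Response }  # 4xx/5xx still carry a response
    if (-not $resp) { return 'no response' }
    $line = '{0} {1}' -f [int]$resp.StatusCode, $resp.Headers['Location']
    $resp.Close()
    return $line.Trim()
}

"Before: " + (Test-HttpRedirect "http://$HostName/")
"Entries removed: " + (Remove-RedirectModule $ConfigPath $ModuleName)
"After:  " + (Test-HttpRedirect "http://$HostName/")
```

A 3xx status with a Location ending in /remote on the "After" line means the redirect is still being served; a 200 means the plain default page is answering.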
|
#9
I know you tried twice, but the part you were trying to post didn't show up again. What was it?