Hosting own email and webserver security issues

CADsortaGUY

Lifer
Oct 19, 2001
25,162
1
76
www.ShawCAD.com
I have been asked to help my parent's church with their church network and server issues since the person who used to take care of it all is no longer at the church. I did a quick sit down with them to get a handle on what is going on and got a list of their issues and the like. In the course of my quick inventory, I noticed they were paying for a static IP, so I inquired as to why. They said it was because they had their own server. Come to find out, they are hosting their own webserver and email server on a win2k3 server box at the church.

Now I'm sure I could handle doing their maintenance and such, but I'd rather see them go to an outside host since I don't want to be at their beck and call (even if they were to pay me).

I'd really love to see a good list of security related reasoning as I already have the hardware and other maintenance risks laid out since they seem a bit leery of outside hosting due to problems in the past.

Anyone help with a list of security risks?
 

Oakenfold

Diamond Member
Feb 8, 2001
5,740
0
76
Aside from server hardware, OS management, data backup, what about the website (i.e. any web app security issues)? Who does the coding? Are they running a database? Why are they so sketchy about 3rd party involvement? What happened to the last IT guy (i.e. just make sure it's un-related)?

I think you need to lay it out for them that you don't want to be the on demand IT guy. That's what I would focus on. Don't let your kindness get you suckered into a 2nd job.

Just some quick thoughts.
 

CADsortaGUY

Originally posted by: Oakenfold
Aside from server hardware, OS management, data backup, what about the website (i.e. any web app security issues)? Who does the coding? Are they running a database? Why are they so sketchy about 3rd party involvement? What happened to the last IT guy (i.e. just make sure it's un-related)?

I think you need to lay it out for them that you don't want to be the on demand IT guy. That's what I would focus on. Don't let your kindness get you suckered into a 2nd job.

Just some quick thoughts.

From what I gather it's just a simple IIS website - no special database anything. They use FrontPage to update the site weekly, so it's nothing but HTML from all appearances.
The last guy left the church - he was doing the IT related stuff on a volunteer basis I guess. I have a feeling the guy that left talked them into doing it all themselves since he could do it all.

I guess what I'm looking for is something to take them over the top. I have all the software/hardware/maintenance stuff all ready to present, but I'd like a bit of fear/risk to convince them to do what everyone else their size (relatively small and only 1 location) does and have someone else host it.

They already know I'm not going to get suckered into anything, but I'm doing this prelim stuff mainly because all the people in charge are pretty challenged in the technology area and I'd hate for them to hire some guy/company to come in and do everything for them and end up spending way too much and/or getting sold crap they don't need.
 

Oakenfold

Originally posted by: CADsortaGUY
I have a feeling the guy that left talked them into doing it all themselves since he could do it all.

There's your selling point for getting the hosting with someone (i.e. especially with the hosting being so cheap now, it may be cheaper than the electricity to run the Windows Server box per year). Explain to them at some point that box will need to be replaced and you will need to start the cycle over; you may not be around when that happens.

If you really want to talk about something to convince them why they don't want to manage their own box, just talk to them about the dangers of having a webserver on their network to begin with (i.e. leapfrogging to other computers on the network, DNS redirecting) or maybe website defacement. We both know that this is just as possible (i.e. hopefully less with a good host) on a third party host, so explain those risks as well.