
I'm using IIS as my web server and run phpMyAdmin via IIS.

But now I've seen someone use IIS and XAMPP, and there is something I want to know.

Usually they set XAMPP to localhost:81 or localhost:whatever.

What I want to know is whether phpMyAdmin run inside IIS is more secure than phpMyAdmin run via IIS?

So, which one is better?

1. Using IIS to run the web server (PHP) and phpMyAdmin
2. Using XAMPP inside IIS, then running the web server (PHP) using IIS and phpMyAdmin using XAMPP

There is something I know: I cannot directly access phpMyAdmin if it runs on localhost:81; if I need to access phpMyAdmin I have to open my server. But I once got hacked when I was using XAMPP to run PHP and phpMyAdmin.

I've looked at so many sites for the answer, but still haven't found it.

Zinc

1 Answer


Effectively you do not ever want administrative consoles, administrative applications, or insecure applications exposed to untrusted networks such as the Internet.

It is possible to run these web-apps on other internal ports or simply ports that are not accessible to the outside world or other untrusted networks, then access the web-apps via a VPN. This would allow you to VPN to your server to do web-based configuration tasks and/or use the untrusted apps without exposing them to the Internet or untrusted networks.

The concern is that in some cases when you add such web-based administration tools these can be exposed to both the external (untrusted) and internal (trusted) networks at the same time, especially if it's via the same server daemon. So you will want to do a test to confirm this is not the case.

Alternatively, what some people do is run two different web servers on the same system. (For example, you could run IIS for external apps on ports 80 and 443, then run Apache with another app on a high port such as 32443 which is either blocked by a firewall or bound to an internal loopback address such as 127.0.0.1.) There are many ways to do this.

Back to your question of relative risk. The system with more code/applications accessible to the untrusted networks will be at greater risk from the untrusted networks. If you are comparing two applications side by side it will be a relative comparison at a given point in time, taking into account the security controls in place for each application at its most current version level.

In a direct comparison of the following two:

1.) IIS + PHP + phpMyAdmin
2.) IIS + PHP + phpMyAdmin + XAMPP

One would expect the second combination to be likely to have more vulnerabilities at a given point in time because it effectively exposes more attack surface. There are exceptions where added software adds additional security controls but in general this is an easy way to look at your exposed attack surface.

Note: There are many other ways to solve the problem you are trying to solve. You could also look at using tools like mod_security and the use of static IPs with firewall configurations too.

Finally, I have to point out that no matter which way you go you will want to do a lot more to secure this system if it is exposed to the Internet.

Trey Blalock
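The "second web server on a loopback address" arrangement from the answer above, written out as an Apache configuration for the XAMPP instance. This is an added example, not part of the original answer or of XAMPP's shipped configuration; the `C:/xampp/phpMyAdmin` path is assumed, and the port 32443 is the one the answer uses.

```apache
# ---- BEFORE (the weak setup the question describes) ----
# Apache answers on every interface, so the phpMyAdmin alias is reachable
# by anything that can reach port 81, including the Internet if the
# firewall lets it through. Remove these lines.
#
# Listen 81
# Alias /phpmyadmin "C:/xampp/phpMyAdmin/"
# <Directory "C:/xampp/phpMyAdmin">
#     Require all granted
# </Directory>

# ---- AFTER (hardened) ----
# Bind only to the loopback address on a high port. The external interface
# never gets a listener, so IIS on 80/443 stays the only exposed daemon.
Listen 127.0.0.1:32443

# Serve phpMyAdmin only to local clients, even if a Listen line is later
# changed by mistake. Reach it from a session on the server itself (RDP over
# VPN), or replace 127.0.0.1 with the VPN interface's address if the VPN
# terminates elsewhere.
Alias /phpmyadmin "C:/xampp/phpMyAdmin/"
<Directory "C:/xampp/phpMyAdmin">
    Require local
</Directory>

# Verification (run in cmd after restarting Apache): the only socket on
# 32443 should be bound to 127.0.0.1, never 0.0.0.0 or the external address.
#   netstat -ano | findstr :32443
```

If `netstat` shows `0.0.0.0:32443`, a second `Listen` directive elsewhere in the XAMPP config is still opening the port on all interfaces; that is exactly the dual exposure the answer warns about.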