Question

We have a web server in the DMZ that has open access to the Internet (of course) and RDP access to our internal network via an internal Firewall. Our web developers (who use many different tools including Visual Studio) require the ability to 'publish' content changes and new projects to particular folders on the web server. This ability requires a drive to be mapped to the server you are publishing to.

The problem is, our network team refuses to open up NTFS access to the server internally. I somewhat agree with them - there is no way to limit NTFS access by port number. It simply doesn't exist as an option I am aware of.

So our question becomes - other companies must have this need to secure traffic coming to and from the web server from the internal network. How does one allow mapped drives to a web server in a DMZ without opening up the web server completely?

Thanks


Solution

CIFS normally runs on one of several ports: TCP 445, 137, 139; UDP 137, 138. Your firewall team ought to be able to poke holes through for these specific ports to specific internal hosts that should have privilege to update the live webserver.

If it is a "real" DMZ with separate firewalls on both sides of the hosts, it should be easy to modify both the firewalls and the web server's host firewall to allow the accesses. If the DMZ is "faked" a bit with a single firewall, it is still possible to allow the access from only internal hosts on both the firewall and the server's host firewall, but I could understand the reticence to trust so much to a single firewall.
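The host-firewall half of that setup, as an added example that is not part of the answer above: a PowerShell script for the Windows web server that makes inbound deny-by-default explicit, disables the built-in File and Printer Sharing rules (which allow SMB from any address), and then allows the ports the answer lists only from the internal publishing workstations. The addresses 10.10.5.21 and 10.10.5.22 and the rule group name are assumptions for illustration; substitute the real developer hosts. The perimeter firewall rule the network team writes should carry the same source-address scope.

```powershell
# Added example (not from the original answer). Run in an elevated PowerShell
# session on the DMZ web server. Addresses and names below are assumed.

$PublishingHosts = @('10.10.5.21', '10.10.5.22')   # assumed internal dev workstations
$RuleGroup       = 'DMZ SMB publishing'            # assumed group name for our rules

# 1. Deny inbound by default on every profile so the scoped allow rule is the
#    only way in. Do NOT add a blanket "block 445" rule: Windows evaluates block
#    rules before allow rules, so it would also defeat the scoped allow below.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. The built-in File and Printer Sharing rules allow SMB from any remote
#    address once enabled; turn them off so they cannot widen our scope.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 3. Remove earlier copies of our rules so the script can be re-run safely.
Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 4. Allow the CIFS/NetBIOS ports named in the answer, only from the publishing
#    hosts. TCP 445 is direct-hosted SMB; TCP 137/139 and UDP 137/138 are the
#    legacy NetBIOS transports and can be left out if the clients only use 445.
$Ports = @(
    @{ Protocol = 'TCP'; LocalPort = 445 },
    @{ Protocol = 'TCP'; LocalPort = 139 },
    @{ Protocol = 'TCP'; LocalPort = 137 },
    @{ Protocol = 'UDP'; LocalPort = 137 },
    @{ Protocol = 'UDP'; LocalPort = 138 }
)
foreach ($p in $Ports) {
    New-NetFirewallRule -DisplayName ('SMB publish {0}/{1}' -f $p.Protocol, $p.LocalPort) `
        -Group $RuleGroup -Direction Inbound -Action Allow -Profile Any `
        -Protocol $p.Protocol -LocalPort $p.LocalPort `
        -RemoteAddress $PublishingHosts | Out-Null
}

# 5. Verify: every rule in the group must carry the remote-address scope.
#    A rule whose RemoteAddress column reads "Any" is a misconfiguration.
Get-NetFirewallRule -Group $RuleGroup | ForEach-Object {
    $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    $port = $_ | Get-NetFirewallPortFilter
    '{0,-22} {1,-4} {2,-5} from {3}' -f $_.DisplayName, $port.Protocol, $port.LocalPort, $addr
}
```

To add or remove a publishing workstation later, change the scope on the existing rules with `Get-NetFirewallRule -Group 'DMZ SMB publishing' | Set-NetFirewallRule -RemoteAddress <new list>` rather than creating an unscoped rule. A useful end-to-end check is `Test-NetConnection -ComputerName <web server> -Port 445` run once from a listed workstation (TcpTestSucceeded should be True) and once from any other internal host (it should be False); the second test exercises the perimeter firewall as well as the host rule.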

Licensed under: CC-BY-SA with attribution