Hi,
I'm a one-person web shop at a small University located in the Southeast US. Our site is built on a RHEL 5.3 using Drupal 6.22 -- we host our own server, and it's been running great for the last 3 years.
We're a small school, and our IT department is outsourced. The contract we have with this company -- wait for it -- offers NO support for our web site! Therefore I'm Web Developer/ Webmaster / System Admin / Security Expert / DBA / etc. for the web. I am not trained in security or system admin and have basically been relying on a RedHat support subscription. However they don't cover the "AMP" part of LAMP, nor security for Drupal, nor anything Drupal, etc.
Well, my site got hacked recently, and one web page was vandalized. The school is now freaking out, and the IT dept is under the gun to provide security and maintenance for the web site. However, they only support Windows servers. I really don't want to go to a Windows server environment, but it may be happening unless I can provide reasons not to.
- Is anyone in Higher Ed using a Windows Drupal 6.x deployment successfully?
- What are the pros/cons of Windows vs. Linux deployment?
- Also, I have considered recommending 3rd party cloud deployment as an alternative to our in-house Linux. Any recommendations there? (Maybe that's not kosher to ask for recommendations. If so, mea culpa in advance).
- Have also considered hiring out an off-site contractor to do the SysAdmin job remotely. Again, any recommendations?
Thanks
Gary Broyhill
Comments
Have you talked to Acquia?
Acquia does this sort of stuff. I don't have any direct personal experience with their service, but it's probably at least worth a phone call/email to them to see if it's a good fit.
-Greg
Similar situation (small), on Windows
I am running our library's website using D6.x on a Windows machine managed by campus IT. I found that I didn't have to hold up website deployment based on server choice because Windows Server 2008 and IIS7 do a pretty good job (in my admittedly limited experience) playing nicely with PHP and MySQL. Live for a year, currently planning migration to D7. Ours is a small, "all-Windows" campus as far as web servers go. Would not have the website up if I was waiting for Linux to be an option.
re: Similar situation (small), on Windows
thanks bmorgan
Drupal Success
Gary,
I work for Acquia, have a number of Drupal social communities, and frequent our local Boston Drupal Group. We currently work with just over 100 Schools and Universities at various different capacities. Most often we provide daily validation of all of your efforts in an unlimited fashion, maintenance, monitoring, hosting and a number of audits around security and performance. I see that you have connected with us in the past just maybe not live. Give me a call directly and I am happy to suggest options: 978-289-4253. My first goal is to make sure Drupal stays a part of your school's web strategy regardless if we are a fit in this instance. A contact at Babson suggested I reach out after seeing the post. Likely you may have a back door open or some other low hanging fruit in which to close.
Many schools and larger organizations in general are using Windows. We can provide the specific expertise they need given the enterprise use of Windows. Having the extra help makes sense given that the majority of those in the community are using LAMP and therefore it's hard for them to provide the deeper expertise. With LAMP it's just easier to get help from the majority.
Best,
-John
Thank you Greg for considering us.
If you don't mind me asking,
If you don't mind me asking, at what level were you hacked? Was it through Drupal? I'm wondering if this was an issue of not setting proper permissions and/or establishing strong password policy.
Good luck! Stick with Drupal!
Site Hack
Still trying to figure out at what level we were hacked. I am guessing it was hacked through Drupal but really not sure. Installed the Hacked module and it pulled up four modules that were hacked, but I don't know enough to go from there. I also have a consultant helping me determine this. (Our IT dept. has not been able to solve it).
Hacked module shows changes
Hacked module shows changes in modules vs. their drupal.org version. It's basically a huge diff operation. This isn't telling you something was hacked necessarily, though if you don't hack core/contrib it could point to someone gaining server-level access in order to alter those files. Another good reason to document what modules you change the code of.
Ex Uno Plures
http://elmsln.org/
http://btopro.com/
http://drupal.psu.edu/
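The comparison described in the comment above (deployed module files against a clean copy of the same release), sketched as an added example. It is not part of the original thread and is not the Hacked module's own code; the function names and the sample module files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_hashes(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_trees(pristine, deployed):
    """Report how a deployed module tree differs from a clean reference copy."""
    ref, live = tree_hashes(pristine), tree_hashes(deployed)
    return {
        # Same path, different content: a local patch or tampering.
        "modified": sorted(f for f in ref.keys() & live.keys() if ref[f] != live[f]),
        # Present on the server only: review every one of these by hand.
        "added": sorted(live.keys() - ref.keys()),
        # Shipped in the release but gone from the server.
        "missing": sorted(ref.keys() - live.keys()),
    }


def demo():
    """Build two constructed sample trees and compare them."""
    files = {  # constructed sample content, not a real module
        "example.module": "<?php\n// module code\n",
        "example.info": "name = Example\n",
        "includes/helper.inc": "<?php\n// helper\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        pristine, deployed = Path(tmp, "pristine"), Path(tmp, "deployed")
        for root in (pristine, deployed):
            for rel, body in files.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
        # Simulate drift on the deployed copy only.
        (deployed / "example.module").write_text("<?php\n// module code\n// edited\n")
        (deployed / "includes" / "extra.php").write_text("<?php // unexpected file\n")
        (deployed / "example.info").unlink()
        return compare_trees(pristine, deployed)


if __name__ == "__main__":
    print(demo())
```

A "modified" entry only means the file differs from the reference; checking it against a record of intentional local changes is what separates a known patch from an unexplained one.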
re: Hacked module
I do have the Hacked module, thanks. Yeah, this is the first hacked page I've had in 3 years of Drupal (and 15 years of web). Someone also mentioned the "Cracking Drupal" book, which I plan to check.
Outsource the Hosting, Save Yourself the Stress
I outsource my hosting through a company called Omega8, check out their US site at Omega8.us. They provide high performance and deal with all the security stuff too. I really like the work they do and I think they might provide a very good solution for you. I haven't tried Acquia's hosting.
I haven't really liked the experience of do-it-yourself hosting when, like you, I've already got all the design, development and maintenance of sites to deal with.
re: Outsource the hosting
Another developer recommended Omega8 so I'm checking with them, thanks.
Windows 2008 server AMP stack
We have 3 small sites running under D6 on Windows 2008 Server but we use Apache rather than IIS.
We use the Moodle Cron package to run Drupal's cron.
http://docs.moodle.org/20/en/Cron
One thing is that up until recently Drush didn't play very nice with Windows, so you didn't have access to this great tool (there is now a Windows installer available: http://drush.ws/drush_windows_installer).
Another was that our server installation prevented the server from checking other websites for content (as a security feature), so we had to override that in order to pull content via RSS.
Finally, we had to do some tweaks to get the server to use our email system (Exchange); there was something to do with allowing email from a web service vs. an individual.
Other than that it has been pretty smooth.
a few things to consider..
Regardless of hosting the site yourself, or with someone else, you might consider having HTTPS enabled for Drupal administration/logins. Cracking Drupal http://crackingdrupal.com/ is a pretty good book to check out. I've used the security review and thought it had some good stuff in there. Having a third party scan your site, looking for SQL injection, XSS, information disclosure (SQL errors for example) and open ports. Something like McAfee Secure can help with scanning.
-brian
Never had Drupal hacked.
Never had Drupal hacked. Server, yes, in a past life. Staying on security releases and having a good permission/role policy, it isn't an issue.
Ex Uno Plures
http://elmsln.org/
http://btopro.com/
http://drupal.psu.edu/
Linux on Windows
Our university also has a Windows only policy, but since all of my Drupal installs work best under Linux, we have "virtual servers" set up under Windows Server that essentially run Ubuntu in a virtual machine under Windows. So the Windows admins are happy, and I have a setup that is, for all intents and purposes, a Drupal friendly Linux box.
That means that the installs with which I work run Linux (Ubuntu), Apache, MySQL and PHP, have ssh access, run Drupal (6 & 7) seamlessly, and allow updates through Drush command line. And all inside a Windows server VM.
I tried running Drupal directly under Windows IIS, and it was really more trouble than it was worth. I strongly advise against it.