We are currently running MOSS 2007 internally, and have been doing so for about 12 months with no major issues.
There has now been a request from management to provide access from the internet for small groups (initially) which are comprised of members from other Community Organisations like ours (committees and the like).
My first reaction was not joy when presented with this request, however I'd like to make sure the apprehension is warranted.
I have read a few docs on TechNet about security hardening with regard to SharePoint, but I'm interested to know what others have done.
I've spoken with another organisation who has already implemented something similar, and they have essentially port-forwarded from the internet to their internal production MOSS server. I don't really like the sound of this. Is it advisable/necessary to run a DMZ type configuration, with a separate web front-end on a contained network segment? Does that even offer me any greater security than their setup? Some of the configurations from a TechNet doc aren't really feasible, given our current network budget. I've already made my concerns known to management, but it appears it will go ahead in some form or another.
I'm tempted to run a completely isolated, separate install just for these types of users.
Should I even be concerned about it?
Any thoughts, comments would be most welcomed at this point.
Assuming these organizations have static IP addresses, you could tighten up your port forwarding rules to only permit extranet access from those IP addresses. I'm not sure if SharePoint plays well in a DMZ role as the backend integration with Active Directory would require you to poke a few holes back into your LAN for it to function. Perhaps someone with more SharePoint in a DMZ setup experience can chime in.
EDIT
Did some digging and found Microsoft's extranet planning tool (with a nice/clear Visio diagram) that should hopefully address your concerns and give you an idea of what you can/should do: http://technet.microsoft.com/en-us/library/cc262834.aspx
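One way to check that the source-IP restriction suggested in this answer is actually being enforced, as an added example that is not part of the original answer or of any Microsoft tooling: a small Python script that parses IIS W3C-style access logs for the extranet web application and reports every request whose client address falls outside the partner allowlist. The partner addresses (documentation ranges) and the log excerpt are constructed sample data; the `#Fields` layout is the standard IIS header but the column selection is an assumption.

```python
"""
Audit extranet access against a partner IP allowlist.

Added example (not from the original thread): the answer above suggests
permitting extranet access only from the partner organisations' static IP
addresses. This script checks web-server access logs against such an
allowlist and reports any hit that came from outside it, which would show
the port-forwarding restriction is not being enforced. The IP ranges and
log lines below are constructed sample data.
"""
import ipaddress

# Hypothetical partner organisations with static addresses (constructed;
# these are documentation ranges, not real partners).
PARTNER_ALLOWLIST = [
    "203.0.113.10",        # Community Org A, single static address
    "198.51.100.0/29",     # Community Org B, small static block (.0 to .7)
]

# Constructed IIS W3C-style log excerpt for the extranet web application.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem s-port cs-username c-ip sc-status
2009-05-01 09:12:01 10.0.0.5 GET /sites/committee/default.aspx 443 EXT\\alice 203.0.113.10 200
2009-05-01 09:13:44 10.0.0.5 GET /sites/committee/Shared%20Documents 443 EXT\\bob 198.51.100.3 200
2009-05-01 09:15:09 10.0.0.5 GET /_layouts/login.aspx 443 - 192.0.2.77 401
2009-05-01 09:15:10 10.0.0.5 POST /_layouts/login.aspx 443 - 192.0.2.77 401
2009-05-01 09:20:30 10.0.0.5 GET /sites/committee/default.aspx 443 EXT\\alice 198.51.100.9 200
"""


def build_allowlist(entries):
    """Parse single addresses and CIDR blocks into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_allowed(client_ip, networks):
    """True if client_ip falls inside any allowlisted network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def parse_w3c(log_text):
    """Yield one dict per log record, keyed by the #Fields header names."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other directives (#Software, #Date, ...) and blanks
        if fields is None:
            raise ValueError("log record before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record; skip rather than misattribute columns
        yield dict(zip(fields, values))


def audit(log_text, allowlist_entries):
    """Return the log records whose client IP is outside the allowlist."""
    networks = build_allowlist(allowlist_entries)
    return [
        rec for rec in parse_w3c(log_text)
        if not is_allowed(rec["c-ip"], networks)
    ]


if __name__ == "__main__":
    # Any output here means traffic reached the site from a non-partner
    # address, so the allowlist at the perimeter is not doing its job.
    for rec in audit(SAMPLE_LOG, PARTNER_ALLOWLIST):
        print(f"{rec['date']} {rec['time']} unexpected source {rec['c-ip']} "
              f"{rec['cs-method']} {rec['cs-uri-stem']} -> {rec['sc-status']}")
```

Run against the constructed log, it flags the two login attempts from 192.0.2.77 and the hit from 198.51.100.9, which sits just outside Org B's /29. Pointing it at the real extranet site's logs after the perimeter rule is in place gives a cheap recurring check that the rule has not been loosened or bypassed.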
You could set up a UAG Server and give them restricted AD accounts and lock down your SharePoint site.
If memory serves, an IAS server on your DMZ would keep you from poking extra holes for authentication.
Your concern is warranted, and if this is the organization's first foray into exposing internal systems to the Internet, they're likely not prepared for the additional complexity...but that strays from how far technical know-how will get you...