- Always keep security patches up to date. Applications to check include the server OS, IIS, SQL Server, FrontPage, Office, and SharePoint Team Services. Notify customers when you get new security bulletins.
- Run the Microsoft Baseline Security Analyzer tool on the server until all patches are complete and other exposures are minimized; then run the IIS Lockdown Tool and URLscan wherever possible.
- Enforce the use of role-based security and strong passwords on everything and everyone who can change anything on the server.
- All content sites are housed on a different hard drive than the OS and other key resources. Different customers' sites are housed in separate, unrelated directory structures. Disaster and recovery procedures should be in place and in practice for every server.
- All sample sites and unused sites (like the IIS admin and the default site) are removed or incapacitated. All unused applications and services are removed or disabled.
- The server is behind a firewall with all ports closed except the ones I use.
- Use host anonymization software like ServerMask from Port80Software. This hides the server's identity, vendor, and version in the host header from malicious hackers.
- Proactively test customers' applications to make sure that there are no obvious security holes. In addition to testing their applications from the browser, I use GreenBlue Inspector for testing Web application vulnerabilities: it lets me view request and response headers, cookies, and form input. It also lets me test for buffer overrun vulnerabilities and SQL injection vulnerabilities, two of the most common security failures in Web applications. (See the Resources box at the end of this article and the Toolbox column in this issue.)
- Always keep a watchful eye on your server's logs.
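As an added example that is not part of the original article: a small Python log review that applies two of the checks above (SQL injection patterns and oversized, buffer-overrun-style query strings) to IIS W3C extended log lines, locating the columns from the log's own #Fields directive. The sample log, the 255-character query threshold and the regular expression are assumptions of this example, not the article's.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of an IIS W3C extended log (not from a real server).
# The last request carries a 600-byte query built in code to stand in for a
# buffer-overrun probe without making the sample unreadable.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 6.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2003-05-01 00:00:01 10.0.0.5 GET /default.htm - 200",
    "2003-05-01 00:00:02 10.0.0.7 GET /login.asp user='+OR+1=1-- 500",
    "2003-05-01 00:00:03 10.0.0.7 GET /login.asp user=bob 200",
    "2003-05-01 00:00:04 10.0.0.9 GET /scripts/x.dll " + "A" * 600 + " 404",
])

# Assumed detection rules: a quote (raw or URL-encoded) followed by a SQL
# comment or keyword, and a query length beyond what the application expects.
SQLI_PATTERN = re.compile(r"('|%27).*?(--|#|\bOR\b|\bUNION\b)", re.IGNORECASE)
MAX_QUERY_LEN = 255


def parse_w3c(log_text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # column names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                         # other directives and blank lines
        else:
            values = line.split()
            if fields and len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records


def flag_suspicious(records: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (client IP, URI stem, reason) for requests that trip a rule."""
    flagged = []
    for r in records:
        query = r.get("cs-uri-query", "-")   # IIS logs "-" for an empty query
        if query != "-" and len(query) > MAX_QUERY_LEN:
            flagged.append((r["c-ip"], r["cs-uri-stem"], "oversized query"))
        elif SQLI_PATTERN.search(query):
            flagged.append((r["c-ip"], r["cs-uri-stem"], "sql injection pattern"))
    return flagged


if __name__ == "__main__":
    for ip, stem, reason in flag_suspicious(parse_w3c(SAMPLE_LOG)):
        print(f"{ip} {stem}: {reason}")
```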
Resources
- Honey Pots and Other System Security Strategies
- The Honeynet Project
- Honeypots Solutions
- snort_inline
- Microsoft Security Support
- General Security Tips
- Network Abuse Clearinghouse
- Building and Configuring More Secure Web Sites
- How IIS Authenticates Browser Clients
- Using Host Headers to Set Up a Multihomed Server: www.winnetmag.com/Article/ArticleID/7176
- How to Build a Web Development Environment: www.winnetmag.com/Article/ArticleID/7403
- Interpreting Your Log Files
- Troubleshoot Kerberos-Related Issues in IIS (Including error codes)
Useful Tools
- Microsoft Baseline Security Analyzer
- IIS Lockdown Tool with URLscan
- Ecyware GreenBlue Inspector
- Web Server Anonymization and Obfuscation and Other Useful Tools