Saturday, January 15, 2005

Hardening Your Web Server

 There are a number of procedures you can typically follow in preparing Web servers to go live on the Internet:
  • Always keep security patches up to date. Applications to check include the server OS, IIS, SQL Server, FrontPage, Office, and SharePoint Team Services. Notify customers when you get new security bulletins.
  • Run the Microsoft Baseline Analyzer tool on the server until all patches are complete and other exposures are minimized; then run the IIS Lockdown Tool and URLscan wherever possible.
  • Enforce the use of role-based security and strong passwords on everything and everyone who can change anything on the server.
  • All content sites are housed on a different hard drive than the OS and other key resources. Different customers' sites are housed in separate unrelated directory structures. Disaster and recovery procedures should be in place and in practice for every server.
  • All sample sites and unused sites (like the IIS admin and the default site) are removed or incapacitated. All unused applications and services are removed or disabled.
  • The server is behind a firewall with all ports closed except the ones I use.
  • Use host anonymization software like ServerMask from Port80Software. This hides the server's identity, vendor, and version in the host header from malicious hackers.
  • Proactively test customers' applications to make sure that there are no obvious security holes. In addition to testing their applications from the browser,
    for testing Web application vulnerabilities: GreenBlue Inspector lets me view request and response headers, cookies, and forms input. It also lets me test for buffer overrun vulnerabilities and SQL injection vulnerabilities, two of the most common security failures in Web applications. (See the Resources box at the end of this article and the Toolbox column in this issue.)
  • Always keep a watchful eye on your server's logs.
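
One way to put the log-watching item into practice, as an added example that is not part of the original post: a small scanner for IIS W3C extended logs that flags requests for removed sample sites, oversized requests, and SQL metacharacters in query strings. The log lines are constructed, and the path prefixes, size limits, and pattern are assumptions to tune for your own server.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-01-15 10:00:01 192.0.2.10 GET /default.aspx - 200
2005-01-15 10:00:07 192.0.2.44 GET /iissamples/default.htm - 404
2005-01-15 10:00:09 192.0.2.44 GET /products.asp id=1'+OR+'1'='1 500
2005-01-15 10:00:12 192.0.2.51 GET /search.asp q=""" + "A" * 3000 + """ 500
2005-01-15 10:00:15 192.0.2.10 GET /products.asp id=42 200
"""

# Assumptions: prefixes of sample/admin sites removed from this server, and
# illustrative size limits and SQL pattern (tune all three to your applications).
REMOVED_PREFIXES = ("/iissamples", "/iisadmin", "/iishelp")
MAX_STEM, MAX_QUERY = 260, 2048
SQLI = re.compile(r"(?:'|--|;)\s*(?:or|and|union|select|drop|exec)\b|\bunion\s+select\b", re.I)

def scan(log_text):
    """Return (line_no, client_ip, reason) for each suspicious request."""
    fields, findings = [], []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column order is declared in the log itself
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue                    # malformed or truncated row
        row = dict(zip(fields, values))
        stem = row.get("cs-uri-stem", "").lower()
        query = row.get("cs-uri-query", "-")
        reasons = []
        if stem.startswith(REMOVED_PREFIXES):
            reasons.append("request for removed sample/admin site")
        if len(stem) > MAX_STEM or len(query) > MAX_QUERY:
            reasons.append("oversized request")
        if query != "-" and SQLI.search(unquote_plus(query)):
            reasons.append("SQL metacharacters in query")
        findings += [(n, row.get("c-ip", "?"), r) for r in reasons]
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

Because the scanner reads the `#Fields:` directive, it keeps working when the logged columns are reordered or extended.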
Resources

 Honey Pots and Other System Security Strategies
  The Honeynet Project
  Honeypots Solutions
  snort_inline
  Microsoft Security Support

 General Security Tips
  Network Abuse Clearinghouse
  Building and Configuring More Secure Web Sites
  How IIS Authenticates Browser Clients

 Using Host Headers to Set Up a Multihomed Server
  www.winnetmag.com/Article/ArticleID/7176

 How to Build a Web Development Environment
  www.winnetmag.com/Article/ArticleID/7403

 Interpreting Your Log Files
  Troubleshoot Kerberos-Related Issues in IIS (Including error codes)

 Useful Tools
  Microsoft Baseline Security Analyzer
  IIS Lockdown Tool with URLscan
  Ecyware GreenBlue Inspector
  Web Server Anonymization and Obfuscation and Other Useful Tools
