How to secure a web server?

You might want to check out this web site:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html
/secmod104.asp

This has a checklist on how to secure your web server.

Hope this helps!

Thank you,

Jackie Jaynes [MSFT]
Microsoft IIS
JackieJa RemoveThis @online.microsoft.com

Please do not send email directly to this alias. This
is our online account name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use. © 2001 Microsoft Corporation. All rights
reserved.
 >> Stay informed about: How to secure a web server? 

"David Freeman" <no-email.DeleteThis@mailingspam.com> wrote in message
news:OjxB6JesEHA.1308@tk2msftngp13.phx.gbl...
 > Hi There!
 >
 > I'm using Windows Server 2003 with IIS6 for my ASP.NET website.
 >
 > What programs do I need on my server to secure my web server 99%? I've got
 > ZoneAlarm on my web server. However, I'm sure I need much more than just a
 > firewall, to prevent attacks such as Denial of Service, hackers, data
 > theft...etc.
 >
 > So I would like to know if you guys can point me out the security programs
 > that a web server must have?
 >
 > And thinking out of the square, should I install hardware firewall? If so,
 > which are the good ones? Please advice!
 >
 > Many thanks in advance!!
 >
 > David
 >

How To Install and Use the IIS Lockdown Wizard
<a style='text-decoration: underline;' href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;325864" target="_blank">http://support.microsoft.com/default.aspx?scid=kb;EN-US;325864</a><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: How to secure a web server? 

"Colin Nash [MVP]" <cnash x@x mvps.org> wrote in message
news:e07%23Y2ksEHA.1272@TK2MSFTNGP12.phx.gbl...
 >
  >>
 >
 > How To Install and Use the IIS Lockdown Wizard
<font color=purple> > <a style='text-decoration: underline;' href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;325864</font" target="_blank">http://support.microsoft.com/default.aspx?scid=kb;EN-US;325864</font</a>>
 >

I'm not clear on whether it works on 6.0... kb is a little murky on that and
I've never actually tried it.

Anyway, more info: <a style='text-decoration: underline;' href="http://support.microsoft.com/kb/814874" target="_blank">http://support.microsoft.com/kb/814874</a><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: How to secure a web server? 

Hi Colin.

The IIS Lockdown tool is not needed on Windows 2003 with IIS6.0 and I am not
sure whether it will even run. URLscan can still be used on IIS6.0 though
IIS6.0 is much hardened by default compared to erlier versions of IIS. The
link below explains more on this. It is getting harder to keep track of all
the various operating systems and applications! --- Steve

<a style='text-decoration: underline;' href="http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/all/deployguide/en-us/iisdg_mei_nsjz.asp" target="_blank">http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/...loyguid</a>

"Colin Nash [MVP]" <cnash x@x mvps.org> wrote in message
news:ubF8M4ksEHA.1220@TK2MSFTNGP10.phx.gbl...
 >
 > "Colin Nash [MVP]" <cnash x@x mvps.org> wrote in message
 > news:e07%23Y2ksEHA.1272@TK2MSFTNGP12.phx.gbl...
  >>
   >>>
  >>
  >> How To Install and Use the IIS Lockdown Wizard
<font color=green>  >> <a style='text-decoration: underline;' href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;325864</font" target="_blank">http://support.microsoft.com/default.aspx?scid=kb;EN-US;325864</font</a>>
  >>
 >
 > I'm not clear on whether it works on 6.0... kb is a little murky on that
 > and I've never actually tried it.
 >
<font color=purple> > Anyway, more info: <a style='text-decoration: underline;' href="http://support.microsoft.com/kb/814874</font" target="_blank">http://support.microsoft.com/kb/814874</font</a>>
 ><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: How to secure a web server? 

Whilst some have made recommendations with regard to software you can use
(ISA Server, URLScan), you need to remember that security is not "a product"
you install, but a process.

Security involves evaluating threats, and working out what the consequences
are to you and what the likelihood of them occuring is, and whether it makes
sense to take the time and money to stop/mitigate the threat. Security is
often described as "a journey not a destination - there is no such thing as
the perfectly secure system".

For information on best practise security options, check the Windows 2003
and IIS security centres here:
<a style='text-decoration: underline;' href="http://www.microsoft.com/technet/security/default.mspx" target="_blank">http://www.microsoft.com/technet/security/default.mspx</a>

But remember, installing a firewall doesn't help you if you don't patch you
server and someone discovers a buffer overflow in IIS. A firewall doesn't
help if you have a weak password, and you allow terminal services through
your firewall. Firewall doesn't help if someone comes and steals your box
(etc, etc, etc). There is a lot more to "security" than just installing some
software.

Cheers
Ken


"David Freeman" <no-email.DeleteThis@mailingspam.com> wrote in message
news:OjxB6JesEHA.1308@tk2msftngp13.phx.gbl...
 > Hi There!
 >
 > I'm using Windows Server 2003 with IIS6 for my ASP.NET website.
 >
 > What programs do I need on my server to secure my web server 99%? I've got
 > ZoneAlarm on my web server. However, I'm sure I need much more than just a
 > firewall, to prevent attacks such as Denial of Service, hackers, data
 > theft...etc.
 >
 > So I would like to know if you guys can point me out the security programs
 > that a web server must have?
 >
 > And thinking out of the square, should I install hardware firewall? If so,
 > which are the good ones? Please advice!
 >
 > Many thanks in advance!!
 >
 > David
 ><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: How to secure a web server? 

All prior comment in stride, and not intending to discount,
may I add two ideas/opinions:
1. ditch the ZA, use the W2k3 provided or IPsec as a filter
if you feel you need another layer after your hw firewall
or your proxy. Besides, in my experience on dev IIS client
machine, ZA post 5.x kills convenient use of http
2. look at the best practices for Asp.Net - its design/authoring
and its admin. Your biggest threat is a bad Asp.Net app.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"David Freeman" <no-email.TakeThisOut@mailingspam.com> wrote in message
news:OjxB6JesEHA.1308@tk2msftngp13.phx.gbl...
 > Hi There!
 >
 > I'm using Windows Server 2003 with IIS6 for my ASP.NET website.
 >
 > What programs do I need on my server to secure my web server 99%? I've got
 > ZoneAlarm on my web server. However, I'm sure I need much more than just a
 > firewall, to prevent attacks such as Denial of Service, hackers, data
 > theft...etc.
 >
 > So I would like to know if you guys can point me out the security programs
 > that a web server must have?
 >
 > And thinking out of the square, should I install hardware firewall? If so,
 > which are the good ones? Please advice!
 >
 > Many thanks in advance!!
 >
 > David
 >
 ><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: How to secure a web server? 

i would really recommend reading the "Improving Web Application
Security-Threats and Countermeasures" beast practices guide from Microsoft

"David Freeman" wrote:

 > Hi There!
 >
 > I'm using Windows Server 2003 with IIS6 for my ASP.NET website.
 >
 > What programs do I need on my server to secure my web server 99%? I've got
 > ZoneAlarm on my web server. However, I'm sure I need much more than just a
 > firewall, to prevent attacks such as Denial of Service, hackers, data
 > theft...etc.
 >
 > So I would like to know if you guys can point me out the security programs
 > that a web server must have?
 >
 > And thinking out of the square, should I install hardware firewall? If so,
 > which are the good ones? Please advice!
 >
 > Many thanks in advance!!
 >
 > David
 >
 >
 ><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: How to secure a web server?