
Protecting the Webserver

ysivaram asked
We are running a Windows 2000 IIS 5 Webserver. Our apps are designed using ASP/SQL Server 2000. The server is directly connected to Internet. (No firewalls)

Could anyone recommend some better software, such as firewalls or locks, to protect our web server from any potential hackers?

This all depends greatly on how much protection you need and how much money you have.

The first thing I'd say is to make sure you have all patches installed and that you've configured the machine as per the MS Knowledgebase article on configuring IIS servers (http://www.microsoft.com/technet/security/tools/iis5chk.asp).

Next, consider getting eEye SecureIIS (www.eeye.com). This product is pretty inexpensive (a few hundred $'s) and protects against buffer overflows, malformed URL attacks, Unicode attacks, and a few other nasties. If you have a bit more money, you might instead consider Sanctum AppShield (www.saanctuminc.com), which also protects against application level attacks (cookie modification, URL modification, hidden field modification, etc).

For firewalls consider...
    - OpenBSD with IPfilter
    - Linux with IPtables
    - Netscreen
    - CheckPoint Firewall-1
    - Cisco PIX

Well, first of all I think You need a firewall. The choice between a hardware or a software one depends on how much money You want to invest; these days anyway You can find lots of Linux based "blackbox" firewalls which could be the solution of choice (they're not so expensive).

The next thing You need is to lock down Your IIS server using some tools Microsoft released lately; the tools are IISLockDown and UrlScan, take a look at them at these URLs:

Be SURE to READ the accompanying documents BEFORE installing these tools, but install them since they can protect Your IIS really well.

As a last security measure I suggest You install some kind of AntiVirus software and schedule it to update itself once a day. I found myself ok with the Trend products, but You could use any other You like; this last measure is to avoid having infected files around on Your server's disk.

Let me know if You need more details.
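To make concrete what the UrlScan lockdown mentioned above actually enforces, here is an added example of a UrlScan.ini for an IIS 5 box that only serves ASP pages. It is not the poster's configuration and not Microsoft's shipped template; the key names follow UrlScan 2.x, and you should check the section and key names against the documentation of the version you install, since defaults and supported keys changed between releases.

```ini
; UrlScan.ini - constructed example for an ASP-only IIS 5 server
[Options]
UseAllowVerbs=1            ; only verbs in [AllowVerbs] are accepted
UseAllowExtensions=0       ; everything is allowed except [DenyExtensions]
NormalizeUrlBeforeScan=1   ; decode the URL before applying the rules
VerifyNormalization=1      ; reject URLs that decode to a different URL (double encoding)
AllowHighBitCharacters=0   ; reject non-ASCII bytes in the URL (Unicode tricks)
AllowDotInPath=0           ; reject "." in directory names (path tricks)
RemoveServerHeader=1       ; do not advertise "Server: Microsoft-IIS/5.0"
EnableLogging=1
PerDayLogging=1

[AllowVerbs]
GET
HEAD
POST

[DenyHeaders]
; WebDAV request headers; this server does not use WebDAV
Translate:
If:
Lock-Token:

[DenyExtensions]
; sample/ISAPI mappings an ASP application does not need
.exe
.bat
.cmd
.com
.htw
.ida
.idq
.htr
.idc
.shtm
.shtml
.stm
.printer
.ini
.log
.pol
.dat

[DenyUrlSequences]
..      ; directory traversal
./
\
:       ; alternate data streams
%       ; escaping left after normalization
&
```

Rejected requests show up in the UrlScan log (by default under the UrlScan install directory), so after installing it, watch that log for a day or two to catch legitimate application URLs that the [DenyExtensions] or [DenyUrlSequences] lists block before tightening further.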


Proxy the server out.
Get it behind a H/W firewall.
Do not 'share' the IIS S/W with any other service - the SQL should also be elsewhere.

Check out the topic DMZ on the Microsoft web - see what it is you can afford to do.

If you/the company do not know, then contract it out (there is a learning curve to maintaining these things, even if you can afford them) - better safe than sorry.

Move your desktops away from the server (subnet).
Linux costs a few hundred by the time you get the CD, a hand-me-down old computer, and some time to install/configure. It is also one of the most popular firewalls.

Consider switching to Apache - join the majority. Switch out IIS. You can also switch in MySQL. I think it and Apache are both available for NT, and free, and that would allow for an OS switch later, that is not to XP.


About an HW and linux based firewall, take a look here:


Alternatively You could use a proxy, but this will cost You bucks for the Proxy SW (say e.g. ISA) and for the PC used to run it; that's why I suggest taking an HW firewall.

When You sum the costs You'll see it's cheaper.

As a last note:

A firewall doesn't guarantee You absolute security: if You don't patch Your server (see my prev comment) and if You use a weak security policy the firewall itself can't protect You, since someone could break through one of the exposed ports (say HTTP - 80) and bypass the FW.

The firewall is there simply to reduce the exposure of unwanted services to the internet and to allow You to expose services on a "local" basis onto a DMZ; for example You could have a SQL Server machine in the DMZ which is reachable by Your web server (DMZ) but not visible from the


Use your router as a firewall: put some access lists on it with restricted access, and configure those access lists so that they make your internal network secure against DoS/DDoS and other malfunctions. This will be the low cost solution right now. The other thing is you can put in a Linux server with IPCHAINS (firewall), which will again give you two layers of security for your servers.

Any questions let me know.

