clkm84 (United States of America)
asked on

Web Server Security

Hello experts,

I am looking for assistance dealing with hacking web servers. I administer a web server and our on-site security expert showed me a list of items he was able to gain access to on my server. However, he would not tell me what tool he used to hack into my server.

My concern is this: if he can hack into the server, so can anyone else. Is there a list of do's and don'ts for web server security?

I am running a Domino server configuration with Sametime running on top of it. I am also fairly new at web servers and am learning that there is more to securing databases than ACLs. If anyone can assist with specific information or publications (i.e. ebooks preferred!) I am willing to consider upping the point value.

Thanks in advance.
ASKER CERTIFIED SOLUTION
Scorp888
(solution text available to members only)
clkm84 (ASKER)

Thank you - after posting this I discovered more options available on the Domino server side and implemented more security in that respect.

Thank you for the web link to the Nessus site. The tasks running on the server have already been tightened (running Windows Server 2003 OS).

I appreciate your guidance and quick response. As for best practices, there is a ton of information for Domino server and, due to its abilities, there is a lot of information to sift through. Sametime info will refer you back to the Domino best practices since Sametime is running on top of Domino.
ecrit

First off, if your security expert will not tell you what tools he used, I would consider another expert.
Second, GFI LANguard, Nessus or N-Stalker are all good programs.
SOLUTION
(solution text available to members only)
SOLUTION
(solution text available to members only)
> ..  your web applications (any software actually) is up to date with the current stable releases and patches.
No, this is not what I meant. It's a precondition for anything else.
I meant that each application (written in ASP, JSP, Perl, PHP, whatever) has to do proper sanity checks!

Also keep in mind that "application scanners" are totally different to "network/port scanners". There are some products which use both worlds, like nessus, but for a secure web server you should insist on specialized application scanners (ports 80, 443 only).
clkm84 (ASKER)

Thank you all for your responses... I now have some guidelines to assist me with security policies on my web server.

Currently, my application is internal only (i.e. intranet); my concern is that I've recently been told it may be going external (internet) to allow access by other users.

I've decided to up the points to 300 and split them between the 3 of you.

Thanks again for the assistance.
clkm84 (ASKER)

This is to increase the points - now I have to figure out how to split them. Sorry to be a pain; this is my first time awarding points and trying to split them up.