Web Server Security

Posted on 2005-04-16
Last Modified: 2013-12-07
I’m a web application developer at a small company. My company is going to host our own web application in the coming months (which we’ve never done before), and we are concerned about the security issues that might arise when we have our own website up and running. We do have a network administrator; since his previous title was CEO, he has little knowledge of networking. (No offense to CEOs, but he outsources basic tasks like setting up a VPN, configuring the firewall, and installing Exchange Server to an outside helper for $75/hr -- on the company’s bill.)

So, instead of relying on our network admin, I have to start learning about network security. Here’s some basic info:

What we currently have:
1. T1 line -> router -> PIX firewall -> 1 PDC, 6 servers, 50 user desktops
2. No segmentation or DMZ to separate the web server from the current network.
3. The web server is a Windows 2003 Server w/ IIS 6 and SQL Server 2000
4. Since we’re a small company, price does matter. We are talking about a budget around $2,500.
5. No skillful network person who can implement anything that is complicated or difficult.

What we have done to protect web server:
1. Secured the web application to prevent SQL injection and XSS attacks
2. Encrypted passwords and cookies
3. Ran Microsoft Baseline Security Analyzer and fixed all critical problems.
4. Installed the latest security updates and service packs for Windows Server and SQL Server.

I would like to get suggestions on the following issues for the web server:
1. Sources to find basic network solutions: books, websites, etc.
2. Simple ways to separate web server from the rest of the network
3. Intrusion detection and prevention
4. Antivirus
5. Any other security issues that I’m not aware of

Question by:megkhp
    LVL 12

    Accepted Solution

    I have to appreciate the efforts you are putting in to secure the server...Keep it up...Okay, my opinions go here..

    1. Consider setting up a segment, which is obviously the DMZ network..then set up your web server in the DMZ and then make sure your SQL server sits in your internal network..So you can allow only the traffic between web server <----> SQL....
    This can be done without a fortune as you already have a PIX in place....
    2. A good source will be CIS (You can get tons of information here about Information Security..Another recommendation is you can start with Microsoft security as well...
    3. Intrusion detection & Prevention..Although CISCO has got a very good class of IDS/IPS suite, considering the limitations I can suggest using the open source product SNORT. Very easy to set up and very effective...
    4. AV..You can go for Trend Micro AV...(My personal opinion goes against Norton because of the resources it consumes.) Another option can be "Fortinet" products..They claim they can do everything in a box..I don't have hands-on experience but a few of my friends are using it and they support it..
    5. Mostly I can recommend being up to date with the latest trends..Just do a Google search and you can get all the stuff you want..or you can subscribe to the mailing list of SANS or Insecure, which will keep you updated on the latest trends and threats..
    LVL 10

    Expert Comment

    I agree with srikrishnak's points.... especially point number 5, that security is not a one-off task, but needs to be watched on an ongoing basis.

    One thing worth thinking about is whether you want to switch the web server to Apache. I'm not saying that IIS is particularly insecure, but it has many features that are quite heavily integrated into Windows (which is of course an advantage if you need them), and if a new Windows vulnerability comes out it might be exploitable through your web server. Over the last three years, I have seen many more vulnerabilities on IIS than on Apache.

    Again, I'm not saying you're a fool for using IIS on the internet... there are many around that do so, and depending on what your web application is like you may not have a choice at all; it's just a point worth thinking about.
    LVL 25

    Assisted Solution

    by:Ron M
    Your PIX already has a DMZ's as simple as slapping in another NIC card if you don't already have one....
    Your other option to separate it from your network is using a will need a managed switch though and a bit of technical savvy....

    IIS is not the most secure web server...that is certain....but if you monitor your web server daily and have all the necessary updates and security patches, you should be fine.  90% of keeping your web server secure is using your PIX to discard ping requests......Out of sight, out of mind...If a hacker can't ping it...they usually don't know it's there.

    Consult best practices using IIS:
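The two firewall points made in this thread (srikrishnak's accepted solution: web server in a DMZ with only the web server <----> SQL flow allowed into the internal network, and Ron M's point about having the PIX discard ping requests) can be written down as a rule set and checked against the flows the design must and must not allow. The script below is an added example, not code from any poster and not PIX syntax; it models first-match rules with an implicit deny the way a PIX access list behaves, and all addresses, the probe flows and the rule sets are constructed for illustration. It contrasts the flat network the question describes with the segmented design and reports every probe whose verdict deviates from the intent.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed, hypothetical addressing for the layout proposed in the thread:
# web server in a DMZ segment, SQL Server 2000 on the internal network.
WEB_SERVER = "192.0.2.10"
SQL_SERVER = "10.0.0.20"
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    dport: Optional[int] = None      # destination port for tcp/udp
    icmp_type: Optional[int] = None  # 8 = echo request ("ping")


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: str                         # host address or CIDR
    dst: str
    proto: str                       # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None      # None matches any port
    icmp_type: Optional[int] = None  # None matches any ICMP type

    def matches(self, f: Flow) -> bool:
        if ip_address(f.src) not in ip_network(self.src, strict=False):
            return False
        if ip_address(f.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.proto != "any" and self.proto != f.proto:
            return False
        if self.dport is not None and self.dport != f.dport:
            return False
        if self.icmp_type is not None and self.icmp_type != f.icmp_type:
            return False
        return True


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; anything unmatched is denied (implicit deny)."""
    for r in rules:
        if r.matches(flow):
            return r.action
    return "deny"


# The intended policy: public HTTP/HTTPS to the web server, the single
# web -> SQL flow (TCP 1433) into the internal network, nothing else.
# No ICMP rule exists, so echo requests fall through to the implicit deny.
SEGMENTED_RULES = [
    Rule("permit", ANY, WEB_SERVER, "tcp", 80),
    Rule("permit", ANY, WEB_SERVER, "tcp", 443),
    Rule("permit", WEB_SERVER, SQL_SERVER, "tcp", 1433),
]

# The current state described in the question: no DMZ, everything reachable.
FLAT_RULES = [Rule("permit", ANY, ANY, "any")]

# Probe flows with the verdict the design requires (hosts are constructed).
EXPECTATIONS: List[Tuple[Flow, str]] = [
    (Flow("198.51.100.7", WEB_SERVER, "tcp", 443), "permit"),
    (Flow(WEB_SERVER, SQL_SERVER, "tcp", 1433), "permit"),
    # a compromised web server must not reach anything else inside
    (Flow(WEB_SERVER, "10.0.0.5", "tcp", 445), "deny"),
    (Flow(WEB_SERVER, SQL_SERVER, "tcp", 3389), "deny"),
    # the internet must never reach the internal segment or SQL directly
    (Flow("198.51.100.7", SQL_SERVER, "tcp", 1433), "deny"),
    (Flow("198.51.100.7", "10.0.0.5", "tcp", 445), "deny"),
    # ICMP echo from outside is discarded at the firewall
    (Flow("198.51.100.7", WEB_SERVER, "icmp", icmp_type=8), "deny"),
]


def audit(rules: List[Rule]) -> List[str]:
    """Return one line per probe whose verdict differs from the design intent."""
    problems = []
    for flow, expected in EXPECTATIONS:
        got = evaluate(rules, flow)
        if got != expected:
            service = flow.dport if flow.dport is not None else flow.icmp_type
            problems.append(f"{flow.src} -> {flow.dst} {flow.proto}/{service}: "
                            f"expected {expected}, got {got}")
    return problems


if __name__ == "__main__":
    print("segmented design:", audit(SEGMENTED_RULES) or "all probes as intended")
    for line in audit(FLAT_RULES):
        print("flat network:", line)
```

Run as-is, the segmented rule set passes every probe while the flat rule set reports five violations, one for each flow that should have been denied. The useful habit this shows is keeping the list of "must be denied" flows next to the rule set and re-running the check whenever a rule is added; the probe for a compromised web server reaching another internal host is the one that most often regresses when someone later opens a "temporary" rule.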
    LVL 1

    Author Comment

    I agree with Neteducation and Xuserx200 that IIS is definitely more vulnerable than Apache; unfortunately our web applications were written in ASP.NET, which makes it complicated to host them on an Apache web server, and it also requires a learning curve for our support staff.

    Srikrishnak, thanks for the sources and suggestions, I'll look at the options.

    I was doing some googling on IDS/IPS and found that there's this free version of StillSecure Border Guard available for download at:

    "Border Guard Free is a feature-rich intrusion detection/prevention system (IDS/IPS) based on the award-winning SNORT™ IDS engine. Beyond SNORT functionality, Border Guard Free offers:

    -An award winning easy-to-use interface
    -Ability to prioritize and view attacks based upon severity
    -True intrusion prevention capabilities, with the ability to drop individual attack packets upon detection
    -A GUI-driven installation and configuration process"

    Has anyone tried this free version before?
