Web Server Security
Posted on 2005-04-16
I’m a web application developer at a small company. My company is going to host our own web application in the coming months (which we’ve never done before), and we are concerned about the security issues that might arise when we have our own website up and running. We do have a network administrator, but since his previous title was CEO he has little knowledge of networking. (No offense to CEOs, but he outsources basic tasks like setting up a VPN, configuring the firewall, and installing an Exchange server to an outside helper at $75/hr, on the company’s bill.)
So, instead of relying on our network admin, I have to start learning about network security. Here’s some basic info:
What we currently have:
1. T1 line -> router -> pix firewall -> 1 PDC, 6 servers, 50 user desktops
2. No segmentation or DMZ to separate the web server from the current network.
3. The web server is a Windows 2003 Server w/ IIS 6 and SQL Server 2000
1. Since we’re a small company, price does matter. We are talking about a budget around $2,500.
2. No skillful network person who can implement anything that is complicated or difficult.
What we have done to protect web server:
1. Secured the web application to prevent SQL injection and XSS attacks
2. Encrypted passwords and cookies
3. Run Microsoft Baseline Security Analyzer and fixed all critical problems.
4. Installed the latest security updates and service packs for Windows Server and SQL Server.
I would like to get suggestions on the following issues for the web server:
1. Sources to find basic network solutions: books, websites, etc.
2. Simple ways to separate web server from the rest of the network
3. Intrusion detection and prevention
4. Any other security issues that I’m not aware of