Web Server Security

Posted on 2005-04-16
Medium Priority
Last Modified: 2013-12-07
I’m a web application developer at a small company. My company is going to host our own web application in the coming months (which we’ve never done before), and we are concerned about the security issues that might arise when we have our own website up and running. We do have a network administrator; since his previous title was CEO, he has little knowledge of networking. (No offense to CEOs, but he outsources basic tasks like setting up a VPN, configuring the firewall, and installing Exchange Server to an outside helper for $75/hr, on the company’s bill.)

So, instead of relying on our network admin, I have to start learning about network security. Here’s some basic info:

What we currently have:
1. T1 line -> router -> PIX firewall -> 1 PDC, 6 servers, 50 user desktops
2. No segmentation or DMZ to separate the web server from the current network.
3. The web server is a Windows 2003 Server w/ IIS 6 and SQL Server 2000
4. Since we’re a small company, price does matter. We are talking about a budget of around $2,500.
5. No skilled network person who can implement anything that is complicated or difficult.

What we have done to protect web server:
1. Secured the web application to prevent SQL injection and XSS attacks
2. Encrypted passwords and cookies
3. Ran Microsoft Baseline Security Analyzer and fixed all critical problems.
4. Installed the latest security updates and service packs for Windows Server and SQL Server.

I would like to get suggestions on the following issues for the web server:
1. Sources to find basic network solutions: books, websites, etc.
2. Simple ways to separate web server from the rest of the network
3. Intrusion detection and prevention
4. Antivirus
5. Any other security issues that I’m not aware of

Question by:megkhp
LVL 12

Accepted Solution

srikrishnak earned 1800 total points
ID: 13800143
I have to appreciate the effort you are putting into securing the server. Keep it up. OK, here are my opinions:

1. Consider setting up a segment, which is obviously the DMZ network. Then set up your web server in the DMZ and make sure your SQL server sits in your internal network, so you can allow only the traffic between web server <----> SQL.
This can be done without spending a fortune, as you already have a PIX in place.
2. A good source will be CIS (http://www.cisecurity.org/). You can get tons of information about information security here. Another recommendation is www.cert.org. You can start with Microsoft security as well.
3. Intrusion detection & prevention: although Cisco has a very good class of IDS/IPS suite, considering the limitations I can suggest using the open source product Snort (www.snort.org). Very easy to set up and very effective.
4. AV: you can go for Trend Micro AV. (My personal opinion goes against Norton because of the resources it consumes.) Another option can be "Fortinet" products. They claim they can do everything in a box. I don't have hands-on experience, but a few of my friends are using it and they support it.
5. Mostly I can recommend staying up to date with the latest trends. Just do a Google search and you can get all the stuff you want, or you can subscribe to the mailing list of SANS or Insecure, which will keep you updated on the latest trends and threats.
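The DMZ layout described in point 1, written out as PIX 6.x configuration. This is an added example, not a config posted in the thread or taken from any of the participants: it assumes a PIX with a third interface (ethernet2) to use for the DMZ, a web server at 192.168.2.10 published as 203.0.113.10, an internal network of 192.168.1.0/24 with SQL Server at 192.168.1.10, and access-list names outside_in and dmz_in, all of which are made up for illustration. Comment lines starting with "!" are annotation only, not configuration.

```cisco
! Third interface becomes the DMZ; security level sits between outside (0) and inside (100)
nameif ethernet2 dmz security50
ip address dmz 192.168.2.1 255.255.255.0

! Publish the web server on one public address and let the Internet reach only HTTP and HTTPS on it
static (dmz,outside) 203.0.113.10 192.168.2.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-list outside_in deny ip any any
access-group outside_in in interface outside

! Inside hosts keep their own addresses when seen from the DMZ (identity translation, no NAT)
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! From the DMZ, the web server may reach only SQL Server on TCP 1433; nothing else on the inside
access-list dmz_in permit tcp host 192.168.2.10 host 192.168.1.10 eq 1433
access-list dmz_in deny ip any 192.168.1.0 255.255.255.0
! Outbound HTTP/HTTPS from the web server so it can still fetch Windows and SQL Server updates
access-list dmz_in permit tcp host 192.168.2.10 any eq www
access-list dmz_in permit tcp host 192.168.2.10 any eq https
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz
```

The order of the dmz_in entries matters: the deny for 192.168.1.0/24 comes before the outbound permits, so "any" in those permits can never match an internal address. With this in place the application's connection string points at 192.168.1.10 port 1433, and SQL Server 2000 should listen on that fixed port (the default instance does; a named instance picks a dynamic port unless configured otherwise). If the web server needs DNS, add a matching permit for UDP 53 to the resolver it uses rather than widening the rule.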
LVL 10

Expert Comment

ID: 13800298
I agree with srikrishnak's points, especially point number 5: security is not a one-off task but needs to be watched on an ongoing basis.

One thing worth thinking about is whether you want to switch the web server to Apache. I'm not saying that IIS is particularly insecure, but it has many features that are quite heavily integrated into Windows (which is of course an advantage if you need them), and if a new Windows vulnerability comes out it might be exploitable through your web server. Over the last three years, I have seen many more vulnerabilities in IIS than in Apache.

Again, I'm not saying you're a fool for using IIS on the Internet; there are many around that do so, and depending on what your web application is like you may not have a choice at all. It's just a point worth thinking about.
LVL 25

Assisted Solution

by:Ron Malmstead
Ron Malmstead earned 200 total points
ID: 13803777
Your PIX already has a DMZ option; it's as simple as slapping in another NIC if you don't already have one.
Your other option to separate it from your network is using a VLAN; you will need a managed switch, though, and a bit of technical savvy.

IIS is not the most secure web server, that is certain, but if you monitor your web server daily and have all the necessary updates and security settings, you should be fine. 90% of keeping your web server secure is using your PIX to discard ping requests. Out of sight, out of mind: if a hacker can't ping it, they usually don't know it's there.

Consult best practices using IIS: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/openhack.asp

Author Comment

ID: 13809772
I agree with Neteducation and Xuserx200 that IIS is definitely more vulnerable than Apache; unfortunately our web applications were written in ASP.NET, which makes it complicated to host them on an Apache web server and also requires some learning curve for our support staff.

Srikrishnak, thanks for the sources and suggestions, I'll look at the options.

I was doing some Googling on IDS/IPS and found that there's a free version of StillSecure Border Guard available for download at https://www.stillsecure.org:

"Border Guard Free is a feature-rich intrusion detection/prevention system (IDS/IPS) based on the award-winning SNORT™ IDS engine. Beyond SNORT functionality, Border Guard Free offers:

-An award winning easy-to-use interface
-Ability to prioritize and view attacks based upon severity
-True intrusion prevention capabilities, with the ability to drop individual attack packets upon detection
-A GUI-driven installation and configuration process"

Has anyone tried this free version before?
