securing Windows 2003 web server

I have a windows 2003 server and i am about to host a website on that server. this is a dedicated server and i would like to make sure i am safe and secured. What are the main things i should concentrate on...?
Like
1) Firewall
2)Antivirus
3)web application security tester etc. (like to know how this works)

Please provide me with the links of the good products FREE/paid,

I really welcome any expert advice on this.
LVL 12
str_kaniAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

TheCleanerCommented:
With Windows 2003, I would load SP1, get the server where you want it (IIS installed, website installed, etc.) then run the SCW (security configuration wizard) which you'll have to install from add/remove programs, Windows components.

This will "lock down" the server to only the essentials that you specify during the wizard (be careful and know what you are picking).  This greatly minimizes the "footprint" of the server and any exploits that could happen.

Firewall - only publish the ports necessary for your website to function

Antivirus - a simple on-access scanner should be sufficient

Web Application tester - Imperva is the leader in this one www.imperva.com


My advice is to also post here the "technologies" your website will use, like ASP, java, flash, SQL database backend, PHP, etc. and then experts can tell you other things to look for on those technologies.
0
str_kaniAuthor Commented:
thanks cleaner! :) can you please direct me to a on access scanner page? (a URL)

My site user PHP, MySQL and Flash.
0
TheCleanerCommented:
http://validator.w3.org/ - that will validate your code to standards

http://www.acunetix.com/ - web app vulnerability tester  (most of these aren't free anymore anywhere)

PHP - http://seclists.org/lists/fulldisclosure/2005/Jan/0552.html

MySQL - http://www.appsecinc.com/products/appdetective/mysql/  (also the Acunetix one above will scan for SQL injection vulnerabilities etc)
0
str_kaniAuthor Commented:
Is there any simple and still free security scanners?
0
TheCleanerCommented:
Yes...

You can use Nmap found here:  http://www.insecure.org/

I also recommend Qualys' site:  http://www.qualys.com/

click on Free Tools on the right and you'll get to scan for the Top 20 SANS, etc.  You'll need to use a legitimate email address though, since the SCAN url is sent to you.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.