How to secure a web server?

Discussion in 'Server Security' started by David Freeman, Oct 14, 2004.

  1. Hi There!

    I'm using Windows Server 2003 with IIS6 for my ASP.NET website.

    What programs do I need on my server to secure my web server 99%? I've got
    ZoneAlarm on my web server. However, I'm sure I need much more than just a
    firewall, to prevent attacks such as Denial of Service, hackers, data

    So I would like to know if you guys can point me out the security programs
    that a web server must have?

    And thinking out of the square, should I install a hardware firewall? If so,
    which are the good ones? Please advise!

    Many thanks in advance!!

    David Freeman, Oct 14, 2004
  2. If you are serious about securing the web server, you should consider a
    professional firewall/proxy combination, such as ISA Server. If you want to
    find out more about ISA, check here:
    Arek Iskra [MVP], Oct 14, 2004
  3. How To Install and Use the IIS Lockdown Wizard (Microsoft KB 325864)
    Colin Nash [MVP], Oct 15, 2004
  4. Colin Nash [MVP], Oct 15, 2004
  5. Hi Colin.

    The IIS Lockdown tool is not needed on Windows 2003 with IIS 6.0 and I am not
    sure whether it will even run. URLScan can still be used on IIS 6.0, though
    IIS 6.0 is much more hardened by default than earlier versions of IIS. The
    link below explains more on this. It is getting harder to keep track of all
    the various operating systems and applications! --- Steve
    Steven L Umbach, Oct 15, 2004
  6. Whilst some have made recommendations with regard to software you can use
    (ISA Server, URLScan), you need to remember that security is not "a product"
    you install, but a process.

    Security involves evaluating threats, and working out what the consequences
    are to you and what the likelihood of them occurring is, and whether it makes
    sense to take the time and money to stop/mitigate the threat. Security is
    often described as "a journey, not a destination; there is no such thing as
    the perfectly secure system".

    For information on best-practice security options, check the Windows 2003
    and IIS security centres here:

    But remember, installing a firewall doesn't help you if you don't patch your
    server and someone discovers a buffer overflow in IIS. A firewall doesn't
    help if you have a weak password and you allow Terminal Services through
    your firewall. A firewall doesn't help if someone comes and steals your box
    (etc, etc, etc). There is a lot more to "security" than just installing some

    Ken Schaefer, Oct 15, 2004
  7. All prior comment in stride, and not intending to discount,
    may I add two ideas/opinions:
    1. ditch the ZA, use the W2k3-provided one or IPsec as a filter
    if you feel you need another layer after your hw firewall
    or your proxy. Besides, in my experience on a dev IIS client
    machine, ZA post 5.x kills convenient use of http
    2. look at the best practices for Asp.Net - its design/authoring
    and its admin. Your biggest threat is a bad Asp.Net app.
    Roger Abell, Oct 16, 2004
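    The IPsec packet filter Roger suggests in point 1, written out as an added
    example (it is not code from the thread or from any of the posters). It also
    covers Ken's warning about Terminal Services being reachable through the
    firewall, by permitting RDP only from one management subnet. It uses the
    `netsh ipsec static` context that ships with Windows Server 2003; the policy
    and filter-list names, the 10.0.5.0/24 admin subnet and the 10.0.5.10 DNS
    server are assumptions for illustration.

```batch
@echo off
rem Added example, not from the thread: a Windows Server 2003 IPsec filter
rem policy that permits only HTTP/HTTPS from anywhere and RDP from one
rem management subnet, and blocks every other inbound packet to this host.
rem Run it from the server console, not over Terminal Services, so a typo
rem cannot lock you out. Policy name, admin subnet and DNS server are assumed.

set POLICY=WebServerInbound
set ADMINNET=10.0.5.0
set ADMINMASK=255.255.255.0
set DNSSERVER=10.0.5.10

rem Two filter actions: one that passes traffic, one that drops it.
netsh ipsec static add filteraction name="WS-Permit" action=permit
netsh ipsec static add filteraction name="WS-Block"  action=block

rem Filter list 1: web traffic from any host to this machine (dstaddr=me).
rem mirrored=yes also matches the server's replies (me -> client, srcport 80).
netsh ipsec static add filterlist name="WS-Web"
netsh ipsec static add filter filterlist="WS-Web" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=80  mirrored=yes
netsh ipsec static add filter filterlist="WS-Web" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=443 mirrored=yes

rem Filter list 2: Terminal Services (TCP 3389) only from the admin subnet.
rem This is the "RDP open to the world plus a weak password" case closed off.
netsh ipsec static add filterlist name="WS-Admin"
netsh ipsec static add filter filterlist="WS-Admin" srcaddr=%ADMINNET% srcmask=%ADMINMASK% dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes

rem Filter list 3: connections this server opens itself. IPsec filtering is
rem stateless, so replies to the server's own outbound requests would hit the
rem catch-all block unless a mirrored permit exists for them. DNS is shown;
rem add the same for a back-end SQL server or Windows Update if needed.
netsh ipsec static add filterlist name="WS-Outbound"
netsh ipsec static add filter filterlist="WS-Outbound" srcaddr=me dstaddr=%DNSSERVER% protocol=UDP srcport=0 dstport=53 mirrored=yes

rem Filter list 4: everything else addressed to this machine.
netsh ipsec static add filterlist name="WS-All"
netsh ipsec static add filter filterlist="WS-All" srcaddr=any dstaddr=me protocol=ANY mirrored=yes

rem Policy and rules. Windows IPsec applies the most specific matching filter
rem (specific address beats any, specific port beats any port), so the
rem port-specific permits win over the catch-all block regardless of order.
netsh ipsec static add policy name="%POLICY%" description="Inbound filter for IIS6 web server" assign=no
netsh ipsec static add rule name="Allow-Web"      policy="%POLICY%" filterlist="WS-Web"      filteraction="WS-Permit"
netsh ipsec static add rule name="Allow-Admin"    policy="%POLICY%" filterlist="WS-Admin"    filteraction="WS-Permit"
netsh ipsec static add rule name="Allow-Outbound" policy="%POLICY%" filterlist="WS-Outbound" filteraction="WS-Permit"
netsh ipsec static add rule name="Block-Rest"     policy="%POLICY%" filterlist="WS-All"      filteraction="WS-Block"

rem Assign (activate) the policy, then print what is in force so it can be
rem checked against the intent before you walk away from the console.
netsh ipsec static set policy name="%POLICY%" assign=y
netsh ipsec static show policy name="%POLICY%" level=verbose
```

    After assigning the policy, confirm from an outside host that only 80 and
    443 answer (and 3389 only from the admin subnet), and confirm from the
    server that name resolution still works; a forgotten outbound permit shows
    up as a server that serves pages but cannot reach anything itself. To back
    out, `netsh ipsec static set policy name="WebServerInbound" assign=n`.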
  8. i would really recommend reading the "Improving Web Application
    Security: Threats and Countermeasures" best practices guide from Microsoft
    MohammadSH, Oct 16, 2004
