Ongoing web server security?
I am currently building a web server for a project which consists of 3 computers: one which has Windows 2003 with IIS installed, another with Windows 2003 installed with Active Directory and DNS, and another installed with Windows 2003 and ISA Server. We have secured all systems by blocking unnecessary ports and applying SSL and all that mumbo jumbo. Now we have to document the ongoing security monitoring of these servers and I was just wondering if any of you had any suggestions on what ways I could monitor the security on these systems.
Re: Ongoing web server security?
Quote:
Originally posted here by balls_okeeffe
Now we have to document the ongoing security monitoring of these servers and I was just wondering if any of you had any suggestions on what ways i could monitor the security on these systems.
IMO the two simplest and best things you can do are to subscribe to focus-ms@securityfocus.com and READ IT, and make the servers' event logs your morning paper. Nothing beats staying in touch with the servers on a frequent basis. If you are not restricted to just the stuff that comes with the operating system, an intrusion detection system is certainly an idea to consider.
Are you doing this as a school project, or is it work-related?
Either way, some questions to consider:
Are you only in charge of handling the webserver, or are you working on all aspects of this?
How much time per week are you able to spend monitoring the systems?
How much of a budget is there for software like intrusion detection systems, etc.?
How many other boxes will be residing on the same physical network as these servers?
What is the relative threat/risk of an in-person attempt to break the security of the box?
What is the likelihood you will be specifically targeted and attacked (i.e. industrial espionage)?
How many hours per day will there be staff present and capable of reacting to one form of attack or other, or conversely, how many hours per day are the boxes going to be left on their own?
How many "local" untrusted networks (sitting behind your border firewall, but may be open for use by unknown users, like wireless networks, or demonstration networks) are there?
How often are you able to schedule downtime for maintenance?
How easygoing are your superiors when it comes to unscheduled downtime (such as the quick release of Sasser may have required)?
Obviously the answers you give to those questions will be answers to yourself about your needs. Once you answer the questions, you will have a clear idea of what additional steps you will want to take on an ongoing basis.
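One way to make the servers' event logs your morning paper, as the reply suggests, is a small daily review script. This is an added example, not code from the thread: it reads a Security log export from the Windows 2003 boxes and pulls out failed-logon bursts, lockouts, and failures followed by a success. The tab-separated export layout, the sample lines and the burst threshold are constructed assumptions; the event IDs are the Windows 2003 (pre-Vista) Security log numbers.

```python
from collections import Counter, defaultdict

# Windows Server 2003 Security log event IDs (pre-Vista numbering).
FAILED_LOGON_IDS = {529, 530, 531, 532, 533, 534, 535, 539}
LOCKOUT_ID = 539          # logon failure: account locked out
SUCCESS_LOGON_IDS = {528, 540}

# Constructed sample of a tab-separated log export: date, time, event id, account, source.
SAMPLE_EXPORT = """\
2004-05-10\t02:13:01\t529\tadministrator\t10.0.0.77
2004-05-10\t02:13:03\t529\tadministrator\t10.0.0.77
2004-05-10\t02:13:05\t529\tadministrator\t10.0.0.77
2004-05-10\t02:13:09\t539\tadministrator\t10.0.0.77
2004-05-10\t08:01:44\t528\tjsmith\tWS01
2004-05-10\t08:05:12\t529\tjsmith\tWS01
2004-05-10\t08:05:30\t528\tjsmith\tWS01
"""

def parse_export(text):
    """Yield (date, time, event_id, account, source), skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5 or not parts[2].isdigit():
            continue
        date, time, eid, account, source = parts
        yield date, time, int(eid), account.lower(), source

def review(text, threshold=3):
    """Summarise one day's Security log into the items worth reading first."""
    failures = Counter()            # failed logons per account
    sources = defaultdict(set)      # where those failures came from
    lockouts = set()
    success_after_fail = set()      # failures followed by a success: check it
    for _, _, eid, account, source in parse_export(text):
        if eid in FAILED_LOGON_IDS:
            failures[account] += 1
            sources[account].add(source)
            if eid == LOCKOUT_ID:
                lockouts.add(account)
        elif eid in SUCCESS_LOGON_IDS and failures[account]:
            success_after_fail.add(account)
    return {
        "bursts": {a: (n, sorted(sources[a])) for a, n in failures.items() if n >= threshold},
        "lockouts": sorted(lockouts),
        "success_after_failure": sorted(success_after_fail),
    }

if __name__ == "__main__":
    print(review(SAMPLE_EXPORT))
```

Point it at each day's export from the IIS, domain controller and ISA boxes and read the three lists before anything else; the threshold is a starting value to tune against your own baseline.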