
Thread: Ongoing web server security?

  1. #1
    Junior Member
    Join Date
    May 2004
    Posts
    22

    Ongoing web server security?

    I am currently building a web server for a project which consists of 3 computers: 1 which has Windows 2003 with IIS installed, another with Windows 2003 installed with Active Directory and DNS, and another installed with Windows 2003 and ISA Server. We have secured all systems by blocking unnecessary ports and applying SSL and all that mumbo jumbo. Now we have to document the ongoing security monitoring of these servers and I was just wondering if any of you had any suggestions on what ways I could monitor the security on these systems.

  2. #2
    Junior Member
    Join Date
    Jan 2004
    Posts
    20
    I might be misunderstanding you, but either a host intrusion detection system or a network intrusion detection system comes to mind, depending on how much you want to log and what.

  3. #3
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Although you are using 2003, I recommend reading all documents about hardening IIS.
    Also, I wouldn't recommend that the DNS server runs AD services. I'm assuming that both (DNS and IIS) are behind ISA, but still... if it is possible, segregate them (DNS from AD) - but don't put DNS on the IIS server.
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  4. #4
    Junior Member
    Join Date
    May 2004
    Posts
    22
    DNS isn't on the IIS server, it is on the AD server. And di0strb, what are some free IDS software out there? I have looked around for some but they are generally useless.

  5. #5
    Senior Member
    Join Date
    Sep 2003
    Posts
    500
    Go get you a cheap box and put a couple of NICs in it. Then just load up Snort listening on each NIC and hook them up before and after your main router or firewall.

    You could then load Ntop on it so you could see all your bandwidth percentages (very nice program, check it out).

    Then if you want you could run EtherApe so you could see a visual blueprint of your network and all its connections (not that handy, but looks really good on a NOC.)

    Finally, you could have Ethereal running on the back NIC and it would examine all your activity at a packet level.

    Heck, if you don't have a firewall up then you could set up iptables as well and add some rules to it.

    This box could be a 100 MHz POS. Just put Slackware on it and load just the programs you need and disable all the servers on it. Just a cheap idea that would run independent of your other servers and wouldn't take a stab at your wallet (most schools and businesses throw these away).
    You shall no longer take things at second or third hand,
    nor look through the eyes of the dead...You shall listen to all
    sides and filter them for your self.
    -Walt Whitman-

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I don't mean to be picky but:

    and all that mumbo jumbo
    just doesn't sound good..... Securing the server by blocking unnecessary ports is one thing, but if you aren't patching the available services the firewall might as well not be there. I am also concerned about an AD controller in the mix.

    Can you give some more detail about what you are trying to achieve, how your architecture will look etc. so I better understand your aim and approach. There might be a much simpler (which is therefore more secure) approach.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255

    Re: Ongoing web server security?

    Originally posted here by balls_okeeffe
    Now we have to document the ongoing security monitoring of these servers and I was just wondering if any of you had any suggestions on what ways I could monitor the security on these systems.
    IMO the two simplest and best things you can do are to subscribe to focus-ms@securityfocus.com and READ IT, and make the servers' event logs your morning paper. Nothing beats staying in touch with the servers on a frequent basis. If you are not restricted to just the stuff that comes with the operating system, an intrusion detection system is certainly an idea to consider.

    Are you doing this as a school project, or is it work-related?

    Either way, some questions to consider:
    Are you only in charge of handling the webserver, or are you working on all aspects of this?
    How much time per week are you able to spend monitoring the systems?
    How much of a budget is there for software like intrusion detection systems, etc.?
    How many other boxes will be residing on the same physical network as these servers?
    What is the relative threat/risk of an in-person attempt to break the security of the box?
    What is the likelihood you will be specifically targeted and attacked (ie: Industrial espionage)?
    How many hours per day will there be staff present and capable of reacting to one form of attack or other, or conversely, how many hours per day are the boxes going to be left on their own?
    How many "local" untrusted networks (sitting behind your border firewall, but may be open for use by unknown users, like wireless networks, or demonstration networks) are there?
    How often are you able to schedule downtime for maintenance?
    How easygoing are your superiors when it comes to unscheduled downtime (such as the quick release of Sasser may have required)?

    Obviously the answers you give to those questions will be answers to yourself about your needs. Once you answer the questions, you will have a clear idea of what additional steps you will want to take on an ongoing basis.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?
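    Post #7's advice to make the servers' event logs your morning paper, as an added example that is not from the thread: a Python script over constructed Windows 2003 Security-log records (the tab-separated column layout is an assumption, not the Event Viewer export format) that flags accounts with a burst of failed logons (event 529) and, more importantly, any successful logon (528/540) that follows such a burst.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log data), tab-separated columns:
# date, time, event id, account, source workstation. The event IDs are the
# Windows 2003 Security-log values: 529 = logon failure, 528 = successful
# logon, 540 = successful network logon.
SAMPLE_LOG = """\
2004-05-12\t02:14:01\t529\tAdministrator\tWKS-UNKNOWN
2004-05-12\t02:14:03\t529\tAdministrator\tWKS-UNKNOWN
2004-05-12\t02:14:05\t529\tAdministrator\tWKS-UNKNOWN
2004-05-12\t02:14:08\t529\tAdministrator\tWKS-UNKNOWN
2004-05-12\t02:14:11\t529\tAdministrator\tWKS-UNKNOWN
2004-05-12\t02:14:20\t540\tAdministrator\tWKS-UNKNOWN
2004-05-12\t08:30:00\t529\tjsmith\tADMIN-PC
2004-05-12\t08:30:15\t528\tjsmith\tADMIN-PC
"""

FAILED_LOGON = "529"
SUCCESSFUL_LOGONS = {"528", "540"}


def parse_events(text):
    """Turn the exported text into sorted (time, event id, account, host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, event_id, account, workstation = line.split("\t")
        when = datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S")
        events.append((when, event_id, account.lower(), workstation))
    return sorted(events)


def find_suspicious_logons(text, threshold=5, window=timedelta(minutes=5)):
    """Return (bursts, successes): (account, workstation) pairs with at least
    threshold failures inside the window, and successful logons after a burst."""
    failures = defaultdict(list)  # (account, workstation) -> recent failure times
    bursts = set()
    successes = []
    for when, event_id, account, workstation in parse_events(text):
        key = (account, workstation)
        if event_id == FAILED_LOGON:
            recent = [t for t in failures[key] if when - t <= window]
            recent.append(when)
            failures[key] = recent
            if len(recent) >= threshold:
                bursts.add(key)
        elif event_id in SUCCESSFUL_LOGONS and key in bursts:
            successes.append((when.isoformat(sep=" "), account, workstation))
    return sorted(bursts), successes
```

    A single failure followed by a success (jsmith above) is a typo, not an incident; five failures followed by a network logon from an unknown workstation is the entry to chase first.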

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Once you've correctly set up ISA, enabled SSL, hardened your IIS, set up IDS etc.
    There's one thing a lot of people seem to overlook: Audit the web code!

    You won't be the first that got 0wn3d because some dipshit developer created a great looking website that had more holes than Swiss cheese.

    I also recommend placing the IIS server on its own segment (create a DMZ; which means you'll need at least 3 NICs in the ISA server). That way if the bad guys somehow got into your web server they still need to bypass ISA to get onto your internal network.

    And one more note, I suggest investing in a hardware firewall. I know MS is pushing ISA as a proxy and firewall combination but I'll never ever use it as a firewall. The reason I'm not using it is because ISA doesn't do anything to harden the TCP/IP stack of Windows.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  9. #9
    Junior Member
    Join Date
    May 2004
    Posts
    22
    Can you give some more detail about what you are trying to achieve, how your architecture will look etc. so I better understand your aim and approach. There might be a much simpler (which is therefore more secure) approach.
    The network consists of several servers, each with a specific role within the site's local network.
    The web server, as the name suggests, is primarily concerned with the site's web service, which contains e-commerce components, and also stores client/customer details locally on the server in a database.
    The operating system consists of Microsoft Windows 2003 Server Web Edition running IIS 6.0. IIS 6.0 installs in a highly secure state, serving only static HTML content until other features and file types (such as ASP and ISAPI) are enabled.
    The Internet Security and Acceleration Server (ISA) is the site's firewall and only link to the outside world. The operating system consists of Microsoft Windows 2003 Server running ISA 2003.
    All current updates/patches/hot fixes for all software including IIS, ISA, Active Directory and all Windows 2003 versions have been installed.
    All servers are currently stationed in a secure facility, on their own internal network. There are no other clients or servers on the internal network and the only outside link to the internet resides through the ISA Server (firewall).

    What I'm trying to achieve here is once all the security is in place, I need to document a way to monitor the ongoing security of the site. I don't actually have to perform anything, I just need to document it in a report. Any suggestions?

  10. #10
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Pick a vulnerability scanner, Retina by eEye is my favorite.
    Define and document why you selected it.
    Define and document how and when to scan.
    Define and document how and when to update the scanner.
    Define and document how to verify that it was used correctly and that it is up to date, both that it is the most current library and that the vendor is up to date.
    Define and document how vulnerability reports should be formatted and what they should contain.
    Define and document what is to be done in the event a scan discovers whatever type of errors it may discover.
    Define and document what is audited and why.
    Define and document how and when the logs are to be reviewed.
    Define and document specific actions to be taken in the event that the logs reveal any number of entry types.

    Define and document how all this documentation is to be developed.
    Define and document all relevant asset values and the annual costs of existing countermeasures; this will help in selecting new countermeasures as issues arise.
    Define and document all relevant business roles so that the disaster recovery/business continuity people will have a document to refer to.
    Define and document all relevant key roles and/or personnel.
    Define and document what level this documentation is, who can override, alter, etc.

    Hope this helps.

    catch

    PS. Adding Linux systems as someone else said is a horrible idea, whatever costs you may think you are saving quickly vanish as the operating costs for supporting a whole new platform are calculated in.
