Improving Web Application Security: Threats and - CGISecurity

Chapter 16: Securing Your Web Server 471Additionally, subscribe to the industry security alert services shown in Table 16.6.This allows you to assess the threat of a vulnerability where a patch is not yetavailable.Table 16.6 Industry Security Notification ServicesServiceLocationCERT Advisory http://www.cert.org/contact_cert/certmaillist.htmlMailing ListInformative advisories are sent when vulnerabilities are reported.Windows and .NETMagazine SecurityUPDATEhttp://email.winnetmag.com/winnetmag/winnetmag_prefctr.aspAnnounces the latest security breaches and identifies fixes.NTBugtraq http://www.ntbugtraq.com/default.asp?pid=31&sid=1 - 020This is an open discussion of Windows security vulnerabilities and exploits.Vulnerabilities which currently have no patch are discussed.Remote AdministrationAdministrators often need to be able to administer multiple servers. Make sure therequirements of your remote administration solution do not compromise security. Ifyou need remote administration capabilities, then the following recommendationshelp improve security:● Restrict the number of administration accounts. This includes restricting thenumber of administration accounts as well as restricting which accounts areallowed to log on remotely.● Restrict the tools. The main options include Internet Services Manager andTerminal Services. Another option is Web administration (using the IISAdminvirtual directory), but this is not recommended and this option is removed byIISLockdown.exe. Both Internet Services Manager and Terminal Services useWindows security. The main considerations here are restricting the Windowsaccounts and the ports you use.● Restrict the computers that are allowed to administer the server. IPSec can beused to restrict which computers can connect to your Web server.