Secure your Web server

So here's the deal: Clearly you want to put your company onto the Internet in the best way possible, so customers and partners can get information they need to do business with you. At the same time, you want to make sure that you don't give away the whole ranch by letting anyone on the Web wander all over your server, finding whatever he might choose.

When implementing a Web server, certain basic guidelines should be followed to protect against security breaches. A Web server allows users to download designated files and run CGI scripts, Active Server Pages and server-side applets that are accessible to it. For this reason, the server should not be able to access sensitive files that contain proprietary company information or files pertinent to system security.

Limit the Web server to a specific directory subtree, and specifically dedicate a system to Web server duties (Windows 2000 uses %SystemRoot%Inetpubwwwroot). Also, make sure that Web sites with password security do not place the password security file in a directory the server can read. The Web server should run as a very underprivileged user to limit its own access, with a privilege level just enough to perform required functions. It should have a firewall between it and the internal network, and no internal host should trust it through Windows 2000 domain trust relationships.

Because the Web server is permitted to run local components, all scripts, applets and active components should be analyzed for unintended uses. Remember: These scripts can be run with freely chosen parameters from the outside, so any service that allows users to download scripts to the server should be carefully scrutinized. FTP users should not be able to download to the Web server's file system area. In fact, almost all services should be disabled on the Web server except for HTTP.

To read the whole article from which this tip comes, click over to InformIT. You have to register there, but the registration is free.