Securing the Web site
Protecting a Web server is the ultimate security job. There is a fascinating array of technology, design, philosophy and personality embedded in a Web site. There is no "one size fits all." The purpose of a site varies, from intranet to e-commerce and from simple Web presence to business-to-business. Every day brings new challenges and opportunities for disaster or ecstasy. On the roller coaster that is Web security, many elements add to the risk and thus the adventure. The following are some of the problems faced:
- The location of the Web server is advertised.
- Services and protocols in use have been around for a while, and specialized attacks exist.
- New services, protocols and applications create new security holes and problems.
- There are more areas to configure, and more things can go wrong.
- Some organizations live dangerously: They have the attitude that placing the Web server behind a firewall is all the security you need. (A more prudent organization will continually harden and patch the server and its contents.)
- Newly created attacks are occurring all the time.
- The company might have "bet the farm" on the site. The site might be the company.
- Sensitive customer credit and personal information often resides on servers or in databases exposed to the Web.
- Sensitive organization information often resides on databases or servers exposed to the Web.
- Security failures often become public knowledge. An attack on an internal server can often be kept within the corporate family; however, a security breach on a Web server often results in a defaced home page or other evidence of your failure.
Because the risks and opportunities are so great, there is growing recognition of the need for security. The issue is how much security and at what cost. There are different ways to secure a Web site and different lengths to which you might want to go depending on risk, monetary restrictions and policy.
Here are three steps you should take to begin the process:
- Determine the use of the server. Is it an intranet server that will never be exposed to the Internet? Is it the corporate presence on the Internet? An e-commerce site? Business-to-business? More time should be spent securing an e-commerce site than one that purely exists to provide information to internally located employees. Knowing the purpose of the site will point you in the right direction.
- Refine and evaluate the potential threat to the site. Is it a small company or organization Web site that attracts few users? Or is it Microsoft, IBM, eBay, the U.S. government, or some other megalith upon which every renegade will want to leave a mark? Although no Web site should sit unprotected on any network, it just doesn't make sense to ignore social and political factors.
- Determine the security policy of the organization to which the Web site will belong. Determining the level of security to apply might not be up for discussion. You might have a strict policy that prescribes exactly what to do. If a policy does not exist, Web site security is a good place to start defining one. You should also investigate the need for updating any current policy because new risks are discovered all the time.
When you have an idea of the strength of security for which you are aiming, you can begin.
Read more of Roberta Bragg's article at InformIT. Registration is required, but it's free.
Related book: Windows 2000 Security
Author: Roberta Bragg
Publisher: New Riders
ISBN/CODE: 0735709912
Cover Type: Soft Cover
Pages: 500
Published: Oct. 2000
Windows 2000 Security is the only source you need to create and implement security strategies for Windows 2000 systems and networks. With detailed information on security issues, you'll have the knowledge, tools, standards and guidance you need to secure your OS, LAN, server, remote access and Web connections. After reading this book, you will come away with the "how," "why" and "when" of Windows 2000 security features, and know how to take advantage of them.
This was first published in May 2001