IIS 6: The Complete Reference

Maintaining security of your web site is extremely important and getting more difficult to accomplish with each new web application or feature introduced on the market. Today’s technological advances mean that you continuously need to learn and understand even more information to protect your site from vulnerabilities. Any time your system is exposed to people, you risk attack. Security involves identifying, prioritizing, and mitigating that risk. This chapter discusses the methodology behind securing your system.

Internet Security Background

The Internet was not designed to be secure; it was invented by computer techies for use by computer techies. Because the concept of having to secure the environment wasn’t considered at the time, no security is built into the Internet Protocol version 4 (IPv4) stack. Since the Internet’s creation, an increasing number of attacks have occurred on systems every year. With all the worms, viruses, Trojan horses, hacking, cracking, and just plain sabotage going on, it seems that no end to security issues is in sight. Diligently keeping on top of these issues is the only way to protect yourself and your system, especially if you manage high-profile servers and applications.

Why Vulnerabilities Happen

Vulnerabilities can be generated from a variety of places for a variety of reasons, including the following:

Interestingly enough, from a pure security perspective, the most effective attacks occur as a result of human vulnerabilities. Although worms and viruses can be destructive and can take down your system, the worst type of security problem can occur when an attacker from outside the system gains access to sensitive data by making privileged personnel believe the attacker is to be trusted. Here’s an example of how that can occur:

Joe: Hello?
Hacker: Hi, this is Bob from the help desk. We’re having an issue with the network, and we’ve traced it to your user ID.
Joe: Oh, no.
Hacker: Yes. Can you please verify your user ID for me?
Joe: Sure; it’s JoeUser99.
Hacker: Yes, that’s what I have here. Can I also verify your password?
Joe: Why, sure. It’s Nancy, my wife’s name.
Hacker: Alrighty then. Let me take care of this network issue. Thanks for all your help.
Joe: No problem.

Now the hacker has access to anything on the system that Joe can access. The best software patching procedure in the world won’t help you in such cases.

How You Can Protect Your System

First, you must have a good security methodology. While the methodology created is unique for each business, several key elements should be included:
