Appendix B - Site Security Planning

To safely deploy enterprise Web applications, you will need security policies and practices that defend your intranet against intrusion, that protect the communication of sensitive information across the Internet, and that provide secure access to critical applications for customers and business partners.

This appendix describes how to set policies for securing Web resources, applications, and data in an intranet. It also presents scenarios for using Internet Information Services (IIS) 5.0 in order to secure communications, including e-commerce applications, over the Internet. For more information about security in general, see "Security" in this book.

Assessing Threats to Security

This section provides a framework for assessing threats to the security of a Web site and its assets. A Web site is considered to include one or more server platforms and associated Web services under unified administrative control.

To effectively plan the security of your Web site you must:

  • Keep pace with changes in business that might require new security measures. For example, e-commerce will require encryption of private information sent over the Internet.

  • Identify and assess threats to the security of online assets. For example, if you open your corporate intranet to access by employees from home, their user IDs and passwords are assets that will be made vulnerable to the threat of exposure on the Internet.

  • Prioritize threats according to potential exposure and recovery costs. For example, if you allow customers to purchase services from your Web site, determine what assets would be exposed and what the cost would be to secure them.

In the emerging online business environment, accurate threat assessment is vital to achieving cost-effective security for assets shared over the Web within your organization, as well as among your business partners and customers.

Threat Identification

Identifying threats to your Web site includes creating inventories of assets, evaluating assets and potential losses, and recognizing where potential threats originate (from inside and outside your organization).

When your organization engages in business over the Web, potential threats become more numerous. Security plans must account for communication of information between your site and the intranet sites of your business partners and customers.

Threats increase as assets are deployed to new environments. Many sensitive information assets stored and used in traditional environments, such as corporate databases connected to corporate users by means of a local area network (LAN), will also be deployed in relatively new environments, such as intranets and the Internet. The increase in the use of Transmission Control Protocol/Internet Protocol (TCP/IP) networks, including the Internet, has created new environments in which employees, business partners, and customers expose information assets to new security threats. Therefore, your network-based information will be potentially more vulnerable than ever.

The following list summarizes the criteria to use when assessing threats and potential damage to information that will be deployed on intranets and over the Internet. For an example, see "Where to Spend the Effort."

For each asset requiring security:

  • Create an inventory of online assets requiring security. Identify all systems, applications, and information that will need protection from intruders.

  • Specify who needs access to the assets (in-house users, business partners, customers, an anonymous public), and from where (your intranet, or the Internet).

  • Estimate the relative value of the assets you are charged to protect. A useful approach is to measure value as the relative damage that would be suffered by the organization, if an asset were corrupted or lost. Consider the importance of each asset to the achievement of business goals, the need to maintain credibility with customers, and the cost of replacing these assets if they are lost.

  • Specify the consequences to your organization of a successful intrusion (loss of data, loss of service).

  • Estimate the maximum potential damage on a scale of 1 (low) to 10 (high). Take into account that both data loss and denial of service will damage your organization and its customers.

  • Estimate the minimum cost of providing adequate security for each category of assets on a scale of 1 (low) to 10 (high).

  • State any conditions or assumptions affecting threats to assets or cost of security. For example, on the condition that the organization will use Internet-standard encryption methods, you might assign a low-cost factor to securing private data transmitted over the Internet between browsers and servers.

Attacker Motives and Targets

Individuals and groups seeking to invade your site could be operating from any of a wide range of motives: to aid an organization competing against yours; to embarrass the site owners as a prank; to further a social cause (antitechnology, antibusiness); to get revenge (the attacker was fired, did not receive a bonus, hates the boss); or, to gain status among peers.

Intruders can attack any asset of value to your organization, such as the entire contents of the corporate database. Targets are not limited to trade secrets or information that could be sold illegally; they might also be servers or server-based services, such as e-mail.

Threats on Intranet

Intranets can expose assets to threats from both outside and from within an organization.

Threats from Outside

Intranets use Internet technologies, such as e-mail and Hypertext Transfer Protocol (HTTP), in order to provide corporate resources to employees. Because these technologies are based on the TCP/IP suite of protocols, intranets give employees easy access to corporate information resources via the Internet, from wherever they might happen to be: at home, on a business partner's site, or in a distant city.

One result of this access is that employees send identification and authentication data as well as other sensitive business information over public networks, as they take care of business from remote locations. When the logon and authentication communication is not secured by encryption, amateur programmers working outside the corporation can intercept and use this sensitive information against the company intranet.

The Danger from Within

Outsiders do not pose the only threats to corporate resources on your intranet.

When developing plans for protecting new Web applications, there is a tendency to focus exclusively on securing data that will be transmitted past the firewall and across the Internet. However, evidence continues to show that security threats from inside organizations are most significant. While this may change somewhat with the advent of e-commerce and business-to-business applications, potential threats from inside your organization will require continuous attention if they are to be minimized. See the sidebar, "Information Systems Employee Seeks, Gets Revenge," for an example of how one disgruntled employee caused long-term damage to a company's vital intellectual property.

Information Systems Employee Seeks, Gets Revenge

In 1996, a disgruntled Information Systems employee of a U.S. manufacturer of measurement and control instruments planted a logic bomb on a company LAN. The bomb detonated ten days after the man had been terminated, wiping out the company's research, development, and production software, including its backup systems. The company estimated the cost to recover the damage at $12 million (over the several years that would be required to redevelop the software).

The employee had been notified that he was to be terminated, but his network accounts had not been disabled until his termination date. He had ample time to plant the bomb before leaving the company. Had he wanted to do so, he could have opened a back door to the systems he used, which would have allowed him to commit further damaging acts.

This incident shows the need for creating and enforcing realistic security practices, in order to combat internal threats to assets. There is no way to guarantee that employees will not commit destructive acts. However, some policies and practices that could have helped minimize the risk of incurring damages (such as those just cited) include disabling employee access before termination, running antivirus software on each computer on the network, and monitoring the network to detect intrusive traffic. Because the employee, in this case, had root privileges to the systems on the network, the Information Technology team should have locked down all the systems he administered.

At a minimum, the following security policies should be in place, in order to avoid this kind of catastrophe:

  • Disable the accounts of employees upon their notification of termination. Do not wait until their termination date. In this case, the logic bomb had been planted before the employee was actually terminated, but after he knew termination was imminent.

  • Reinitialize security for systems that were under the terminated employees' control. Continuously monitor these systems for security violations, such as back doors that are left open. Terminated employees often use these as reentry points.

  • Install and run antivirus software on each computer on the intranet.

  • Back up systems, applications, and data; deploy off-site storage for archival backups.

Threats over the Internet

Businesses gain a competitive advantage both by using the Internet to share information and resources with key partners, and by transacting business with customers. However, with that advantage comes a security challenge: to protect enterprise data and private customer information as they are communicated over the Internet.

In the Internet business environment, information assets take on new forms and appear in unaccustomed places. You will need to account for such changes in form and placement as you build your inventory of assets. For example, if you plan to offer online purchasing to customers, your company will transmit and receive credit card numbers and other private information across the Internet. Formerly confined to file cabinets and an internal network, this information, now transmitted in data packets on public networks, is an old asset that will be transmitted in a new environment. You will need to account for this development in your inventory of all assets that must be secured.

Opening the corporate network to communication from users outside the firewall presents opportunities for amateur programmers to exploit your organization through:

  • Software bugs that compromise security, leaving your site vulnerable if the bugs are not fixed.

  • Inadequately secured data that is routed over the Internet, leaving your data exposed to interception and illegitimate use.

  • Unsecured executable Web application code with system access, leaving your back-end data exposed to access from unauthorized users.

Identify any threats to your assets. Include potential perpetrators, the ways in which they operate, and the targets your organizational environment presents to them. Evaluate the severity of the threats, and the degree of harm that successful attacks could cause.

Threats Impact All Areas of Security

Doing business over the Internet will impact each area of security at your Web site: authentication, authorization (or access control), privacy and integrity, availability, auditing, and nonrepudiation.

Authentication

Customers will open accounts and connect with your firm over the Internet, using the online authentication scheme you choose. IDs and passwords sent in an easily readable form could be intercepted as they are transmitted over the Internet.

Some would-be intruders also possess the tools to decrypt passwords that are encrypted. Password-cracking programs intercept encrypted password files, then match the passwords to encrypted known passwords by using a pattern matching method. The matches are stored for later use against the site that sent the original encrypted passwords. For example, intruders sometimes use a program named "L0phtcrack" to decrypt passwords from Server Message Blocks (SMB), which are intercepted as they are being transmitted across the Internet.

Spoofing is an insidious method used for gaining access to user IDs, passwords, and other private information. A spoofing operation uses network communications to fool the user into participating in an illegitimate event. The attacker sends what appears to be a legitimate Web server or network service link (spoofing the server or service) for the purpose of collecting important private information.

For example, an attacker might intercept an Internet communication, then send the user a dialog box with the false message that network service has been interrupted. The attacker then requests that the user log on again using his or her user ID and password. Spoofs can be used to hijack Telnet sessions, communications with boards and chat sessions, or e-mail transmissions.

Authorization

You will need to change your authorization (or access-control) policies and procedures in order to meet the new challenges of doing business over the Internet. Employees, customers, and business partners will need access to resources at your site, which probably includes executable content. Recent surveys show that up to 25 percent of successful intrusions into business intranets are perpetrated by employees and users who have no legitimate need for access to the areas they entered. They gain access to these resources mainly through faulty authorization schemes. Both policies and procedures are often inadequate to protect system resources from unwanted intrusion.

Your site will be vulnerable to intrusion from destructive unauthorized users and thieves entering it from the Internet, if your access-control scheme does not protect your resources, such as scripts in ASP pages, from read access by outsiders.

Privacy and Integrity

Customers and business partners will send IDs, passwords, financial account data, and other sensitive information to your site. The privacy and integrity of such information will be vulnerable unless it is properly protected as it is routed over the Internet. Privacy and integrity are closely related and are subject to the same threats:

  • Data intercepted and read by a malicious Internet user compromises the privacy of the transmission. The attacker can now use the information for purposes counter to the owner's intentions.

  • Once privacy is compromised, the integrity of the information is threatened. The data can be modified before being sent on to its destination.

Availability

Opening your site to Internet commerce can threaten the availability of the services it provides. Heavy use of server resources can slow service; deliberate acts by intruders can crash systems, resulting in denial of service. A lack of redundant systems and proper backups leaves Web sites vulnerable to prolonged outages.

Auditing

A recent U.S. government computer site attack exercise found that fewer than 5 percent of the successful attacks were detected by network and systems administrators, and that even fewer were reported to authorities.

As you begin to do business with relative strangers, it becomes increasingly important to know who has connected to your site, when, and what actions they took. Law enforcement officials might need information about clandestine users coming in from anywhere in the world. You will need continuous auditing of the events occurring on your site.

Nonrepudiation

There will always be customers who try to repudiate actions they have taken, such as claiming they did not make an online purchase. To discourage repudiation, provide not only strong authentication and authorization for your site, but sufficient auditing for it as well. Without these measures, in combination with a strong liaison with law enforcement authorities, those who want to repudiate business transactions will have ample opportunity.

Where to Spend the Effort

Why Is Security Difficult?

When developing priorities for site security, keep in mind the organization, as well as its assets that must be secured. You must provide extensive access to the same assets you are trying to secure. Balancing these two requirements makes creating effective security measures difficult, particularly on a limited budget. Use the following general rules for deploying and securing the assets on your site:

  1. Make each asset accessible to everyone who should have access to it, whenever they need it.

  2. Protect each asset from intrusion by anyone who should not have access to it.

The first rule promotes awareness that the organization's mission is something other than security. The second rule suggests an effective approach to developing security policy: a least-access approach.

A Least-Access Approach

A least-access approach to security means that you should lock down, turn off, or remove online assets that do not require online access. Furthermore, you should allow access to resources only to those who truly require it.

This approach tends to greatly reduce such calamities as loss of data and denial of service that are due to the unwitting actions of users who wandered into areas in which they did not belong. It also minimizes the number of potential easy entry points for unauthorized users. For example, you might want to open only Transmission Control Protocol (TCP) ports 80 (HTTP) and 443 (HTTPS) for access to your Web services, and turn off the others. Other examples include disabling guest user accounts, as well as restricting anonymous users to read-only access in well-defined areas of the site.

Most of your effort should be spent securing assets that are potentially under threat, and to which Information Technology staff or users need access. This requires that you prioritize threats, assigning the highest security needs to those assets whose loss could most damage the organization.

The Case of Exploration Air

For a more in-depth view of the threat-assessment process, consider a hypothetical example. A network administrator planned to secure a Web site at his company, Exploration Air. He began by analyzing the security requirements of a Web site that maintains customer information, including frequent flyer miles, for members of its Flyers Club.

Assigning Threats and Potential Damage

First the administrator listed the assets needing protection, the network environments from which users would gain access, and the threats to those assets. Linking assets to access (see Table B.1) leads to an important security issue: the need to protect assets outside the corporate firewall. An asset only available from the company's intranet is protected from outside intruders by the Exploration Airlines firewall. However, assets sent over the Internet are vulnerable to interception while being routed across a public network. Making this distinction helps identify security requirements and cost issues that can be resolved in later steps. Notice that for item 1 (in Table B.1), access is from the intranet and the Internet. This assumes that Exploration Air employees are allowed to access their accounts from home using dial-up access and to log on via HTTP forms. Thus there is potential danger, due to employees who access the intranet from the Internet.

Next, the administrator considered how each asset might be compromised, and categorized the potential loss as either a loss of data or denial of service. Based on the high value the company attributes to its customers and to its own good name, the administrator placed a high damage score on losses of customer data, especially when customers' money might be involved. For clarity and simplicity, the administrator did not include information considered public, needing little if any protection.

Table B.1 Threats and Potential Damage

Web Site Threat Assessment for Site:__________________________________ as of (Date):___________________

| # | Asset / Access from | Threat / Loss | Expected Maximum Damage |
|---|---------------------|---------------|-------------------------|
| 1 | Employee user IDs / Intranet, the Internet | Acquired by malicious user / Data loss, denial of service | 10 ("10" for net administrator IDs) |
| 2 | Back-end SQL Server / Intranet | Corrupted by malicious user / Data loss | 10 ("10" for corrupt current and backup data) |
| 3 | Flyers Club IDs and passwords / Intranet, the Internet | Acquired by potential thief / Data loss | 9 (customers lose money if thief uses frequent flyer miles) |
| 4 | Other back-end customer data / Intranet, the Internet | Acquired by malicious user / Data loss | 9 |
| 5 | Web services / Intranet | Brought down by malicious user / Denial of service | 6 |
| 6 | Network operating system / Intranet | Brought down by malicious user / Denial of service | 6 |
| 7 | ASP page source / Intranet, the Internet | Acquired by malicious user / Data loss | 5 |


Assigning Relative Costs to Security

Next, the Exploration Air administrator pulled together a team, in order to determine the relative cost of securing the online assets needing protection (see Table B.2). The team looked for security solutions that were cost-effective, assigning a factor of "1" for the lowest relative cost and "10" for the highest. The team favored security solutions that were integrated into the network operating systems, or that were based on Internet community standards. They assigned the solutions relative cost factors of "1" or "2." Assumptions were spelled out in the appropriate fields of Table B.2. These assumptions pointed to requirements that would help Exploration Air assess network operating systems, Web services software, and add-in security software that might be used to secure the site.

Finally, the team listed the areas of security that were directly involved in securing each asset. For example, securing asset number 3, Flyers Club IDs and passwords, would require effective authentication, authorization, integrity, privacy, availability, and nonrepudiation.

At this stage, the team faced an issue new to Exploration Air's business model: how to secure user logon and transmission of sensitive, private information over the Internet. Customers would be allowed to submit forms that would trigger the creation and maintenance of their own accounts at the Flyers Club site. These accounts would receive and hold personal information about the club members, as well as keep track of their frequent flyer credits (as credits were added and subtracted by the reservation system). Members would be able to download all the information contained within their own club records over the Internet.

Table B.2 The Relative Costs of Security

Web Site Threat Assessment for Site:__________________________________ as of (Date):___________________

| # | Asset / Access from | Threat / Loss | Expected Maximum Damage | Expected Minimum Security Cost | Security Areas |
|---|---------------------|---------------|-------------------------|--------------------------------|----------------|
| 1 | Intranet user IDs / Intranet, the Internet | Acquired by malicious user / Data loss, denial of service | 10 ("10" for net admin IDs) | 1 (assumes adequate firewall and operating system-integrated security) | Authentication, Authorization, Auditing |
| 2 | Back-end SQL Server / Intranet | Corrupted by malicious user / Data loss | 10 ("10" for corrupt current and backup data) | 1 | Authentication, Authorization, Integrity, Availability, Auditing |
| 3 | Flyers Club IDs and passwords / Intranet, the Internet | Acquired by potential thief / Data loss | 9 (customers lose money if thief uses frequent flyer miles) | 2 (assumes end-to-end Internet standard encryption and authentication) | Authentication, Authorization, Integrity and privacy, Availability, Nonrepudiation |
| 4 | Other back-end customer data / Intranet, the Internet | Acquired by malicious user / Data loss | 9 | 2 (assumes Internet standard encryption and authentication) | Authentication, Authorization, Integrity and privacy, Availability, Nonrepudiation |
| 5 | Web services / Intranet | Brought down by malicious user / Denial of service | 6 | 4 | Authentication, Authorization, Availability |
| 6 | Network operating system / Intranet | Brought down by malicious user / Denial of service | 6 | 4 | Authentication, Authorization, Availability |
| 7 | ASP page source / Intranet, the Internet | Acquired by malicious user / Data loss | 5 | 2 | Authentication, Authorization, Availability |


The Exploration Air case is an example of how to assess threats and costs, before establishing security policies and practices for any Web site. Once you know the assets to be secured, the threats to those assets, the relative costs of security solutions, and the areas of security affected, you can begin to outline policy goals and objectives.
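As an added example (not part of the appendix and not a Microsoft tool), the register below transcribes Table B.2 and works the prioritization step through in code: it validates the 1-to-10 scores, ranks assets by an assumed metric of expected damage per unit of security cost, lists the assets exposed outside the firewall, and maps each security area to the assets that depend on it.

```python
"""Prioritise the Exploration Air threat register (Tables B.1 and B.2).

Added example, not part of the appendix and not a Microsoft tool. The rows
are transcribed from Table B.2; the ranking rule (expected damage per unit
of security cost) is this example's own assumption, not a rule the appendix
states.
"""
from dataclasses import dataclass

SCALE = range(1, 11)  # the appendix scores damage and cost from 1 (low) to 10 (high)


@dataclass(frozen=True)
class Asset:
    number: int
    name: str
    access_from: tuple    # network environments users reach the asset from
    threat: str
    loss: tuple           # "Data loss", "Denial of service", or both
    damage: int           # Expected Maximum Damage, 1-10
    cost: int             # Expected Minimum Security Cost, 1-10
    areas: tuple          # security areas directly involved in securing the asset
    assumption: str = ""  # condition behind the cost estimate, where the table states one


REGISTER = (
    Asset(1, "Intranet user IDs", ("Intranet", "Internet"),
          "Acquired by malicious user", ("Data loss", "Denial of service"), 10, 1,
          ("Authentication", "Authorization", "Auditing"),
          "Assumes adequate firewall and operating system-integrated security"),
    Asset(2, "Back-end SQL Server", ("Intranet",),
          "Corrupted by malicious user", ("Data loss",), 10, 1,
          ("Authentication", "Authorization", "Integrity", "Availability", "Auditing")),
    Asset(3, "Flyers Club IDs and passwords", ("Intranet", "Internet"),
          "Acquired by potential thief", ("Data loss",), 9, 2,
          ("Authentication", "Authorization", "Integrity and privacy", "Availability", "Nonrepudiation"),
          "Assumes end-to-end Internet standard encryption and authentication"),
    Asset(4, "Other back-end customer data", ("Intranet", "Internet"),
          "Acquired by malicious user", ("Data loss",), 9, 2,
          ("Authentication", "Authorization", "Integrity and privacy", "Availability", "Nonrepudiation"),
          "Assumes Internet standard encryption and authentication"),
    Asset(5, "Web services", ("Intranet",),
          "Brought down by malicious user", ("Denial of service",), 6, 4,
          ("Authentication", "Authorization", "Availability")),
    Asset(6, "Network operating system", ("Intranet",),
          "Brought down by malicious user", ("Denial of service",), 6, 4,
          ("Authentication", "Authorization", "Availability")),
    Asset(7, "ASP page source", ("Intranet", "Internet"),
          "Acquired by malicious user", ("Data loss",), 5, 2,
          ("Authentication", "Authorization", "Availability")),
)


def validate(register):
    """Return a list of problems: scores off the 1-10 scale, or rows missing
    the access, loss or security-area entries the worksheet requires."""
    problems = []
    for a in register:
        if a.damage not in SCALE:
            problems.append(f"asset {a.number}: damage {a.damage} is not on the 1-10 scale")
        if a.cost not in SCALE:
            problems.append(f"asset {a.number}: cost {a.cost} is not on the 1-10 scale")
        if not a.access_from or not a.loss or not a.areas:
            problems.append(f"asset {a.number}: access, loss and security areas must all be filled in")
    return problems


def damage_per_cost(asset):
    """Assumed ranking metric: expected damage averted per unit of security cost."""
    return asset.damage / asset.cost


def prioritise(register):
    """Order the register so effort goes first where the most damage is averted
    for the least cost; ties keep the worksheet's row order. Returns asset numbers."""
    return [a.number for a in sorted(register, key=lambda a: (-damage_per_cost(a), a.number))]


def internet_exposed(register):
    """Assets reachable from outside the firewall: the ones the appendix says are
    vulnerable to interception while routed over a public network."""
    return [a.number for a in register if "Internet" in a.access_from]


def area_coverage(register):
    """Map each security area to the assets that depend on it, so a planner can
    see which controls protect the most, and the most valuable, assets."""
    coverage = {}
    for a in register:
        for area in a.areas:
            coverage.setdefault(area, []).append(a.number)
    return coverage


if __name__ == "__main__":
    assert not validate(REGISTER)
    for number in prioritise(REGISTER):
        a = REGISTER[number - 1]
        print(f"{number}. {a.name}: damage {a.damage}, cost {a.cost}, "
              f"ratio {damage_per_cost(a):.1f}, areas: {', '.join(a.areas)}")
    for area, numbers in sorted(area_coverage(REGISTER).items()):
        print(f"{area}: assets {numbers}")
```

Under the assumed metric, the cheap-to-fix ASP source exposure (asset 7) ranks ahead of the two denial-of-service rows, which is the kind of reordering the cost column is meant to surface.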

Making Policy

Design your Web site security policies to achieve realistic goals at a reasonable cost. Although Web sites will differ from each other, they will share some fundamental goals relating to strength of security, its cost, and the means of achieving a secure site. To ensure this:

  • Provide strong security that is consistent with access requirements.

  • Certify that all personnel who administer security are fully competent to enforce security policy consistently and accurately. Make sure that all users accept their responsibility to comply with this policy.

  • Control security implementation costs that are consistent with the need for strong security. Security must scale up efficiently as sites expand.

  • Adopt technologies, standards, and practices that are adaptable to changing conditions and new developments.

  • Choose technologies that allow you to fully integrate security monitoring and management into network and user account administration. A single interface for security and administration will enable you to have efficient and timely security monitoring.

  • Adopt Internet community standards for communication between your Web site and Internet destinations, including the security of communication. The adoption of Internet standards yields low-cost start-up and good scalability, because the standards are widely supported by your customers and business partners.

Vigilance and Revision

Successful security planning results in policies that mandate constant vigilance and periodic revision.

Constant Vigilance

Effective security planning requires you to monitor and report all significant security-related events. It also requires that you audit the reports from the systems administration in a timely fashion. Planning leads to security policies and standards that support effective monitoring and review.

Develop security plans that, at a minimum, thoroughly require you to monitor the following events and situations inside and outside the site:

  • All security-related network events, such as resource access activities and logon attempts

  • New users and changes to user network authentication status

  • Reports of employees who are to be terminated

  • Changes in authorization (access control) to site directories and files

  • The addition of, or changes to, organizational firewalls and network-wide authentication systems

  • Forums that report on discovered network security holes for the systems in place at your site, as well as fixes for them

  • Problem and incident reports from the Internet community

It cannot be overemphasized that the systems and applications you install will contain bugs that will likely be discovered elsewhere in the Internet community, before you know about them. Your vendors and the Internet community security forums will broadcast news as these problems surface, and as solutions are developed. Security policy must include the practice of diligently monitoring the forums that provide this information, as well as the fixes for them.

Here are two examples of forums that effectively track bugs and fixes for major network operating systems:

  • For UNIX systems: bugtraq.
    To subscribe: send a message to listserv@netspace.org; no subject; in the message area type subscribe bugtraq.

  • For Windows: ntbugtraq.
    To subscribe: send a message to listserv@listserv.ntbugtraq.com; no subject; in the message area type subscribe ntbugtraq.

Periodic Revision

Security plans and policies are effective only to the extent that they anticipate and counter potential threats. Establish a policy to periodically review your security plan, in light of changes in your organization's business practices.

New ways of using the Web, such as connecting your Web users to your organization's databases, will incur new vulnerabilities to threats, on your intranet and over the Internet. The scripts used to activate Web pages with database information contain code needed to open and query these databases. You will need to revise your security plan, in order to establish policies and practices that prevent unauthorized access to your proprietary Web application scripts (for an example, see the sidebar "Who Is Reading Your Server-Side Scripts?").

Who Is Reading Your Server-Side Scripts?

At some point in the near future you will probably want to provide your users with access to your server data over the Internet. You can accomplish this by writing scripts in ASP pages on the Windows® 2000 platform, utilizing the IIS 5.0 online product documentation as a resource. Browser users cannot view your scripts by viewing the page source, because the server-side scripting was removed before the page was sent to the browser.

However, you will compromise the security of your server-side scripts if you allow browsing of directories containing scripts in ASP pages, or server-side includes containing collections of script fragments. Here are some common mistakes to avoid:

  • Files with the .asp extension must be placed in a directory with execute permissions set. It is a security risk to also set read permissions for these directories, because this permits easy pilfering of your original scripts in ASP pages.

  • For efficient maintenance and ease of use, commonly used script fragments are often stored in a server-side include file. Include files use .stm, .shtm, or .shtml as standard extensions. Anyone who knows how to look for include files can download them if they are stored in a directory with browsing enabled.

To prevent users from downloading copies of any of these file types, establish and enforce a policy of always keeping them in directories that disallow directory browsing.
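As an added example (not from the appendix or from IIS), the check below applies the sidebar's two rules to a set of constructed directory records: an ASP directory needs Execute but must not grant Read, and no directory holding .asp or include files may allow directory browsing. The record fields are this example's own names, not IIS metabase properties.

```python
"""Check Web directory settings against the "Who Is Reading Your Server-Side
Scripts?" policy. Added example, not from the appendix or from IIS: the
directory records are constructed, and the field names are this example's
own, not IIS metabase property names.
"""
import os
from dataclasses import dataclass

SCRIPT_EXTENSIONS = {".asp"}
INCLUDE_EXTENSIONS = {".stm", ".shtm", ".shtml"}  # standard server-side include extensions


@dataclass(frozen=True)
class WebDirectory:
    path: str
    files: tuple     # file names present in the directory (constructed sample)
    read: bool       # Read permission granted to browser users
    execute: bool    # Script/Execute permission, required for .asp files to run
    browsing: bool   # directory browsing enabled


def extensions(directory):
    """Lower-cased set of file extensions present in the directory."""
    return {os.path.splitext(name)[1].lower() for name in directory.files}


def findings_for(directory):
    """Return the policy violations for one directory, as short strings."""
    exts = extensions(directory)
    has_scripts = bool(exts & SCRIPT_EXTENSIONS)
    has_includes = bool(exts & INCLUDE_EXTENSIONS)
    findings = []
    if has_scripts and not directory.execute:
        findings.append(".asp files present but Execute permission is not set")
    if has_scripts and directory.read:
        findings.append("Read permission on an ASP directory exposes the script source")
    if (has_scripts or has_includes) and directory.browsing:
        findings.append("directory browsing lets include and script files be downloaded")
    return findings


def audit(directories):
    """Map each non-compliant directory path to its list of findings."""
    report = {}
    for directory in directories:
        findings = findings_for(directory)
        if findings:
            report[directory.path] = findings
    return report


# Constructed sample: a small Flyers Club site with one misconfiguration of each kind.
SAMPLE_SITE = (
    WebDirectory("/flyersclub", ("login.asp", "account.asp"), read=True, execute=True, browsing=False),
    WebDirectory("/flyersclub/inc", ("header.stm", "dbconnect.shtml"), read=True, execute=False, browsing=True),
    WebDirectory("/images", ("logo.gif",), read=True, execute=False, browsing=True),
    WebDirectory("/secure", ("order.asp",), read=False, execute=True, browsing=False),
)

if __name__ == "__main__":
    for path, findings in audit(SAMPLE_SITE).items():
        for finding in findings:
            print(f"{path}: {finding}")
```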

Adopting Technologies and Standards

Technologies and Standards for the Server Side

Use your primary security goals (such as those listed above) to select security technologies and standards for each area of site security: authentication, authorization, privacy, integrity, availability, auditing, and nonrepudiation. Build your security plans, policies, and practices around these technologies and standards.

Strong Authentication

Use authentication schemes that are integrated with your network operating systems, and that use Internet standard protocols. Examples:

  • Network authentication protocols, such as the Kerberos v5 authentication protocol, a feature of Microsoft® Windows® 2000 Server security, distribute tickets that limit the exposure of passwords and that authenticate users for network-wide access to resources. The Kerberos v5 protocol is a widely used Internet standard for network-wide authentication.

  • Public-key client certificate authentication allows users to communicate across the Internet with your site, without exposing passwords or data that would be vulnerable to easy interception.

You might also need to support special functions such as smart-card authentication, or server certificates with public keys that allow users to authenticate your servers as trusted sources.

System-Integrated Authorization

In order to control access to resources, you will need authorization (access control) standards. Do not rely on application-level access to resources. Instead, use network-wide authorization services such as discretionary access control lists (DACLs) in Windows 2000 Server.

Network-wide authorization will make it easy for authenticated employees and customers to use the resources they need, while allowing you to efficiently control access to valuable resources.

Protected Privacy and Data Integrity

Select technologies that, by using encryption, are able to protect user privacy and data integrity across the network. Set a protocol standard for your site that is supported across the Internet community, such as:

  • Secure Sockets Layer (SSL)

  • Transport Layer Security (TLS)

  • Internet Protocol Security (IPSec)

Assured Availability

Attacks that cause denial of service to users, such as crashing a server system, are difficult to defend against, or even to predict. Develop security policies that mandate clustering and solid backup practices, in order to provide the most availability to your users at the lowest possible cost.

Timely Auditing

A good auditing policy demands that you record events of interest that take place on your system and evaluate them in a timely fashion. Timely audit trails facilitate the pursuit of perpetrators, while delayed audit trails often lead to fixing the security problem when it is too late: after the perpetrator has completed all destructive actions.
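Timely evaluation means reading the audit trail while an intrusion is still in progress, not after the fact. The script below is an added example, not code from the original page or from IIS: it parses log lines in the W3C extended format that IIS writes (the lines themselves are constructed samples) and raises an event when one client address accumulates five 401 responses within a minute, or when a client directly requests a server-side include file. The thresholds and the two rules are assumptions chosen for illustration.

```python
"""Evaluate IIS W3C extended log lines promptly for events worth following up.

Added example for this appendix, not from the original page or from IIS.
The log lines are constructed samples in W3C extended format; the
thresholds below are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2000-03-01 10:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2000-03-01 10:00:01 10.0.0.5 - GET /default.htm 200
2000-03-01 10:00:02 10.0.0.9 - GET /orders/default.asp 401
2000-03-01 10:00:03 10.0.0.9 - GET /orders/default.asp 401
2000-03-01 10:00:04 10.0.0.9 - GET /orders/default.asp 401
2000-03-01 10:00:05 10.0.0.9 - GET /orders/default.asp 401
2000-03-01 10:00:06 10.0.0.9 - GET /orders/default.asp 401
2000-03-01 10:00:30 10.0.0.9 jsmith GET /orders/default.asp 200
2000-03-01 10:01:00 10.0.0.7 - GET /scripts/header.stm 200
2000-03-01 10:01:10 10.0.0.5 - GET /products.htm 200
2000-03-01 10:02:00 10.0.0.7 - GET /include/footer.shtm 200
"""

INCLUDE_EXTS = (".stm", ".shtm", ".shtml")


def parse_w3c(text):
    """Yield one dict per record, using the field names from the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip malformed lines instead of aborting the review
        yield dict(zip(fields, values))


def find_events(text, fail_threshold=5, window=timedelta(seconds=60)):
    """Return a list of (timestamp, client ip, description) in log order."""
    events = []
    failures = defaultdict(deque)   # client ip -> timestamps of recent 401s
    alerted = set()                 # report each address once per run
    for rec in parse_w3c(text):
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        ip = rec["c-ip"]
        if rec["sc-status"] == "401":
            recent = failures[ip]
            recent.append(ts)
            while recent and ts - recent[0] > window:   # drop failures outside the window
                recent.popleft()
            if len(recent) >= fail_threshold and ip not in alerted:
                alerted.add(ip)
                events.append((ts, ip, f"{len(recent)} authentication failures within {window.seconds}s"))
        stem = rec["cs-uri-stem"].lower()
        if stem.endswith(INCLUDE_EXTS):
            # A direct request for an include file is worth checking against the
            # directory's browsing and read settings.
            events.append((ts, ip, f"direct request for include file: {stem}"))
    return events


if __name__ == "__main__":
    for ts, ip, description in find_events(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {ip} {description}")
```

On the sample, the burst from 10.0.0.9 is reported at 10:00:06, before the successful logon at 10:00:30, which is exactly the point at which a response is still useful; the two include-file requests from 10.0.0.7 are listed for review. Feed the script the live log at short intervals rather than the rotated file from the day before.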

Effective Nonrepudiation

Make it difficult for users to take action only to repudiate it later. When users can engage in business transactions and then deny that they have done so, they can cost your organization resources and diminish its good name with customers and business partners.

Requiring the signing of acceptable-use policies is the first step in discouraging employees and customers alike from wrongly repudiating the actions they might take. For example, in the acceptable-use policy for customers, state explicitly that customers are committing themselves to take full responsibility for orders they submit.

Client Security Management

To protect your site and the users who provide content for it, prevent users from downloading unsafe files over the Internet. Set and enforce browser and e-mail security for at least those users who provide content to your site. Establish a policy for maintaining a list of restricted sites, and set browser restrictions accordingly. Use a centralized browser management package to lock in browser security settings (see the sidebar, "Locking in Security Settings for Microsoft Internet Explorer and Outlook" for an example of how to do this).

Locking in Security Settings for Microsoft Internet Explorer and Outlook

Develop and implement an effective browser security policy in your organization in order to prevent browser users from downloading possibly dangerous content. For Windows:

  1. Use Microsoft® Internet Explorer 5, or later, as the standard browser in your organization.

  2. Establish a browser security policy that protects users against downloading unsafe active content. At a minimum, require that browsers be set on High security for the Restricted sites zone and on Medium security for the Internet zone. (From the View menu, select Internet Options, then click the Security tab. Then select from the Zones drop-down menu.)

  3. Implement the policy, using the Microsoft® Internet Explorer Administration Kit. This policy will lock in effective security levels on all browsers in your organization.

Effective Internet Explorer security will also protect against downloading unsafe e-mail content when using Microsoft® Outlook® 98 as a mail client, because Outlook 98 uses Internet Explorer components (including the rendering engine) to enable its Web features.

Firewalls

If your Web site is but one of many within your organization, a corporate firewall placed between your intranet and the Internet will partially protect it from intrusion. The firewall protects your intranet or corporate LAN from intrusion, by controlling access from the Internet, or other large network.

Firewalls vary in their approach to providing security. IP packet filtering offers weak security, is cumbersome to manage, and is easily defeated. Application gateways are more secure than packet filters and easier to manage because they only deal with a few specific applications, such as a particular e-mail system. Proxy servers can provide application gateways, safe access for anonymous users, and other services.

Take advantage of the firewall security features that can help you. Your firewall administrator might be able to fine-tune the firewall's access control in order to meet your site's needs. The best firewalls produce reports on all attempts at unauthorized access. Use these reports in your own monitoring efforts.

Do not place sole reliance for Web site security on your corporate firewall. Above all, do not take the effectiveness of your corporate firewall for granted. Among the reasons to resist this temptation:

  • Firewalls are fallible. They are often breached. The viruses designed to breach firewalls and wreak havoc on your site are called Trojan Horses for good reason: they get past the gate (the firewall).

  • Firewalls are subject to constant technological change. As your organization upgrades its firewall, the firewall security scheme might change. Do you know what the new scheme entails? Does it meet your needs?

  • Firewall security policy changes to meet changing needs. Are the security needs of your site included?

Whatever its security scheme, once the firewall has been breached, you must rely on your own site security measures to defend its resources against intruders.

Security Checklists

Make your Web site security policies complete and explicit. Link them to practices that include recording information in security checklists. Emphasize accountability by requiring signatures of employees who fill out the checklists.

Example: Security Initialization Checklist

Create a checklist for each server platform and the Web services running on it. Record items that impact security (see Table B.3):

  • Storage formats used

  • Bug fixes and service packages

  • TCP port access information

You can use the sample checklist in Table B.3 to record security information for a Windows 2000-based server used as a Web site. The checklist reflects a least-access approach to security.

Table B.3 Sample Windows 2000/IIS 5.0 Security Initialization Checklist

  1. Server Initialization

    Computer name ___________________________________________
    Setup by Name (print): _______________________________
    Signature __________________________________
    Setup date ___________________________________________

    Computer manufacturer/model ____________________________
    CPUs, make, model, speed ____________________________
    Memory _______________ Network card(s) _____________________
    __________________________________________________________

    Hard drive formatted in NTFS Yes __ No __
    NTFS 8.3 Name Generation turned off Yes __ No __

    Service Packs and hot-fixes applied Date applied/reference

    Windows 2000 _________________________ ___________________
    _________________________ ___________________
    _________________________ ___________________

    IIS 5.0 _________________________ ___________________
    _________________________ ___________________
    _________________________ ___________________

    SSL ________________________ ___________________
    _________________________ ___________________
    _________________________ ___________________

    _________________________ ___________________
    _________________________ ___________________
    _________________________ ___________________

  2. TCP Ports Access Limits

    Port 80 access by SSL only Yes____ No____
    Port 443 access by SSL only Yes____ No____

    TCP Notes (other ports and access methods used) ________________
    __________________________________________________________
    __________________________________________________________
    __________________________________________________________

  3. Unneeded Services Log

    Service                                             Installed/Enabled    Note
    FTP Publishing                                      Yes___ No___         ________________
    NNTP Service                                        Yes___ No___         ________________
    SMTP Service                                        Yes___ No___         ________________
    Content Index                                       Yes___ No___         ________________
    Certification Authority                             Yes___ No___         ________________
    Plug and Play (recommended)                         Yes___ No___         ________________
    RPC Locator (required for remote administration)    Yes___ No___         ________________
    Server Service                                      Yes___ No___         ________________
    Telephony Service                                   Yes___ No___         ________________
    Remote Access (required for dialup access)          Yes___ No___         ________________
    Alerter                                             Yes___ No___         ________________
    ClipBook Server                                     Yes___ No___         ________________
    Computer Browser                                    Yes___ No___         ________________
    DHCP Client                                         Yes___ No___         ________________
    Messenger                                           Yes___ No___         ________________
    Net Logon                                           Yes___ No___         ________________
    Network DDE and DSDM                                Yes___ No___         ________________
    Network Monitor Agent                               Yes___ No___         ________________
    Simple TCP/IP Services                              Yes___ No___         ________________
    Spooler                                             Yes___ No___         ________________
    NetBIOS Interface                                   Yes___ No___         ________________
    TCP/IP NetBIOS Helper                               Yes___ No___         ________________
    WINS Client (TCP/IP)                                Yes___ No___         ________________
    NWLink NetBIOS                                      Yes___ No___         ________________
    NWLink IPX/SPX                                      Yes___ No___         ________________
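Sections 2 and 3 of the checklist (TCP port access limits and the unneeded services log) can be filled from the server's own command output rather than by hand, which also makes it easy to re-run the check after every service pack or configuration change. The script below is an added example for this appendix, not code from the original page: the `netstat -an` and `net start` samples are constructed, the set of ports a Web server should listen on is assumed to be 80 and 443, and the service display names are an assumption about how `net start` prints the entries of Table B.3 (the table's "Spooler" appears as "Print Spooler"); entries the table marks as recommended or required are left out of the unneeded set.

```python
"""Fill in the TCP port and unneeded-service parts of a security
initialization checklist from command output.

Added example for this appendix, not from the original page. The two
samples below are constructed in the shape of Windows 'netstat -an' and
'net start' output; on a real host, capture those commands' output and
pass it to the same functions.
"""
import re

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    10.0.0.2:80            10.0.0.5:1044          ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

NET_START_SAMPLE = """\
These Windows 2000 services are started:

   Alerter
   Computer Browser
   Event Log
   FTP Publishing Service
   IIS Admin Service
   Messenger
   Plug and Play
   Print Spooler
   Server
   World Wide Web Publishing Service

The command completed successfully.
"""

# Ports a Web server is expected to listen on (HTTP and HTTPS); an assumption.
ALLOWED_TCP_PORTS = {80, 443}

# Entries from Table B.3 that a dedicated Web server normally does not need.
# The display names are an assumption about how 'net start' prints them
# (the table's "Spooler" is the "Print Spooler" service); entries the table
# marks as recommended or required are deliberately left out.
UNNEEDED_SERVICES = {
    "Alerter", "ClipBook Server", "Computer Browser", "FTP Publishing Service",
    "Messenger", "Network DDE", "Network DDE DSDM", "Network Monitor Agent",
    "NNTP Service", "SMTP Service", "Print Spooler", "Simple TCP/IP Services",
    "Telephony Service",
}

# Matches a TCP socket in LISTENING state and captures its local port.
_LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.M)


def listening_tcp_ports(netstat_text):
    """Set of TCP ports in LISTENING state, parsed from 'netstat -an' output."""
    return {int(m.group(1)) for m in _LISTEN_RE.finditer(netstat_text)}


def unexpected_ports(netstat_text, allowed=ALLOWED_TCP_PORTS):
    """Listening TCP ports that the checklist policy does not account for."""
    return listening_tcp_ports(netstat_text) - allowed


def started_services(net_start_text):
    """Set of service display names from 'net start' output."""
    names = set()
    for line in net_start_text.splitlines():
        # Service names are indented; the banner and trailer lines are not.
        if line.startswith("   ") and line.strip():
            names.add(line.strip())
    return names


def unneeded_started(net_start_text, unneeded=UNNEEDED_SERVICES):
    """Services that are running but that the checklist says to disable."""
    return started_services(net_start_text) & unneeded


def checklist_report(netstat_text, net_start_text):
    """Render the findings in the layout of sections 2 and 3 of Table B.3."""
    lines = ["2. TCP Ports Access Limits"]
    for port in sorted(listening_tcp_ports(netstat_text)):
        status = "expected" if port in ALLOWED_TCP_PORTS else "REVIEW: not in policy"
        lines.append(f"    Port {port} listening  {status}")
    lines.append("3. Unneeded Services Log")
    for name in sorted(unneeded_started(net_start_text)):
        lines.append(f"    {name}  Installed/Enabled: Yes  Note: disable per policy")
    return "\n".join(lines)


if __name__ == "__main__":
    print(checklist_report(NETSTAT_SAMPLE, NET_START_SAMPLE))
```

On the samples, ports 21 and 139 are flagged for review and five running services (Alerter, Computer Browser, FTP Publishing Service, Messenger, Print Spooler) are listed for disabling; Plug and Play and Server are running but not reported, matching the table's annotations. Keep the rendered report with the signed checklist so the recorded state can be compared with the next run.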

Pursuit

When a security incident occurs that requires a coordinated response from outside your site team, you should be ready to follow up with a plan and a policy. Be prepared to:

  • Report incidents to your central authority. If your organization is large, it might have standard incident reporting procedures, and incident response teams to handle them. If that is the case, incorporate these procedures into your security incident reporting policy.

  • Report incidents to the appropriate governmental authorities. Incidents involving attacks from outside your state or outside the U.S. should be reported to the FBI.

  • Report problems to appropriate vendors and Internet security monitoring and coordination organizations, such as the CERT® Coordination Center (https://www.cert.org), bugtraq, or ntbugtraq.

In addition to a policy, you should have contact information for reporting incidents to all pertinent authorities.

Additional Resources

The following Web sites and books provide additional information about IIS 5.0 and about other features of Windows 2000 Server.

https://www.ntbugtraq.com

The ntbugtraq Web site hosts the leading Internet mailing list for tracking Windows NT and Windows 2000 Server-related bugs.

https://www.cert.org

The CERT Coordination Center manages responses to security incidents and security vulnerability reports, and provides information about a wide range of security-related issues.

ftp://ftp.isi.edu/in-notes/rfc2196.txt

RFC 2196 is a site security planning document published by the Internet Engineering Task Force (IETF). Coverage includes policy formation and content, many technical network security topics, and incident response.

https://www.iss.net

The Internet Security Systems Web site is a source of links to FAQs, mailing lists, newsgroups, and other security-related resources. The company describes its security products at this site as well.

https://www.microsoft.com/security/default.asp

This is the most comprehensive and up-to-date site dealing with Microsoft security. Coverage includes Microsoft's security bulletins, information about security for each Microsoft product and technology, and links to other security information resources.

https://www.sans.org/newlook/home.htm

The SANS Institute is an organization dedicated to helping computing and networking professionals share their experiences in solving the problems they face. The Institute provides publications and online information and hosts conferences and seminars on network security. Publications on Windows NT security include: SANS NT Digest and Windows NT Security: Step-by-Step Guide.

https://www.trustedsystems.com/tss_nsa_guide.htm

Trusted Systems wrote Windows NT Security Guidelines through a year-long project for the National Security Agency (NSA). It provides guidelines for configuring Windows NT for optimum security, including government C2-level security. You can download the guidelines from this site.

https://www.w3.org/security

The World Wide Web Consortium (W3C) pages on security cover many important security issues and technologies. The site is also a good portal to other security-related sites.

Books

Extranets by Richard H. Baker, 1997, New York: McGraw-Hill.

A complete sourcebook on how to plan, implement and secure extensions to your intranet that reach out to business partners and customers.

Mastering Internet Security by Chris Benton, 1998, Cybex.

The book is a comprehensive guide to planning security, writing security policies, as well as choosing and using security tools for a multiplatform network.

Hacker Proof, The Ultimate Guide to Network Security by Lars Klander, 1997, Houston: Jamsa Press.

A great resource for understanding network security issues and learning what to do about them. Excellent descriptions of encryption and hash values.
