Reviewing Security Policies, Processes, and Procedures

Applies To: Windows Server 2003, Windows Server 2003 with SP1

As a part of maintaining the security of your Web server, you must perform periodic reviews of the security policies, processes, and procedures in use by your organization. Review your security practices for any changes that might affect the security of the Web server. These changes in security practices can include the following:

  • Ensuring that any recent security risks are mitigated:
    As new security risks are identified, such as new viruses, you need to ensure that your security practices help mitigate these risks. If your current security practices do not address the new risks, then modify them to help mitigate the risks.

  • Identifying changes in Web server configuration that can compromise security:
    Through the course of normal administration of the Web server, configuration changes are made. During this process, security settings might have been inadvertently changed. You need to periodically review the configuration of the Web server to ensure that it complies with the security requirements of your organization.

You can categorize these Web server security practices by their function, such as operating system security, security policies, firewall security, and router security. In addition, the frequency with which these processes and procedures are completed varies. Some security practices need to be completed continuously while others might be completed monthly.

Table 3.14, Table 3.15, Table 3.16, and Table 3.17 list examples of security policies, processes, and procedures for an ISP, grouped by categories. These examples are representative of the types of security practices that are required to maintain the security of your Web server. For more information about the security policies, processes, and procedures for your Web server, see Managing a Secure IIS 6.0 Solution.

Table 3.14 Windows Server 2003 Operating System Security

Security Policy, Process, or Procedure                              Frequency
------------------------------------------------------------------  ---------
Limit user rights to only those that are required.                  Constant

Limit any windows for vulnerabilities that can be exploited when    Constant
deploying new servers.

Limit Terminal Services access to only necessary accounts.          Constant

Run a two-tier DNS structure to protect the identity of internal    Constant
servers.

Run an intrusion detection system.                                  Constant

Scan the ports in use on your server addresses and addresses        Daily
assigned to remote users.

Review event and IIS logs.                                          Weekly

Test firewalls from inside and outside by using port scanners and   Weekly
other appropriate tools.
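The "Review event and IIS logs" row is a weekly procedure. The script that follows is an example added here, not code from the original page or from Microsoft; it shows what part of that review can be automated for an IIS 6.0 log in the default W3C Extended format. It reads the column names from the #Fields directive instead of hard-coding them, then reports clients with repeated 401 responses, clients with many 404 responses, and every server error. The log excerpt is constructed to look like IIS output, and the two thresholds are assumptions to tune for your own traffic.

```python
"""Weekly review of IIS W3C Extended logs (the default IIS 6.0 log format).

Added example, not from the original page. The log excerpt is constructed
to look like an IIS 6.0 W3C Extended log; the review thresholds are
assumptions and should be tuned to the traffic your own site sees."""
from collections import Counter

# Constructed sample: a Web server at 10.0.0.5 serving three clients.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-03-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-03-01 00:00:01 10.0.0.5 GET /default.htm - 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2005-03-01 00:00:02 10.0.0.5 GET /admin/ - 80 - 198.51.100.7 Mozilla/4.0 401 2 5
2005-03-01 00:00:03 10.0.0.5 GET /admin/ - 80 - 198.51.100.7 Mozilla/4.0 401 2 5
2005-03-01 00:00:04 10.0.0.5 GET /admin/ - 80 - 198.51.100.7 Mozilla/4.0 401 2 5
2005-03-01 00:00:05 10.0.0.5 GET /admin/ - 80 - 198.51.100.7 Mozilla/4.0 401 2 5
2005-03-01 00:00:06 10.0.0.5 GET /admin/ - 80 - 198.51.100.7 Mozilla/4.0 401 2 5
2005-03-01 00:00:07 10.0.0.5 GET /scripts/a.exe - 80 - 203.0.113.9 Mozilla/4.0 404 0 2
2005-03-01 00:00:08 10.0.0.5 GET /scripts/b.exe - 80 - 203.0.113.9 Mozilla/4.0 404 0 2
2005-03-01 00:00:09 10.0.0.5 GET /scripts/c.exe - 80 - 203.0.113.9 Mozilla/4.0 404 0 2
2005-03-01 00:00:10 10.0.0.5 GET /_vti_bin/x - 80 - 203.0.113.9 Mozilla/4.0 404 0 2
2005-03-01 00:00:11 10.0.0.5 POST /order.asp - 80 - 192.0.2.10 Mozilla/4.0 500 0 0
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields
    directive. W3C Extended fields are space-separated and IIS writes '+'
    for spaces inside a value, so a plain split on single spaces is safe."""
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):  # other directives (#Software, #Version, #Date)
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: data before #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        yield dict(zip(fields, values))


def review(text, auth_fail_threshold=5, not_found_threshold=3):
    """Return what a weekly review should put in front of a person: clients
    with repeated 401s (guessing at credentials), clients with many 404s
    (probing for files that are not there), and every 5xx response."""
    auth_failures = Counter()
    not_found = Counter()
    server_errors = []
    for rec in parse_w3c(text):
        status = int(rec["sc-status"])
        client = rec["c-ip"]
        if status == 401:
            auth_failures[client] += 1
        elif status == 404:
            not_found[client] += 1
        elif status >= 500:
            server_errors.append((rec["date"] + " " + rec["time"],
                                  rec["cs-method"], rec["cs-uri-stem"], status))
    findings = []
    for client, n in auth_failures.most_common():
        if n >= auth_fail_threshold:
            findings.append(("repeated authentication failures", client, n))
    for client, n in not_found.most_common():
        if n >= not_found_threshold:
            findings.append(("many 404 responses (possible probing)", client, n))
    return {"findings": findings, "server_errors": server_errors}


if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    for kind, client, n in report["findings"]:
        print(f"{kind}: {client} ({n} requests)")
    for when, method, path, status in report["server_errors"]:
        print(f"server error {status}: {when} {method} {path}")
```

Because the parser trusts the #Fields line, the same code keeps working when the set of logged fields is changed in the IIS logging properties, as long as the fields the review needs (c-ip, sc-status, date, time, cs-method, cs-uri-stem) stay enabled.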

Table 3.15 Windows Server 2003 Policy Security

Security Policy, Process, or Procedure                              Frequency
------------------------------------------------------------------  ---------
Explicitly deny interactive logon user right to all                 Constant
non-administrative accounts.

Explicitly deny "Allow logon through Terminal Services" user right  Constant
to all non-administrative accounts.

Enable FULL (Success/Failure) auditing on domain Group Policy       Constant
objects.

Send event notification when events like User added to Domain       Constant
Administrators occur.

Allow only Administrators to have write permissions on all content  Constant
servers.

Require strong passwords for all users.                             Constant

Require smart cards for all administrators.                         Constant

Allow administrators to log on only to specific workstations.       Constant

Enable account lockout policies for failed logon attempts.          Constant

Audit the domain Group Policy object.                               Monthly

Audit Active Directory user rights.                                 Monthly

Audit all servers to determine if nonessential services are         Monthly
running.
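The row "Send event notification when events like User added to Domain Administrators occur" depends on the FULL auditing row above it: with account-management auditing enabled, the Security log records every group-membership change, and the notification is a filter over those records. The script that follows is an example added here, not code from the original page or from Microsoft. It runs over a constructed, simplified export of Security events (dicts, not real log output) and raises one alert per addition to a privileged group, with the severity raised when the account that made the change is not on an approved list or added itself. The privileged-group list and the approved-caller list are assumptions for this example; the event IDs are the Windows Server 2003 IDs for "member added" events together with the IDs later Windows versions use.

```python
"""Notification on additions to privileged groups ("User added to Domain
Administrators" in Table 3.15), run over exported Security log events.

Added example, not from the original page. The event records are
constructed in a simplified dict form, not real log output; the privileged
group list and the approved-caller list are assumptions for this example."""

# Security event IDs that record a member being added to a security-enabled
# group: the Windows Server 2003 IDs, and the IDs later Windows versions use.
MEMBER_ADDED_EVENT_IDS = {
    632,   # global group member added (Windows Server 2003)
    636,   # local group member added
    660,   # universal group member added
    4728,  # global group member added (Windows Vista / Server 2008 and later)
    4732,  # local group member added
    4756,  # universal group member added
}

# Assumption: groups whose membership changes must always be notified.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Account Operators",
}

# Constructed sample export: one day's group-membership events.
SAMPLE_EVENTS = [
    {"time": "2005-03-01 09:12:44", "event_id": 632, "target_group": "Domain Admins",
     "member": "CORP\\jdoe", "caller": "CORP\\helpdesk1"},
    {"time": "2005-03-01 09:40:02", "event_id": 632, "target_group": "Sales Users",
     "member": "CORP\\asmith", "caller": "CORP\\helpdesk1"},
    {"time": "2005-03-01 10:05:19", "event_id": 633, "target_group": "Domain Admins",
     "member": "CORP\\old.admin", "caller": "CORP\\secadmin"},  # a removal, not an addition
    {"time": "2005-03-01 11:30:55", "event_id": 636, "target_group": "Administrators",
     "member": "CORP\\svc_backup", "caller": "CORP\\secadmin"},
    {"time": "2005-03-01 23:58:07", "event_id": 4728, "target_group": "Enterprise Admins",
     "member": "CORP\\jdoe", "caller": "CORP\\jdoe"},
]


def privileged_group_alerts(events, approved_callers=frozenset()):
    """Return one alert per addition to a privileged group.

    Every such addition is reported; severity is "high" when the account that
    made the change is not on the approved list, or when an account added
    itself, which no approved change process does that way."""
    alerts = []
    for ev in events:
        if ev["event_id"] not in MEMBER_ADDED_EVENT_IDS:
            continue
        if ev["target_group"] not in PRIVILEGED_GROUPS:
            continue
        self_added = ev["caller"] == ev["member"]
        unapproved = ev["caller"] not in approved_callers
        alerts.append({
            "time": ev["time"],
            "group": ev["target_group"],
            "member": ev["member"],
            "caller": ev["caller"],
            "self_added": self_added,
            "severity": "high" if (unapproved or self_added) else "info",
        })
    return alerts


def format_alert(alert):
    """One line per alert, suitable for an e-mail or pager notification."""
    return (f"[{alert['severity'].upper()}] {alert['time']} {alert['member']} added to "
            f"{alert['group']} by {alert['caller']}"
            + (" (account added itself)" if alert["self_added"] else ""))


if __name__ == "__main__":
    for a in privileged_group_alerts(SAMPLE_EVENTS, approved_callers={"CORP\\secadmin"}):
        print(format_alert(a))
```

Additions by an approved administrator still produce an "info" alert rather than being dropped, so the monthly audit of Active Directory user rights has a complete record of who was added to which group and by whom.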

Table 3.16 Firewall and Router Security

Security Policy, Process, or Procedure                              Frequency
------------------------------------------------------------------  ---------
Restrict the network segments where management traffic is allowed.  Constant

By default, deny IP traffic and log any failed attempts.            Constant

Ensure that the minimal firewall rules are enforced, including:     Constant
  • Explicitly deny all traffic to the following:
    • TCP and UDP ports 135-139, 445 (NetBIOS/SMB)
    • TCP and UDP port 3389 (Terminal Services)
    • Domain controllers
    • Internal DNS servers
  • Permit traffic to TCP and UDP port 53 (DNS) to external DNS servers.
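The three rows of Table 3.16 describe one rule set: a default that denies and logs, explicit denies for the listed ports and hosts, and a single permit for DNS to external servers. The script that follows is an example added here, not code from the original page or from Microsoft, and it is not the syntax of any particular firewall product. It models first-match rule evaluation with default deny-and-log, and checks a rule set against the flows the table requires, contrasting the weak setting (one permit-everything rule) with the corrected rule set. The Rule structure and the addresses (domain controllers in 10.1.0.0/24, internal DNS at 10.1.1.10, external DNS at 192.0.2.53, the Web server at 10.2.0.5) are assumptions for this example.

```python
"""First-match evaluation of a perimeter rule set against the minimum rules
in Table 3.16, with default deny-and-log for anything not matched.

Added example, not from the original page. The Rule structure and the
addresses (domain controllers in 10.1.0.0/24, internal DNS at 10.1.1.10,
external DNS at 192.0.2.53, the Web server at 10.2.0.5) are assumptions
made for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    proto: str         # "tcp", "udp" or "any"
    dst_nets: tuple    # ip_network objects; empty tuple means any destination
    dst_ports: tuple   # (low, high) port ranges; empty tuple means any port
    log: bool = False  # whether a match is written to the firewall log


# Constructed addresses for the example network.
DOMAIN_CONTROLLERS = ip_network("10.1.0.0/24")
INTERNAL_DNS = ip_network("10.1.1.10/32")
EXTERNAL_DNS = ip_network("192.0.2.53/32")
WEB_SERVER = ip_network("10.2.0.5/32")

# The weak setting: one rule that permits everything.
WEAK_RULES = (Rule("permit", "any", (), ()),)

# The corrected rule set, in the order the firewall evaluates it.
HARDENED_RULES = (
    Rule("deny", "any", (), ((135, 139), (445, 445)), log=True),   # NetBIOS/SMB
    Rule("deny", "any", (), ((3389, 3389),), log=True),            # Terminal Services
    Rule("deny", "any", (DOMAIN_CONTROLLERS,), (), log=True),      # nothing reaches a DC
    Rule("deny", "any", (INTERNAL_DNS,), (), log=True),            # nothing reaches internal DNS
    Rule("permit", "any", (EXTERNAL_DNS,), ((53, 53),)),           # DNS to external servers only
    Rule("permit", "tcp", (WEB_SERVER,), ((80, 80), (443, 443))),  # the published Web site
)


def rule_matches(rule, proto, dst_ip, dst_port):
    """True when the flow falls within every constraint the rule specifies."""
    if rule.proto not in ("any", proto):
        return False
    if rule.dst_nets and not any(dst_ip in net for net in rule.dst_nets):
        return False
    if rule.dst_ports and not any(lo <= dst_port <= hi for lo, hi in rule.dst_ports):
        return False
    return True


def evaluate(rules, proto, dst_ip, dst_port):
    """Return (action, logged) for a flow. The first matching rule wins; a
    flow that matches nothing is denied and logged (the default-deny row)."""
    dst = ip_address(dst_ip)
    for rule in rules:
        if rule_matches(rule, proto, dst, dst_port):
            return rule.action, rule.log
    return "deny", True


# Flows the minimum policy must decide in a specific way.
EXPECTATIONS = (
    ("NetBIOS TCP 139 to the Web server", "tcp", "10.2.0.5", 139, "deny"),
    ("NetBIOS UDP 137 to the Web server", "udp", "10.2.0.5", 137, "deny"),
    ("SMB TCP 445 to the Web server", "tcp", "10.2.0.5", 445, "deny"),
    ("Terminal Services TCP 3389 to the Web server", "tcp", "10.2.0.5", 3389, "deny"),
    ("HTTP to a domain controller", "tcp", "10.1.0.5", 80, "deny"),
    ("DNS to the internal DNS server", "udp", "10.1.1.10", 53, "deny"),
    ("DNS (UDP) to the external DNS server", "udp", "192.0.2.53", 53, "permit"),
    ("DNS (TCP) to the external DNS server", "tcp", "192.0.2.53", 53, "permit"),
    ("HTTP to the Web server", "tcp", "10.2.0.5", 80, "permit"),
    ("unpublished port 8080 on the Web server (default deny)", "tcp", "10.2.0.5", 8080, "deny"),
)


def check_minimum_policy(rules):
    """Return the list of violations; an empty list means the rule set meets Table 3.16."""
    violations = []
    for description, proto, dst_ip, port, expected in EXPECTATIONS:
        action, _ = evaluate(rules, proto, dst_ip, port)
        if action != expected:
            violations.append(f"{description}: expected {expected}, got {action}")
    return violations


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        problems = check_minimum_policy(rules)
        print(f"{name}: {len(problems)} violation(s)")
        for p in problems:
            print("  " + p)
```

The order of the hardened rules matters: the denies for the listed ports and hosts sit above every permit, so a later permit cannot accidentally open NetBIOS, SMB or Terminal Services, and the DNS permit names the external servers explicitly so that port 53 to an internal server still falls through to a deny. Running `check_minimum_policy` against an exported rule set, translated into this form, is one way to carry out the "Test firewalls" row of Table 3.14.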

Table 3.17 Miscellaneous Security

Security Policy, Process, or Procedure                              Frequency
------------------------------------------------------------------  ---------
Run virus scans on all servers.                                     Constant

Monitor security distribution lists and newsgroups for potential    Constant
security issues.

During virus outbreaks, block any suspicious content (such as       Constant
e-mail attachments).

Monitor the number of Non-Delivery mail reports generated           Weekly
(indicates e-mail spamming).

Monitor Simple Mail Transfer Protocol (SMTP) relay attempts that    Weekly
are not valid (indicates e-mail spamming).

Audit accounts to determine the users who are no longer employed    Monthly
at the organization, partner organizations, or customer
organizations.