Site Security Planning
Security Checklists
Make your Web site security policies complete and explicit. Link them to practices that include recording information in security checklists. Emphasize accountability by requiring signatures of employees who fill out the checklists.
Example: Security Initialization Checklist
Create a checklist for each server platform and the Web services running on it. Record items that impact security (see Table B.3):
- Storage formats used
- Bug fixes and service packages
- TCP port access information
You can use the sample checklist in Table B.3 to record security information for a Windows 2000-based server used as a Web site. The checklist reflects a least-access approach to security.
Table B.3 Sample Windows 2000/IIS 5.0 Security Initialization Checklist
- Server Initialization
Computer name ___________________________________________
Setup by Name (print): _______________________________ Signature __________________________________
Setup date ___________________________________________
Computer manufacturer/model ____________________________
CPUs, make, model, speed ____________________________
Memory _______________ Network card(s) _____________________
__________________________________________________________
Hard drive formatted in NTFS            Yes __ No __
NTFS 8.3 Name Generation turned off     Yes __ No __

Service Packs and hot-fixes applied     Date applied/reference
Windows 2000 ____________________________________________ ____________________________________________ ____________________________________________
IIS 5.0      ____________________________________________ ____________________________________________ ____________________________________________
SSL          ____________________________________________ ____________________________________________ ____________________________________________
             ____________________________________________ ____________________________________________ ____________________________________________
- TCP Ports Access Limits
Port 80 access by SSL only      Yes____ No____
Port 443 access by SSL only     Yes____ No____
TCP Notes (other ports and access methods used) ________________
__________________________________________________________
__________________________________________________________
__________________________________________________________
- Unneeded Services Log
Service                       Installed/Enabled
FTP Publishing                Yes___ No___ Note________________
NNTP Service                  Yes___ No___ Note________________
SMTP Service                  Yes___ No___ Note________________
Content Index                 Yes___ No___ Note________________
Certification Authority       Yes___ No___ Note________________
Plug and Play (recommended)   Yes___ No___ Note________________
RPC Locator                   Yes___ No___ Note________________ (required for remote administration)
Server Service                Yes___ No___ Note________________
Telephony Service             Yes___ No___ Note________________
Remote Access                 Yes___ No___ Note________________ (required for dialup access)
Alerter                       Yes___ No___ Note________________
ClipBook Server               Yes___ No___ Note________________
Computer Browser              Yes___ No___ Note________________
DHCP Client                   Yes___ No___ Note________________
Messenger                     Yes___ No___ Note________________
Net Logon                     Yes___ No___ Note________________
Network DDE and DSDM          Yes___ No___ Note________________
Network Monitor Agent         Yes___ No___ Note________________
Simple TCP/IP Services        Yes___ No___ Note________________
Spooler                       Yes___ No___ Note________________
NetBIOS Interface             Yes___ No___ Note________________
TCP/IP NetBIOS Helper         Yes___ No___ Note________________
WINS Client (TCP/IP)          Yes___ No___ Note________________
NWLink NetBIOS                Yes___ No___ Note________________
NWLink IPX/SPX                Yes___ No___ Note________________
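One way to pre-fill the Unneeded Services Log rows of Table B.3 from a service inventory before the responsible employee reviews and signs the checklist; this is an added example, not part of the original guide. The CSV layout, the service key names, and the rule that an enabled service without an annotation in the table needs a justification note are assumptions of this example.

```python
import csv
import io

# Checklist rows from Table B.3 (subset). The service key names on the left
# are an assumption of this example; the table lists display names only.
CHECKLIST = {
    "MSFTPSVC": "FTP Publishing",
    "SMTPSVC": "SMTP Service",
    "PlugPlay": "Plug and Play",
    "RpcLocator": "RPC Locator",
    "RemoteAccess": "Remote Access",
    "Alerter": "Alerter",
}
# Rows that Table B.3 annotates as recommended or conditionally required.
ANNOTATED = {
    "PlugPlay": "recommended",
    "RpcLocator": "required for remote administration",
    "RemoteAccess": "required for dialup access",
}

# Constructed inventory (hypothetical CSV layout: name,start_mode,state).
SAMPLE = """name,start_mode,state
MSFTPSVC,Auto,Running
SMTPSVC,Disabled,Stopped
PlugPlay,Auto,Running
RpcLocator,Manual,Stopped
Alerter,Auto,Running
"""

def fill_log(inventory_csv):
    """Return (label, 'Yes'/'No', note) for every checklist row."""
    found = {r["name"].lower(): r for r in csv.DictReader(io.StringIO(inventory_csv))}
    rows = []
    for key, label in CHECKLIST.items():
        svc = found.get(key.lower())
        if svc is None:
            rows.append((label, "No", "not installed"))
        elif svc["start_mode"].strip().lower() == "disabled":
            rows.append((label, "No", "installed, disabled"))
        elif key in ANNOTATED:
            rows.append((label, "Yes", ANNOTATED[key]))
        else:  # least-access reading: enabled with no stated reason
            rows.append((label, "Yes", "justify or disable"))
    return rows

if __name__ == "__main__":
    for label, enabled, note in fill_log(SAMPLE):
        print(f"{label:<16} {'Yes_X_ No___' if enabled == 'Yes' else 'Yes___ No_X_'} Note: {note}")
```

A service that is installed with a Manual start mode is still recorded as enabled, because it can be started on demand.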