Site Security Planning

  • Article

Next Topic

Security Checklists

Make your Web site security policies complete and explicit. Link them to practices that include recording information in security checklists. Emphasize accountability by requiring signatures of employees who fill out the checklists.

Example: Security Initialization Checklist

Create a checklist for each server platform and the Web services running on it. Record items that impact security (see Table B.3):

  • Storage formats used

  • Bug fixes and service packages

  • TCP port access information

You can use the sample checklist in Table B.3 to record security information for a Windows 2000based server used as a Web site. The checklist reflects a least-access approach to security.

Table B.3   Sample Windows 2000/IIS 5.0 Security Initialization Checklist

  1. Server Initialization
    Computer name___________________________________________ Setup by Name (print):_______________________________ Signature__________________________________ Setup date ___________________________________________ Computer manufacturer/model____________________________ CPUs, make, model, speed____________________________ Memory _______________  Network card(s) _____________________ __________________________________________________________ Hard drive formatted in NTFS Yes __  No __ NTFS 8.3 Name Generation turned off Yes __  No __ Service Packs and hot-fixes appliedDate applied/reference
    Windows 2000____________________________________________ ____________________________________________ ____________________________________________
    IIS 5.0____________________________________________ ____________________________________________ ____________________________________________
    SSL____________________________________________ ____________________________________________ ____________________________________________

____________________________________________ ____________________________________________ ____________________________________________

  1. TCP Ports Access Limits Port 80 access by SSL only Yes____   No____ Port 443 access by SSL onlyYes____   No____

TCP Notes (other ports and access methods used)________________ __________________________________________________________ __________________________________________________________ __________________________________________________________

  1. Unneeded Services Log

ServiceInstalled/Enabled

FTP PublishingYes___   No___   Note________________ NNTP ServiceYes___   No___   Note________________ SMTP ServiceYes___   No___   Note________________ Content IndexYes___   No___   Note________________ Certification AuthorityYes___   No___   Note________________ Plug and Play (recommended)Yes___   No___   Note________________ RPC LocatorYes___   No___   Note________________ (required for remote administration) Server ServiceYes___   No___   Note________________ Telephony ServiceYes___   No___   Note________________ Remote AccessYes___   No___   Note________________ (required for dialup access) AlerterYes___   No___   Note________________ ClipBook ServerYes___   No___   Note________________ Computer BrowserYes___   No___   Note________________ DHCP ClientYes___   No___   Note________________ MessengerYes___   No___   Note________________ Net LogonYes___   No___   Note________________ Network DDE and DSDMYes___   No___   Note________________ Network Monitor AgentYes___   No___   Note________________ Simple TCP/IP ServicesYes___   No___   Note________________ SpoolerYes___   No___   Note________________ NetBIOS InterfaceYes___   No___   Note________________ TCP/IP NetBIOS HelperYes___   No___   Note________________ WINS Client (TCP/IP)Yes___   No___   Note________________ NWLink NetBIOSYes___   No___   Note________________ NWLink IPX/SPXYes___   No___   Note________________