[fw-wiz] iis 6.0 and sharepoint portal security checklist

From: Hilal Hussein (hilalma_at_hotmail.com)
Date: 12/08/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Wed, 08 Dec 2004 06:02:54 +0000
    
    

    Dear Gents,

    I have an assignment to do a security checklist for system and application
    compliance.
    As for the system, I am using a security template and finding the
    non-compliances.
    But for the application, it is quite difficult, as we have different
    applications that even need software to report the non-compliances with
    our security policy, or a security checklist.
    For example, below is a part of a security checklist for IIS 5.0:

    ID   Security check item                                 Compliance status
    1    Install IIS on stand-alone server (member server)
    2    Install only OS and required IIS 5.0 components (no applications or
         development tools)
    3    Create a new inetpub root directory on separate drive or partition
         from OS and other programs. Use a name other than Inetpub to help
         counter potential attacks.
    4    Remove all protocol stacks except TCP/IP
    5    Disable all non-required services
    6    IUSR-Computername account must be disabled. However if exception
         granted the following privileges must be set on the account:
             o Select User cannot change password
             o Select password never expires
             o Remove log on as a batch service
             o Grant access this computer from the network
    7    Disable the IUSR-Computername account, if not otherwise approved by
         ISSD. Using anonymous access is subject to security approval

    So, here come the questions:
    1 - Is there any similar security checklist for IIS 6.0 (knowing that it
    is by default more secure than IIS 5.0)?
    2 - Is there any similar security checklist for SharePoint Portal?

    Thanks in advance for your support,

    regards,
    Hilal

    Hilal Hussein
    Senior Security Officer
    ISSD
    NCB - Jeddah - KSA
    +966507169910


    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

