Re: IIS, homenetwork, teenager, sercurity
From: Christopher Haun (a-chaun_at_NOSPAMmicrosoft.com)
Date: 01/12/04
- Next message: Christopher Haun: "RE: Blaster Worm Removal Tool Released"
- Previous message: Christopher Haun: "RE: Response.Redirect problem"
- In reply to: Father: "Re: IIS, homenetwork, teenager, sercurity"
- Next in thread: Brian T. Rowe: "Re: IIS, homenetwork, teenager, sercurity"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 12 Jan 2004 01:36:30 GMT
I applaud your desire to let your son learn by doing and I applaud your
insistence on security.
Having a web server in your home network is not like leaving the front door
of your house ajar for any uninvited bum to stroll through. It can be, but
usually is not.
The first danger comes from worms and scripts that probe for weaknesses.
The starting point here in my opinion begins with three things, at least
one of which you have already mentioned.
1. Firewall -
http://www.microsoft.com/security/protect/windowsxp/firewall.asp. It may
be that the Broadband router you are using to share your internet
connection is giving you some hardware firewall protection. But even so,
it is a good idea to have any PC that is connected to the internet
protected by a firewall. XP has its own firewall. Other third-party
vendors make firewalls. High recommendations either way.
2. Updates. Ensure that Windows Update is set to automatically download and
install. This way you'll be able to keep on top of your critical patches.
Generally speaking, Microsoft plugs their security holes with a patch
before anyone can write and use exploit code against it.
http://www.microsoft.com/security/protect/windowsxp/updates.asp
3. Antivirus -
http://www.microsoft.com/security/protect/windowsxp/antivirus.asp. (not so
much an IIS matter but a good idea anyway.)
4. Insist that your son install the IIS Lockdown Tool. You can download it
for free from:
http://www.microsoft.com/windows2000/downloads/recommended/iislockdown/default.asp
It will lock permissions down on the box. Also, he needs to make sure that
he is not giving the IUSR account or the IWAM account Full Control
anywhere. Those two accounts need to be limited to RX/L/R (Read&Execute,
List, and Read) on the NTFS level of the folder(s) containing the pages and
pictures that are served by IIS (cf., 271071 HOW TO: Set Basic NTFS
Permissions for IIS 5.0 - http://support.microsoft.com/?id=271071)
5. It is a good idea to not keep any sensitive files on a webserver (or any
PC connected to the internet for that matter). If you've got a document or
spreadsheet that contains credit card numbers, social security numbers, or
any other valuable, sensitive, or otherwise embarrassing file, consider not
having such a file on a box that is connected to the WWW.
6. A good idea for any machine, whether it is connected to the internet or
not, but especially for those connected to the internet, is to make regular
backups of data or of the entire hard drive. When a hard drive crashes or a
machine gets hacked, the best thing to do is "restore from latest known
good backup" or reinstall the OS.
For further study, have your son investigate pages like:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/iis/iis5/deploy/depovg/securiis.asp
I hope that helps,
Chris - IIS Team
[Standard disclaimer: These suggestions given without warranty, guarantee,
and/or the conveyance of any rights.]
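As an added example (it is not code from Chris's post, from the IIS Lockdown Tool, or from KB 271071), the following PowerShell script audits item 4 above on a modern Windows box: it walks the web root, reports every Allow ACE that grants the IIS anonymous and out-of-process accounts more than Read & Execute / List / Read, and with -Fix rewrites the explicit ACEs on the offending folders and files to Read & Execute only. The web root path C:\Inetpub\wwwroot and the account names IUSR_<machine> and IWAM_<machine> are assumptions (the IIS 5.x defaults) and must be adjusted to the machine in question.

```powershell
<#
Added example, not code from the original post or from Microsoft's IIS Lockdown Tool.
Audits the NTFS rights the IIS anonymous (IUSR_<machine>) and out-of-process
(IWAM_<machine>) accounts hold under a web root, lists every Allow ACE that grants
more than Read & Execute / List / Read, and with -Fix replaces the explicit ACEs on
the offending files and folders with a Read & Execute ACE only.
Assumptions: the web root path and the account names below are placeholders for
this example; the IUSR_/IWAM_ names are the IIS 5.x defaults and must match the box.
Run from an elevated prompt on the web server itself.
#>
param(
    [string]$WebRoot = 'C:\Inetpub\wwwroot',                                  # assumed path
    [string[]]$IisAccounts = @("$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME",   # assumed names
                               "$env:COMPUTERNAME\IWAM_$env:COMPUTERNAME"),
    [switch]$Fix
)

# Everything a web content folder should grant these accounts: Read & Execute
# (which contains List Folder Contents and Read). Synchronize is a harmless bit
# that Windows attaches to every Read ACE, so it is tolerated as well.
$Allowed = [int][System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Synchronize'

function Get-ExcessRights {
    # Returns the bits of an ACE that exceed Read & Execute, as an integer (0 = clean).
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    return ([int]$Ace.FileSystemRights) -band (-bnot $Allowed)
}

function Find-OverPrivilegedAces {
    param([string]$Path, [string[]]$Accounts)
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            # Only Allow ACEs for the two web accounts matter here; Deny ACEs never widen access.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Accounts -notcontains $ace.IdentityReference.Value) { continue }
            $excess = Get-ExcessRights $ace
            if ($excess -ne 0) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Account   = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Excess    = ('0x{0:X}' -f $excess)
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Set-IisReadOnlyAce {
    # Replaces the explicit ACEs for each account on $Path with Read & Execute only.
    # Inherited ACEs cannot be edited here; they must be fixed on the parent folder.
    param([string]$Path, [string[]]$Accounts)
    $item = Get-Item -LiteralPath $Path -Force
    $inherit = if ($item.PSIsContainer) {
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    } else {
        [System.Security.AccessControl.InheritanceFlags]::None   # files take no inheritance flags
    }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($account in $Accounts) {
        $acl.Access |
            Where-Object { $_.IdentityReference.Value -eq $account -and -not $_.IsInherited } |
            ForEach-Object { [void]$acl.RemoveAccessRule($_) }
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $account,
            [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
            $inherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$findings = @(Find-OverPrivilegedAces -Path $WebRoot -Accounts $IisAccounts)
if ($findings.Count -eq 0) {
    "OK: no Allow ACE under $WebRoot gives $($IisAccounts -join ' or ') more than Read & Execute."
} else {
    $findings | Format-Table -AutoSize
    if ($Fix) {
        # Only explicit ACEs can be rewritten in place; inherited ones are reported so the
        # parent folder they come from can be corrected (or inheritance broken) by hand.
        $findings | Where-Object { -not $_.Inherited } | Select-Object -ExpandProperty Path -Unique |
            ForEach-Object { Set-IisReadOnlyAce -Path $_ -Accounts $IisAccounts }
        "Explicit ACEs rewritten; re-run without -Fix to confirm, and check any Inherited=True rows."
    }
}
```

Run it once without -Fix to see what the web accounts actually hold, then with -Fix. Two caveats the check does not cover: rights the accounts pick up through group membership (IUSR_ is a member of Guests, and Everyone or Users ACEs apply to it too), and folders outside the web root, which is why the post says "anywhere" rather than just the content folders; run the script against any other tree those accounts can reach.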