Re: Hardening IIS
- From: "Robert Moir" <robspamtrap+msnews@xxxxxxxxx>
- Date: Sun, 15 Jan 2006 19:36:35 -0000
Jon Phipps wrote:
> Besides running the IIS lockdown tool and MBSA, as well as a good
> firewall and all the updates and patches, what steps can be taken to
> harden an IIS installation against hackers? I have a friend whose site
> has been hacked and he wanted the help to harden things. I am not
> sure if he built the site off the default website (something I am not
> keen on doing because it is the only one which can be hit by an IP
> surf, learned this in the days of red alert and some other worms);
> however, I would like to help make the site as hard as it can without
> investing lots of cash.
Without knowing the details of how the previous hacks have succeeded or how
the platform is configured it is impossible to provide any useful tips that
would be of any use to someone who knows enough to use lockdown and MBSA
tools already.
The server could be perfectly secure but the web app/site it is running
could be poorly designed and let the side down. If the webserver is on a LAN
with other machines it could be that one of these is compromised and is
giving up the webserver's secrets.
It could even be that someone has installed a keylogger on the user's
workstation and hence just happens to know all the required usernames and
passwords to gain access to what actually is a perfectly secure site.
--
Rob Moir, MS MVP
Website - http://www.robertmoir.co.uk
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
Kazaa - Software update services for your Viruses and Spyware.