[thelist] SECURITY: testing your own sites security

Sean G. ethanol at mathlab.sunysb.edu
Thu Jun 20 21:48:01 CDT 2002


A good place to start is http://www.microsoft.com/security/ and "Microsoft
Baseline Security Analyzer", which I have not personally used but supposedly
scans Windows (NT4 SP4+, 2000), IIS (4, 5), and SQL (7, 2000) servers plus
IE for known security issues.  See KB article Q320454 for more info.

You also might want to check into http://www.NTBugtraq.com/

But before you start with any of that--disable all default and built-in
accounts on all servers and devices exposed to the internet!  No 'admin'
accounts, no active 'guest' accounts.  All these built-in accounts are well
known starting points for attacks.  If you need access to a resource, create
an account and give it only the minimum required permissions.

While you're doing that, make sure the default state for your firewall is to
block all traffic, and it's only passing through the ports and protocols
you've specified.

And don't overlook physical security.  All the firewalls and passwords in
the world don't do much good when your server is sitting under a desk in a
cubicle where anyone can walk up and insert a floppy, or worse, walk off
with the server!

HTH  =)

Sean G.
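The three hardening steps above (default-deny firewall with an explicit allow list, built-in accounts disabled, a purpose-made account with only the permissions it needs) can be scripted. The following is an added illustration, not code from Sean's post or from thelist; it assumes a current Windows Server with the NetSecurity and Microsoft.PowerShell.LocalAccounts modules (the Windows 2000 box in the original question predates these cmdlets), an elevated session, and placeholder values for the service account name and web root. The open ports are the ones the original poster listed: SMTP, HTTP and HTTPS.

```powershell
# Added example of the hardening advice above. Assumes a modern Windows Server
# (NetSecurity and LocalAccounts modules), run elevated. Account name 'websvc' and
# the web root path are placeholders chosen for this example.
#Requires -RunAsAdministrator

# 1. Firewall: the default state is "block everything inbound" on every profile.
#    If you administer this host remotely, add a rule for your management port
#    BEFORE running this, or you will lock yourself out.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Only the protocols actually needed are passed through (SMTP, HTTP, HTTPS).
$allowed = @(
    @{ Name = 'Allow SMTP inbound';  Port = 25  },
    @{ Name = 'Allow HTTP inbound';  Port = 80  },
    @{ Name = 'Allow HTTPS inbound'; Port = 443 }
)
foreach ($rule in $allowed) {
    if (-not (Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $rule.Name -Direction Inbound `
            -Protocol TCP -LocalPort $rule.Port -Action Allow -Profile Any | Out-Null
    }
}

# 3. Built-in accounts: Guest off. The well-known Administrator account should be
#    disabled too, but only after a separately named admin account has been
#    created and its logon verified, so the second line stays commented here.
Disable-LocalUser -Name 'Guest'
# Disable-LocalUser -Name 'Administrator'

# 4. A purpose-specific account that is a member of nothing beyond 'Users'.
$svcName = 'websvc'
if (-not (Get-LocalUser -Name $svcName -ErrorAction SilentlyContinue)) {
    $cred = Get-Credential -UserName $svcName -Message 'Password for the new service account'
    New-LocalUser -Name $svcName -Password $cred.Password `
        -Description 'Least-privilege web service account' -UserMayNotChangePassword | Out-Null
}

# Grant only what the service needs: read and execute on its web root, nothing more.
$webRoot = 'C:\inetpub\wwwroot'   # placeholder path
$acl = Get-Acl -Path $webRoot
$ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $svcName, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($ace)
Set-Acl -Path $webRoot -AclObject $acl

# 5. Verify the result: which inbound allow rules exist, and which local accounts
#    are still enabled. Anything unexpected in either list is a finding.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Select-Object DisplayName, Profile
Get-LocalUser | Where-Object Enabled | Select-Object Name, Description
```

The verification step at the end is the part worth keeping as a recurring check: re-run it after every change or patch cycle and diff the output against the previous run, since the point of default-deny is that any new allow rule or re-enabled account has to be something you deliberately added.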

-----Original Message-----

(I'm using win2k advanced server.)

I'd like to know where I can find some tools, or suggestions on how to
best test my website's security.

Besides patches and service packs, and let's say, a firewall allowing
only SMTP, HTTP, HTTPS traffic through... any other suggestions? Also...
where is a good resource that explains in layman's terms what the
differences between TCP, UDP, and ICMP packets are? As well as ACK, SYN,