>>>>> "Alberto" == Alberto U Begliomini <aub @
Alberto> I am looking for documentation, articles, and papers on how
Alberto> to make a NT Web server, sitting on the perimeter network of
Alberto> a firewall, secure.
Aside from the philosophical point that you can never really
understand your risk level with a closed system (i.e., Microsoft
didn't even know their risk, and was taken off the 'net for two days
last week), there are some things that you can do practically.
I can't comment on what tools you can run on an NT host...hopefully
Stuff to do:
o Go write your policy. Articulate, on paper, or electrons, exactly
what hosts will be out there, which IP addresses will be active,
which ports on each IP will be active, what daemon or service will
be responsible for each of those ports, etc. Now you can implement
your solution based on that policy. If you get run over by a bus
or quit suddenly, etc., the poor sucker who has to take over with
no introduction to how things have been set up won't be such a poor
sucker after all.
o Don't run any service you don't need
o Turn on access control lists on your access router. If it's a web
server, don't let anything but tcp/80 come in through the router to
that host. (If you've got other ports doing HTTP, then let them
in, of course, but don't let in anything besides the services you
o If you can, try and rig and alarm such that if anyone DOES hit a
port on that machine that the router is supposed to block, you'll
know about it quickly.
Again, this is not rocket science, but just a straightforward view of
your network and all of its components as a bunch of pieces that
collectively make your network secure.
Matt Curtin Chief Scientist Megasoft Online cmcurtin @
http://www.research.megasoft.com/people/cmcurtin/ I speak only for myself
Pull AGIS.NET's plug! DES has fallen! http://www.frii.com/~rcv/deschall.htm