When Jeff and the StackOverflow team were interviewed on Hanselminutes last fall, Scott was critical of some of the decisions that were made with respect to securing the StackOverflow servers.

My question is, what is the recommended approach to securing a website? Assuming I'm developing an ASP.Net application with a SQL Server database on a separate physical machine, what steps do I need to take to secure my environment from attacks?

Tim Lentine

1 Answer

Some things that come to mind:

  • Web server in DMZ behind hardware firewall.
  • SQL Server in separate DMZ/private network separated from Web server by hardware firewall.
  • Uninstall/disable all unnecessary services on web server.
  • Web server not on a domain.
  • Minimize local accounts on web server.
  • Use URLScan (even if on IIS 6.0) because of web server fingerprinting.
  • Use IPSEC policy on web server to block all traffic inbound/bound to SQL Server to only ports that are necessary.
  • Use a non-privileged SQL Server login with minimal rights (whatever it needs to access the database for the application) as the login to connect back to SQL Server.
  • Disable default user accounts. Create new accounts with non-standard names. Use those to run services, etc.

K. Brian Kelley
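
The last two points of the answer (a minimal-rights SQL Server login for the application, and disabling/renaming the default accounts) as a worked T-SQL script. This is an added example, not code from the answer's author; the database AppDb, login app_svc, schema app, table dbo.Orders and the password are all assumed placeholders.

```sql
-- Added example (not from the original answer). Assumed names: database AppDb,
-- login app_svc, schema app, table dbo.Orders. Password is a placeholder.
USE master;
GO
-- Disable and rename the built-in sa login; the application never uses it.
ALTER LOGIN sa DISABLE;
ALTER LOGIN sa WITH NAME = [svc_admin_disabled];
GO
-- SQL login for the web application. Keep the real password in a protected
-- connection string, never in source control.
CREATE LOGIN app_svc WITH PASSWORD = N'<placeholder-strong-password>',
    CHECK_POLICY = ON, DEFAULT_DATABASE = AppDb;
GO
USE AppDb;
GO
-- Database user mapped to the login: no db_owner, db_datareader or db_datawriter.
CREATE USER app_svc FOR LOGIN app_svc WITH DEFAULT_SCHEMA = app;
GO
-- Application data and a dedicated schema for the procedures the app may call.
CREATE TABLE dbo.Orders (OrderId int PRIMARY KEY, CustomerId int, Total money);
GO
CREATE SCHEMA app AUTHORIZATION dbo;
GO
-- Data access goes through stored procedures. Because dbo owns both the
-- procedure and the table, ownership chaining lets the procedure read
-- dbo.Orders without app_svc holding any table permission.
CREATE PROCEDURE app.GetOrder @OrderId int AS
    SELECT OrderId, CustomerId, Total FROM dbo.Orders WHERE OrderId = @OrderId;
GO
-- The only right the application login needs: EXECUTE on its own schema.
GRANT EXECUTE ON SCHEMA::app TO app_svc;
-- Explicitly deny direct data access and metadata browsing on dbo.
DENY SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO app_svc;
DENY VIEW DEFINITION ON SCHEMA::dbo TO app_svc;
GO
-- Verification: impersonate the user and inspect its effective permissions.
EXECUTE AS USER = 'app_svc';
SELECT permission_name, entity_name FROM fn_my_permissions('app', 'SCHEMA');
SELECT HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'SELECT') AS can_read_orders;
EXEC app.GetOrder @OrderId = 1;   -- succeeds via ownership chaining
REVERT;
```

Running the verification block as app_svc should list only EXECUTE on schema app and report 0 for can_read_orders; if it reports 1, the login has picked up a broader role or grant that should be removed.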