Mary Haggard
Program Manager
Microsoft Corporation
July 9, 1997
The following article was originally published in Site Builder Magazine (now known as MSDN Online Voices).
If you're in charge of building an Internet presence for your company, security issues probably make you cringe. However, with a few precautions, and a little luck, you should be able to sleep better at night knowing that you've reliably secured important data on your Web site. Security issues on the Web really aren't much different in concept than security issues have always been in your organization. At the most basic level, you need to keep both malicious hackers and careless employees from causing problems with your Web servers.
Believe me, we at Microsoft know how daunting Web-security issues are. Like developers at many software companies, our programmers have had to scramble to fix shortcomings in our code -- as ingenious college students uncover security holes in our browser product, or more recently, when a hacker helped briefly clog our World Wide Web server. We've learned the hard way, and a very significant part of our mission is to put what our programmers quickly learned to work for you -- so you won't have to feel our pain. This For Starters column introduces you to security issues you should plan for, and the latest in security technologies. It also points to a lot of great information, so you can get up to speed on security issues, and quiz your ISP to ensure that its security systems are top-notch.
Evaluate your security needs. This is the most important part of the process. Ask questions, such as: How sensitive is this data? How many ways are there to access the data? Who would want this data and why? How many people need to access each set of data?
Security is a combination of technology and policy. Good security policy includes physically securing access to sensitive resources such as servers. It also means giving local logon rights to sensitive resources only to trusted individuals, enforcing a strong password policy (there are tools in Windows NT to enforce this), and using the extensive auditing facilities in Windows NT to track the state of security on your networks.
Configure Windows NT properly -- when taken straight from the box, most of its security options aren't turned on to their highest levels. The Securing Windows NT Installation white paper covers how to configure NT security options and what's important to know. The How to set up a secure IIS site section details how an organization can secure IIS.
Read up on Windows NT security, and quiz your ISP about how its security is set up. A key part of configuring Windows NT is carefully choosing user groups, and setting their access rights to minimal levels. Great information on how to set up Windows NT user groups is available in the Resource Kit and in the Windows NT documentation.
Educate your users and Web administration staff. It does you no good to secure your Web site if your work is undone by carelessness. Be sure your users know how security levels are set and why. Remember, carelessness includes leaving a door unlocked; be sure your physical hardware is secure, or that your ISP is located in a secure facility.
Secure the network. The two risks from network connections are other network users and unauthorized network taps. If the network is entirely contained in a secure building, the risk of unauthorized taps is minimized or eliminated. If the cabling must pass through unsecured areas, use optical fiber links rather than twisted pair to foil attempts to tap the wire and collect transmitted data. Talk with your ISP representatives about what security they've set up in their physical buildings.
Are you planning to conduct business over the Internet? If so, you need to be acquainted with the many issues that will face you and your customers regarding secure and confidential information transmission over the Internet. You need to have serious conversations with your ISP reps about how their systems are set up to perform commerce over the Web. For instance, how do you validate that credit card information is legitimate, both from your side and the customer's? How do you ensure that the information sent over the Internet is properly encrypted? How do you confirm order placement and receipt?
Worry most about having a secure server, and ensuring that your ISP is up to date with the latest security advances and has the software installed. Here's the latest:
One more hint: The latest information on security is always available at the Microsoft Security Advisor Web site.
Intranet concerns? Connecting your corporate LAN to the Internet, without compromising your internal security, is a risky proposition. Proxy servers help reduce this potential danger by regulating LAN-Internet traffic to maximize the security and efficiency of intranet applications. Proxy servers come with other bonuses, such as support for audio and video streaming protocols, powerful caching, and the ability to filter out those "undesirable sites."
However, using Microsoft Proxy Server requires minor client-side software changes, and may require changes to servers as well. The Microsoft TechNet site's white paper on proxy servers can help answer a lot of your questions about intranets and security. You can find more information at the Microsoft Proxy Server Web site.
You also need to be aware of the security issues involved in providing access to -- and from -- the Internet community. Chapter 2, "Server Security on the Internet," in the Windows NT Server Internet Guide contains information on using network topology to provide security.
Microsoft Certificate Server (which is included free with IIS 4.0 and is in the IIS 4.0 beta 2) issues digital IDs to employees, vendors, and users/members to allow specific, secure access to areas of your Web site. These IDs can be used over SSL for client and server authentication. This enables you to share information, without providing open access to vulnerable areas. See the Web site for more details.
Recently, a hacker exploited a Denial of Service issue with IIS on Microsoft's World Wide Web site. The attack brought down our servers for several hours. The IIS team did a great job of building a fix for the problem, and the servers were back up quickly. Because it is illegal to knowingly crash or bring down Web sites, and the attacker can be subject to criminal penalties, law enforcement agencies can help you track down the attacker.
Since taking early retirement as commander of the Starship Enterprise and joining Microsoft, Mary Haggard has worked her way through the ranks to her lifelong goal, being Program Manager for the MSDN Online Web publishing team. Mary once worked in a paper mill, so she knows pulp when she sees it.
Now that you're well on your way to implementing great Web sites, a perfect place to direct specific technical how-to questions is to the Web Men Talking, MSDN Online's "Answer Guys."