Site Security Planning


A Least-Access Approach

A least-access approach to security means that you lock down, turn off, or remove any service, account, or other asset that does not need to be reachable over the network. Furthermore, you grant access to each resource only to the people and processes that genuinely require it.

This approach greatly reduces calamities such as loss of data and denial of service caused by the unwitting actions of users who wandered into areas where they did not belong. It also minimizes the number of potential easy entry points for unauthorized users: every listening service is an attack surface, whether or not anyone intended it to be reachable. For example, you might open only Transmission Control Protocol (TCP) ports 80 (HTTP) and 443 (HTTPS) for access to your Web services and block all other inbound ports. Note that this protects only the services you turned off; the Web server that remains listening on ports 80 and 443 must still be secured on its own. Other examples include disabling guest user accounts and restricting anonymous users to read-only access in well-defined areas of the site.
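One practical way to verify the port example above is to audit what is actually listening on the host and compare it with the list of ports you decided to expose. The following script is an added example, not code from the original page or from Microsoft; it parses the output format of Windows "netstat -an" and flags any TCP listener whose port is not on an assumed allow-list of 80 and 443. The netstat text embedded in it is constructed for illustration, not captured from a real system.

```python
"""Least-access audit: flag listening TCP ports outside an allow-list.

Added example, not Microsoft's code. It reads the text format printed by
Windows `netstat -an` and reports every TCP socket in LISTENING state whose
port is not on the approved list.
"""
import re
from typing import Iterable

# Assumption: the host is a Web server that should expose only HTTP and HTTPS.
ALLOWED_TCP_PORTS = {80, 443}

# Constructed sample of `netstat -an` output on a Windows host. This is
# illustrative data, not captured from a real machine.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    10.0.0.5:443           203.0.113.7:51234      ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

# Matches one line of a TCP listener: protocol, local "address:port",
# foreign address, and a state of LISTENING. The address may be an IPv4
# dotted quad or a bracketed IPv6 address such as [::].
_LISTEN_RE = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s*$"
)


def listening_tcp_ports(netstat_output: str) -> dict[int, str]:
    """Return {port: bound_address} for every TCP socket in LISTENING state."""
    listeners: dict[int, str] = {}
    for line in netstat_output.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            listeners[int(m.group("port"))] = m.group("addr")
    return listeners


def unexpected_listeners(
    netstat_output: str, allowed: Iterable[int] = ALLOWED_TCP_PORTS
) -> list[int]:
    """Sorted list of ports that are listening but not on the allow-list."""
    allowed_set = set(allowed)
    return sorted(
        port for port in listening_tcp_ports(netstat_output) if port not in allowed_set
    )


if __name__ == "__main__":
    # In practice you would feed in the real output of `netstat -an`.
    for port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"port {port}/tcp is listening but not approved; stop the service or block the port")
```

On the constructed sample the audit reports ports 21 and 135 as listening but unapproved. Established connections and UDP sockets are deliberately ignored here; extend the pattern if your allow-list also covers UDP services.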

Most of your effort should be spent securing the assets that are genuinely under threat and to which Information Technology staff or users still need access. This requires that you prioritize threats, giving the highest priority to those assets whose loss or compromise would most damage the organization.


© 1997-1999 Microsoft Corporation. All rights reserved.