Site Security Planning


Security Checklists

Make your Web site security policies complete and explicit. Link them to practices that include recording information in security checklists. Emphasize accountability by requiring signatures of employees who fill out the checklists.

Example: Security Initialization Checklist

Create a checklist for each server platform and the Web services running on it, and record on it every item that affects security (see Table B.3).

You can use the sample checklist in Table B.3 to record security information for a Windows 2000–based server used as a Web site. The checklist reflects a least-access approach to security.

Table B.3   Sample Windows 2000/IIS 5.0 Security Initialization Checklist

  1. Server Initialization

    Computer name ___________________________________________
    Setup by Name (print): _______________________________
    Signature __________________________________
    Setup date ___________________________________________

    Computer manufacturer/model ____________________________
    CPUs, make, model, speed ____________________________
    Memory _______________  Network card(s) _____________________
    __________________________________________________________

    Hard drive formatted in NTFS           Yes __  No __
    NTFS 8.3 Name Generation turned off    Yes __  No __

    Service Packs and hot-fixes applied    Date applied/reference

    Windows 2000 ____________________________________________
    ____________________________________________
    ____________________________________________

    IIS 5.0 ____________________________________________
    ____________________________________________
    ____________________________________________

    SSL ____________________________________________
    ____________________________________________
    ____________________________________________

    ____________________________________________
    ____________________________________________
    ____________________________________________

  2. TCP Ports Access Limits

    Port 80 access by SSL only     Yes____   No____
    Port 443 access by SSL only    Yes____   No____

    TCP Notes (other ports and access methods used) ________________
    __________________________________________________________
    __________________________________________________________
    __________________________________________________________

  3. Unneeded Services Log

    Service                                           Installed/Enabled

    FTP Publishing                                    Yes___   No___   Note________________
    NNTP Service                                      Yes___   No___   Note________________
    SMTP Service                                      Yes___   No___   Note________________
    Content Index                                     Yes___   No___   Note________________
    Certification Authority                           Yes___   No___   Note________________
    Plug and Play (recommended)                       Yes___   No___   Note________________
    RPC Locator (required for remote administration)  Yes___   No___   Note________________
    Server Service                                    Yes___   No___   Note________________
    Telephony Service                                 Yes___   No___   Note________________
    Remote Access (required for dialup access)        Yes___   No___   Note________________
    Alerter                                           Yes___   No___   Note________________
    ClipBook Server                                   Yes___   No___   Note________________
    Computer Browser                                  Yes___   No___   Note________________
    DHCP Client                                       Yes___   No___   Note________________
    Messenger                                         Yes___   No___   Note________________
    Net Logon                                         Yes___   No___   Note________________
    Network DDE and DSDM                              Yes___   No___   Note________________
    Network Monitor Agent                             Yes___   No___   Note________________
    Simple TCP/IP Services                            Yes___   No___   Note________________
    Spooler                                           Yes___   No___   Note________________
    NetBIOS Interface                                 Yes___   No___   Note________________
    TCP/IP NetBIOS Helper                             Yes___   No___   Note________________
    WINS Client (TCP/IP)                              Yes___   No___   Note________________
    NWLink NetBIOS                                    Yes___   No___   Note________________
    NWLink IPX/SPX                                    Yes___   No___   Note________________
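As an added example, not code from the IIS 5.0 documentation: a PowerShell script that gathers the Table B.3 items from the local host and prints them as a record for the setup engineer to sign, so the checklist is filled from observed state rather than from memory. It assumes Windows PowerShell 5.1 on a current Windows server (Windows 2000 itself had no PowerShell), and the mapping from checklist rows to Windows service names is the author's assumption to verify with `sc query` on the target build. The NetBIOS Interface, WINS Client and NWLink rows are protocol bindings rather than services and are left for manual entry.

```powershell
# Added example (not from the IIS 5.0 documentation): collect the Table B.3 items from the
# local host and emit a checklist record. Assumes Windows PowerShell 5.1 on a current Windows
# server; the service-name mapping below is an assumption to verify with `sc query`.

$record = [ordered]@{}

# --- 1. Server Initialization -------------------------------------------------
$cs  = Get-CimInstance Win32_ComputerSystem
$cpu = @(Get-CimInstance Win32_Processor)
$record['Computer name']               = $env:COMPUTERNAME
$record['Setup by']                    = "$env:USERDOMAIN\$env:USERNAME"
$record['Setup date']                  = (Get-Date).ToString('yyyy-MM-dd')
$record['Computer manufacturer/model'] = "$($cs.Manufacturer) $($cs.Model)"
$record['CPUs, make, model, speed']    = "$($cpu.Count) x $($cpu[0].Name) @ $($cpu[0].MaxClockSpeed) MHz"
$record['Memory']                      = '{0} MB' -f [math]::Round($cs.TotalPhysicalMemory / 1MB)
$record['Network card(s)']             = (Get-CimInstance Win32_NetworkAdapter -Filter 'PhysicalAdapter=True' |
                                          ForEach-Object Name) -join '; '

# File system of the system drive; anything but NTFS cannot carry ACLs on Web content.
$sysDisk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
$record['Hard drive formatted in NTFS'] =
    if ($sysDisk.FileSystem -eq 'NTFS') { 'Yes' } else { "No ($($sysDisk.FileSystem))" }

# NtfsDisable8dot3NameCreation = 1 means short-name generation is off for every volume.
$fsKey = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$record['NTFS 8.3 Name Generation turned off'] =
    if ($fsKey.NtfsDisable8dot3NameCreation -eq 1) { 'Yes' }
    else { "No (value $($fsKey.NtfsDisable8dot3NameCreation))" }

# Service packs and hot-fixes with their install date (reference column of the checklist).
$record['Service Packs and hot-fixes applied'] = (Get-HotFix | Sort-Object InstalledOn |
    ForEach-Object { '{0} ({1:yyyy-MM-dd})' -f $_.HotFixID, $_.InstalledOn }) -join ', '

# --- 2. TCP Ports Access Limits -----------------------------------------------
# Whether 80/443 traffic is restricted to SSL is a policy decision the reviewer records by
# hand; the script only shows what is listening so the Yes/No can be checked, not guessed.
foreach ($port in 80, 443) {
    $listeners = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
    $record["Port $port listener"] = if ($listeners) {
        ($listeners | ForEach-Object { "$($_.LocalAddress) pid=$($_.OwningProcess)" }) -join '; '
    } else { 'nothing listening' }
}

# --- 3. Unneeded Services Log -------------------------------------------------
# Checklist row -> Windows service name (assumed mapping; verify on the target build).
$tableB3Services = [ordered]@{
    'FTP Publishing'          = 'MSFTPSVC'
    'NNTP Service'            = 'NntpSvc'
    'SMTP Service'            = 'SMTPSVC'
    'Content Index'           = 'cisvc'
    'Certification Authority' = 'CertSvc'
    'Plug and Play'           = 'PlugPlay'
    'RPC Locator'             = 'RpcLocator'
    'Server Service'          = 'LanmanServer'
    'Telephony Service'       = 'TapiSrv'
    'Remote Access'           = 'RemoteAccess'
    'Alerter'                 = 'Alerter'
    'ClipBook Server'         = 'ClipSrv'
    'Computer Browser'        = 'Browser'
    'DHCP Client'             = 'Dhcp'
    'Messenger'               = 'Messenger'
    'Net Logon'               = 'Netlogon'
    'Network DDE'             = 'NetDDE'
    'Network DDE DSDM'        = 'NetDDEdsdm'
    'Simple TCP/IP Services'  = 'simptcp'
    'Spooler'                 = 'Spooler'
    'TCP/IP NetBIOS Helper'   = 'lmhosts'
}
foreach ($row in $tableB3Services.GetEnumerator()) {
    # Win32_Service reports both the current state and the start mode, which is what
    # "Installed/Enabled" asks for; a missing instance means the service is not installed.
    $svc = Get-CimInstance Win32_Service -Filter "Name='$($row.Value)'"
    $record["Service: $($row.Key)"] =
        if ($svc) { "Yes ($($svc.State), start=$($svc.StartMode))" } else { 'No (not installed)' }
}

# Print the record in checklist form and save it next to a blank signature line.
$lines = foreach ($k in $record.Keys) { '{0,-42} {1}' -f $k, $record[$k] }
$lines += ''
$lines += 'Signature ______________________________   Date __________'
$lines | Tee-Object -FilePath "$env:COMPUTERNAME-security-init-$(Get-Date -Format yyyyMMdd).txt"
```

Run it once right after setup and again after each service pack or hot-fix, and file the saved text with the signed paper copy; a diff between two runs shows exactly which checklist items changed between audits.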


© 1997-1999 Microsoft Corporation. All rights reserved.