WebApp Sec mailing list archives
RE: Windows 2003 Server Hardening
From: "Aleksander P. Czarnowski" <alekc () avet com pl>
Date: Fri, 19 Aug 2005 21:11:45 +0200
Would anyone happen to have a document or recommendations for hardening a Windows 2003 Server public facing Web/FTP/Mail server?
Many publications does not look at this issues at architecture level but rather focus on base system and particular server application hardening. First of all I wouldn't put all those services on one host. Secondly I would reconsider using FTP - while IIS FTP has a very good record in terms of security, other popular Windows and Unix FTP servers has been vulnerable to many buffer overflow / format string attacks in the past. Secondly I would advise to implement strong network traffic filtering both inbound and outbound (which can limit risk of penetrating system by script kiddies who are not able to rewrite shellcode to do something else than reverse shell). Also snort - in proper configuration, even installed on the server itself - can be very good add-on. Keep in mind that there are few interesting HIDS solutions available for Win32 systems that extend VS /GS cookie based stack protection and DEP mechanism. Coming down to code security it is important to review (web)applications that are installed and available to users. Such approach in case of MS IIS technology has been demonstrated here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh21.asp It demonstrates for example use of ILDASM for binary code auditing created with .NET. Just few thoughts Best Regards, Aleksander Czarnowski AVET INS
Current thread:
- RE: Cookie not expiring..., (continued)
- RE: Cookie not expiring... Dan Simon (Aug 17)
- Re: Cookie not expiring... Rogan Dawes (Aug 17)
- Re: Cookie not expiring... Thomas Chiverton (Aug 17)
- RE: Cookie not expiring... Steven Rebello (Aug 17)
- RE: Cookie not expiring... David Knapman (Aug 17)
- Re: Cookie not expiring... dharmeshmm (Aug 17)
- RE: Cookie not expiring... Dan Simon (Aug 17)
- Windows 2003 Server Hardening Joe Osborn (Aug 18)
- Re: Windows 2003 Server Hardening jcarr083 (Aug 19)
- RE: Windows 2003 Server Hardening Sarbjit Singh Gill (Aug 19)
- RE: Windows 2003 Server Hardening Aleksander P. Czarnowski (Aug 19)
- RE: Cookie not expiring... Dan Simon (Aug 17)