THOMSON REUTERS ELITE

Q4 2015 EDITION

Forefront

IIS and Database Server Security

Various high-profile hacking attacks have proven that Web security remains the most critical issue to any business that conducts its operations online. Web servers are one of the most targeted public faces of an organization because of the sensitive data they usually host. Securing a Web server is as important as securing the Web site or Web application itself and the network around it. If you have a secure Web application and an insecure Web server, or vice versa, it still puts your business at a huge risk. Your company’s security is as strong as its weakest point.

Although securing a Web server can be a daunting operation and requires specialist expertise, it is not an impossible task. Long hours of research and an overdose of coffee and take-out food can save you from long nights at the office, headaches, and data breaches in the future. Regardless of which Web server software and operating system you are running, an out-of-the-box configuration is usually insecure. Therefore, one must take some necessary steps in order to increase Web server security. Below is a list of tasks one should follow when securing a Web server.

Access – Remote / Local

Although it is not always practical, server administrators should log in to Web servers locally whenever possible. If remote access is needed, one must make sure that the remote connection is secured properly by using tunneling and encryption protocols. Using security tokens and other single sign-on equipment and software is a very good security practice. Remote access should also be restricted to a specific set of IP addresses and to specific accounts only. It is also very important not to use public computers or public networks, such as Internet cafes or public wireless networks, to access corporate servers remotely.
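One way to apply the "specific IP addresses only" rule on a Windows Web server, as an added example that is not part of the original article: scope the built-in Remote Desktop firewall rules to a short list of management hosts and require Network Level Authentication over TLS. The two addresses are constructed placeholders.

```powershell
# Added example (not from the article): restrict RDP to a short list of
# management addresses and require Network Level Authentication.
# Run in an elevated PowerShell on Windows Server 2012 R2 or later.
# The address list is a constructed placeholder; substitute your jump hosts.
$allowedAdmins = @('10.20.30.5', '10.20.30.6')   # assumption: jump hosts only

# 1. Scope the inbound Remote Desktop rules to those addresses only.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $allowedAdmins

# 2. Require NLA so credentials are validated before a session is created
#    (UserAuthentication = 1) and use the TLS security layer (SecurityLayer = 2)
#    instead of legacy RDP encryption.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name 'UserAuthentication' -Value 1 -Type DWord
Set-ItemProperty -Path $rdpKey -Name 'SecurityLayer'      -Value 2 -Type DWord

# 3. Report the result so the change can be verified now and audited later.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            RemoteAddress = $addr
        }
    } | Format-Table -AutoSize
```

If remote management goes through WinRM instead, the same `Set-NetFirewallRule -RemoteAddress` step applies to the "Windows Remote Management" display group.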

Separate Production / Development Environment

Since it is easier and faster for a developer to develop a newer version of a Web application on a production server, it is quite common for development and testing of Web applications to be done directly on the production server itself. It is a common occurrence on the Internet to find newer versions of a specific Web site, or some content which should not be available to the public, in directories such as /test/, /new/, or other similar sub-directories. Because such Web applications are in their early development stages, they tend to have a number of vulnerabilities, lack input validation, and do not handle exceptions appropriately. Such applications can easily be discovered and exploited by a malicious user with freely available tools on the Internet.

Privileges and Permissions

File and network service permissions play a vital role in Web server security. If a Web server engine is compromised via the network service software, the malicious user can use the account under which the network service is running to carry out tasks, such as executing specific files. Therefore, it is very important to always assign the least privileges needed for a specific network service, such as the Web server software, to run. It is equally important to assign minimum privileges to the anonymous user account that is used to access the Web site, the Web application files, and the backend data and databases.
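The least-privilege configuration described above, applied to one IIS site as an added example (not the article's or Microsoft's own code): a dedicated application pool with a virtual identity, anonymous requests running as that identity rather than the shared IUSR account, and NTFS rights limited to read and execute. The site name, pool name and paths are constructed.

```powershell
# Added example (not from the article): run one IIS site under its own
# low-privilege virtual identity and give that identity read-only access to
# the content directory. Site name, pool name and paths are constructed.
Import-Module WebAdministration          # ships with the IIS management tools
$site = 'CorpWeb'
$root = 'C:\inetpub\CorpWeb'

# 1. One application pool per site limits blast radius: compromise of this
#    site does not hand over another site's files or connection strings.
if (-not (Test-Path "IIS:\AppPools\$site")) { New-WebAppPool -Name $site | Out-Null }
Set-ItemProperty "IIS:\AppPools\$site" -Name processModel.identityType -Value 'ApplicationPoolIdentity'
Set-ItemProperty "IIS:\Sites\$site"    -Name applicationPool -Value $site

# 2. Make anonymous requests run as the pool identity (empty userName)
#    instead of IUSR, so the NTFS ACLs below apply to exactly this site.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name userName -Value ''

# 3. NTFS: the pool identity gets read+execute only on the web root; writes
#    are allowed in one explicit folder, and only if the application needs it.
$identity = "IIS AppPool\$site"
icacls $root '/grant:r' "${identity}:(OI)(CI)RX" | Out-Null
$uploads = Join-Path $root 'App_Data\uploads'
if (Test-Path $uploads) {
    icacls $uploads '/grant:r' "${identity}:(OI)(CI)M" | Out-Null
}

# 4. Verify: no IIS AppPool identity should hold Write/Modify on the web root.
(Get-Acl $root).Access |
    Where-Object IdentityReference -like 'IIS APPPOOL\*' |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The same principle carries over to the database side: the connection string used by this pool should map to a SQL login that holds only the rights the application actually exercises, never a sysadmin or db_owner role.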

Security Patches

Having fully patched software does not by itself mean your server is fully secure, but it is still very important to update your operating system and any other software running on it with the latest security patches. Hacking incidents still occur because attackers take advantage of, and exploit, unpatched servers and software.

User Accounts

Unused default user accounts created during an operating system install should be disabled. There is also a long list of software that, when installed, creates user accounts on the operating system. Such accounts should be checked properly, and their permissions need to be changed. The built-in administrator account should be renamed and should not be used. The same goes for the root user on a Linux / UNIX installation. Every administrator accessing the Web server should have their own user account with the correct privileges needed. It is also good security practice not to share user accounts.
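An audit script for the account hygiene described above, added here as an example and not taken from the article: it finds the built-in Administrator by its well-known RID 500 (the display name may already have been changed), renames it, disables Guest, and flags any other enabled account that has not logged on recently, which is typical of accounts created by installed software. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows Server 2016 / PowerShell 5.1 or later); the new admin name and the 90-day threshold are constructed choices.

```powershell
# Added example (not from the article): audit local accounts on a Web server.
# Assumes Microsoft.PowerShell.LocalAccounts (Windows Server 2016+ / PS 5.1).
# $newAdminName and the 90-day threshold are constructed assumptions.
$newAdminName = 'svr-breakglass'
$staleAfter   = (Get-Date).AddDays(-90)

foreach ($u in (Get-LocalUser)) {
    # The relative identifier is the last component of the SID; built-in
    # accounts keep their RID even after being renamed.
    $rid = [int]($u.SID.Value -split '-')[-1]
    switch ($rid) {
        500 {   # built-in Administrator: rename, keep only for emergency use
            if ($u.Name -ne $newAdminName) {
                Rename-LocalUser -Name $u.Name -NewName $newAdminName
                Write-Output "Renamed built-in Administrator '$($u.Name)' to '$newAdminName'"
            }
        }
        501 {   # Guest is never needed on a server
            if ($u.Enabled) {
                Disable-LocalUser -Name $u.Name
                Write-Output "Disabled '$($u.Name)'"
            }
        }
        default {
            # Accounts created by installed software often sit enabled and
            # unused; flag anything enabled with no recent logon for review.
            $last = $u.LastLogon
            if ($u.Enabled -and ((-not $last) -or ($last -lt $staleAfter))) {
                $seen = if ($last) { $last } else { 'never' }
                Write-Warning "Review '$($u.Name)': enabled, last logon $seen"
            }
        }
    }
}

# Final state for the change record, with the RID made visible.
Get-LocalUser |
    Select-Object Name, Enabled, LastLogon,
        @{ n = 'RID'; e = { ($_.SID.Value -split '-')[-1] } } |
    Format-Table -AutoSize
```

Run it from a named administrator account, not from the built-in Administrator itself, so the rename does not affect the session performing the change.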

Security Tools

Microsoft has released a number of tools to help administrators secure IIS Web server installations, such as UrlScan. Although configuring such tools is a tedious process and can be time consuming, especially with custom Web applications, they do add an extra bit of security and peace of mind.

Keep Informed

Information and tips on the software and operating system being used can be found freely on the Internet. It is very important to stay informed and learn about new attacks and tools by reading security-related magazines and subscribing to newsletters, forums, or any other type of community.

These are just a few of the items that need to be addressed when attempting to secure Web and database servers. The end goal is always the same: an environment that is both secure and usable while maintaining integrity and performance.


elite.com
Thomson Reuters Elite Headquarters
800 Corporate Pointe, Suite 150, Culver City, CA 90230
© 2015 Thomson Reuters