Reviewing Security Policies, Processes, and Procedures
Applies To: Windows Server 2003, Windows Server 2003 with SP1
As part of maintaining the security of your Web server, you must perform periodic reviews of the security policies, processes, and procedures in use by your organization. Review your security practices for any changes that might affect the security of the Web server. These reviews include the following:
Ensuring that any recent security risks are mitigated:
As new security risks are identified, such as new viruses, you need to ensure that your security practices help mitigate these risks. If your current security practices do not address the new risks, modify them to help mitigate the risks.
Identifying changes in Web server configuration that can compromise security:
Through the course of normal administration of the Web server, configuration changes are made. During this process, security settings might have been inadvertently changed. You need to periodically review the configuration of the Web server to ensure that it complies with the security requirements of your organization.
You can categorize these Web server security practices by their function, such as operating system security, security policies, firewall security, and router security. In addition, the frequency with which these processes and procedures are completed varies. Some security practices need to be completed continuously while others might be completed monthly.
Table 3.14, Table 3.15, Table 3.16, and Table 3.17 list examples of security policies, processes, and procedures for an ISP, grouped by categories. These examples are representative of the types of security practices that are required to maintain the security of your Web server. For more information about the security policies, processes, and procedures for your Web server, see Managing a Secure IIS 6.0 Solution.
Table 3.14 Windows Server 2003 Operating System Security
| Security Policy, Process, or Procedure | Frequency |
|---|---|
| Limit user rights to only those that are required. | Constant |
| Limit the window of exposure to exploitable vulnerabilities when deploying new servers. | Constant |
| Limit Terminal Services access to only necessary accounts. | Constant |
| Run a two-tier DNS structure to protect the identity of internal servers. | Constant |
| Run an intrusion detection system. | Constant |
| Scan the ports in use on your server addresses and on addresses assigned to remote users. | Daily |
| Review event and IIS logs. | Weekly |
| Test firewalls from inside and outside by using port scanners and other appropriate tools. | Weekly |
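The weekly "Review event and IIS logs" task above can be partly scripted. The following Python example is added here and is not part of the original page: it parses W3C extended log lines in the layout IIS 6.0 writes (the `#Fields:` header names the columns; the sample log is constructed) and reports client addresses that produced repeated access-denied responses or any server errors, which are the lines a reviewer should look at first.

```python
# Added example (not from the original page): a weekly IIS log review helper.
# Parses W3C extended log lines as IIS 6.0 writes them (the '#Fields:' header
# names the columns) and reports, per client IP, the 401/403 (access denied)
# and 5xx (server error) responses that a reviewer should look at.
from collections import defaultdict

# Constructed sample log for illustration (default IIS 6.0 W3C field set).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-03-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2004-03-01 00:00:01 10.0.0.5 GET /default.htm - 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2004-03-01 00:00:02 10.0.0.5 GET /admin/ - 80 - 198.51.100.7 Mozilla/4.0 401 2 5
2004-03-01 00:00:03 10.0.0.5 GET /admin/ - 80 - 198.51.100.7 Mozilla/4.0 401 2 5
2004-03-01 00:00:04 10.0.0.5 GET /scripts/cmd.exe - 80 - 198.51.100.7 Mozilla/4.0 404 0 2
2004-03-01 00:00:05 10.0.0.5 POST /app/form.asp - 80 - 192.0.2.10 Mozilla/4.0 500 0 0
2004-03-01 00:00:06 10.0.0.5 GET /admin/ - 80 - 198.51.100.7 Mozilla/4.0 403 1 0
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in '#Fields:'."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # header recurs when the log rotates
        elif line.startswith("#") or not line.strip():
            continue                        # other directives and blank lines
        elif fields:
            values = line.split(" ")
            if len(values) == len(fields):  # drop truncated or corrupt lines
                yield dict(zip(fields, values))

def review(text, denied_threshold=2):
    """Return {c-ip: {"denied": n, "server_errors": n}} for IPs worth a look:
    at least `denied_threshold` 401/403 responses, or any 5xx response."""
    counts = defaultdict(lambda: {"denied": 0, "server_errors": 0})
    for rec in parse_w3c(text):
        status = int(rec["sc-status"])
        if status in (401, 403):
            counts[rec["c-ip"]]["denied"] += 1
        elif 500 <= status < 600:
            counts[rec["c-ip"]]["server_errors"] += 1
    return {ip: c for ip, c in counts.items()
            if c["denied"] >= denied_threshold or c["server_errors"] > 0}

if __name__ == "__main__":
    for ip, c in sorted(review(SAMPLE_LOG).items()):
        print(f"{ip}: {c['denied']} access denied, {c['server_errors']} server errors")
```

Point `review()` at the contents of a real `ex*.log` file from the IIS log directory to run it over a week of traffic; the threshold is a starting point to tune against the server's normal error rate.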
Table 3.15 Windows Server 2003 Policy Security
| Security Policy, Process, or Procedure | Frequency |
|---|---|
| Explicitly deny the interactive logon user right to all non-administrative accounts. | Constant |
| Explicitly deny the "Allow logon through Terminal Services" user right to all non-administrative accounts. | Constant |
| Enable full (Success/Failure) auditing on domain Group Policy objects. | Constant |
| Send event notification when events such as "User added to Domain Administrators" occur. | Constant |
| Allow only Administrators to have write permissions on all content servers. | Constant |
| Require strong passwords for all users. | Constant |
| Require smart cards for all administrators. | Constant |
| Allow administrators to log on only to specific workstations. | Constant |
| Enable account lockout policies for failed logon attempts. | Constant |
| Audit the domain Group Policy object. | Monthly |
| Audit Active Directory user rights. | Monthly |
| Audit all servers to determine whether nonessential services are running. | Monthly |
Table 3.16 Firewall and Router Security
| Security Policy, Process, or Procedure | Frequency |
|---|---|
| Restrict the network segments where management traffic is allowed. | Constant |
| By default, deny IP traffic and log any failed attempts. | Constant |
| Ensure that the minimal firewall rules are enforced, including: | Constant |
Table 3.17 Miscellaneous Security
| Security Policy, Process, or Procedure | Frequency |
|---|---|
| Run virus scans on all servers. | Constant |
| Monitor security distribution lists and newsgroups for potential security issues. | Constant |
| During virus outbreaks, block any suspicious content (such as e-mail attachments). | Constant |
| Monitor the number of non-delivery mail reports generated (a rising count indicates e-mail spamming). | Weekly |
| Monitor Simple Mail Transfer Protocol (SMTP) relay attempts that are not valid (indicates e-mail spamming). | Weekly |
| Audit accounts to identify users who are no longer employed by the organization, partner organizations, or customer organizations. | Monthly |