Is there any Security software recommendation for Windows Server 2003 as a Web Application/Website server?
Or any particular settings I should adjust before making a website to be Live.
A few recommendations:
(1) Secure the base operating system, relational database, application server and HTTP server http://iase.disa.mil/stigs/stig/index.html
(2) If possible, use 2008 instead of 2003
(3) Consider posting a diagram of your network here, with IP addresses removed, but describing ports, protocols, management interfaces and trust relationships so we may review it.
(4) Check out the OWASP site and learn more about how to build a secure web application, scan it for vulnerabilities, and standard errors programmers make http://www.owasp.org/
(5) Get a web application scanner and review your code. If you are using compiled languages, you can do some static analysis too.
(6) When moving code from (A) development, to (B) staging, to (C) production, I previously used different servers for each. This also enabled reviews of each site, prior to moving it to another stage.
You should look at the security baselines in the Server 2003 Security Compliance Management Toolkit. Chapters 8 and 9 talk about IIS/web server security. Also read and implement the IIS6 security best practices. I'm not too sure about anything from CIS. Lastly, develop an upgrade plan to get to Server 2008. Many of the improvements were around security.
If you are serious about it, you can use the CIS benchmarks to get your system to a known state:
Server 2003, IIS, & MySQL
Also, you could look into a web application firewall (Like ModSecurity)--Check out the following SF questions on WAF:
Hope this helps!
Josh
Although it hasn't been maintained, I would recommend the Core Force security system:
http://force.coresecurity.com/
It'll take some setting up, but it has a lot of features that SHOULD be in Windows by default (like a decent firewall).