
How do you protect your MS / IIS web server... !?

  • 15-12-2014 9:40pm
    #1
    Closed Accounts Posts: 3,362 ✭✭✭


    Hello,

    I have an MS Server 2008 & 2012 that I am using to host my clients' web sites.
    They are physical boxes somewhere in a data centre.

    How do you protect the server(s), the IIS and / or the websites against the threats that are out there!?
    Are you using a hardware or software firewall?
    Any antivirus installed on the servers?

    Thanks.


Comments

  • Registered Users, Registered Users 2 Posts: 586 ✭✭✭Aswerty


    Not a system admin but have worked on a few MS Server 2008 production machines. In one place we had a hardware firewall which was managed by our service provider, in another we just used the inbuilt software firewall. The software approach is so finicky, really not a real option in a production environment. The software firewall also means the production machine gets hit with all the malicious requests, with the hardware your machines are nicely isolated from this.

    I can't really remember what we had for AV, I think one place had McAfee in use.

    As a developer I used asafaweb.com for doing some basic configuration analysis for web applications.

    We also removed default accounts on the servers and databases and put high entropy passwords on the active accounts. We also encrypted passwords (e.g. database password) in the web application config files.

    We used a VPN for remotely accessing the servers, via RDP, so that we didn't have to keep ports open for creating an incoming connection.

    OWASP is a great security resource, though I'm far less familiar with their best practices than I should be. I'm sure I'm only scratching the surface of what needs to be done. I'd hope some better experienced folks can chip in.
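
Added example, not part of the thread: a small Python check for the config-file point in the reply above, reporting which `connectionStrings` entries in a `web.config` still carry a clear-text password and treating a section marked with `configProtectionProvider` (the attribute ASP.NET protected configuration adds) as encrypted. The function name `plaintext_secrets` and both sample configs are constructed for illustration, and the check assumes the root element declares no default XML namespace.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a section left in clear text.
PLAINTEXT_CONFIG = """<configuration>
  <connectionStrings>
    <add name="Main" connectionString="Server=db01;Database=shop;User Id=web;Password=Example123!" />
    <add name="Reports" connectionString="Server=db01;Database=rpt;Integrated Security=SSPI" />
  </connectionStrings>
</configuration>"""

# Constructed sample: the shape of the section after protected configuration
# has been applied; the cipher text is a placeholder, not real output.
PROTECTED_CONFIG = """<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""

# Connection-string keywords that hold a password.
SECRET_KEY = re.compile(r"^\s*(password|pwd)\s*$", re.IGNORECASE)


def plaintext_secrets(config_xml):
    """Return names of connection strings that carry a clear-text password."""
    root = ET.fromstring(config_xml)
    section = root.find("connectionStrings")
    if section is None or section.get("configProtectionProvider"):
        return []  # no section, or the section is encrypted as a whole
    findings = []
    for entry in section.findall("add"):
        for part in entry.get("connectionString", "").split(";"):
            key, _, value = part.partition("=")
            if SECRET_KEY.match(key) and value.strip():
                findings.append(entry.get("name", "(unnamed)"))
                break
    return findings


if __name__ == "__main__":
    for label, xml in (("plaintext", PLAINTEXT_CONFIG), ("protected", PROTECTED_CONFIG)):
        print(label, plaintext_secrets(xml))
```

Entries that use integrated authentication carry no password and are not reported.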

