Stuart McClure's Daily Security Tips for the Week of October 28th
Web Security Tip for Friday, November 1st, 2002
Remove extended stored procedures
Just about any database server comes with a number of stored procedures installed by default. You must take the time to review each of them and determine whether your application needs it (if at all). Typically they are not necessary and can be removed.
Web Security Tip for Thursday, October 31st, 2002
Harden the web server
By default, most web servers come with a number of added features installed. While these features are convenient, they expose any application to a significant number of vulnerabilities. As such, you must review all features installed by default (such as ISAPI filters) and determine the business need for each. Very few of these features are required by the typical web application. Automated tools can perform much of this work, including urlscan and iislockdown from Microsoft (www.microsoft.com/security).
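The review step that the two tips above call for (installed stored procedures on the database side, ISAPI features on the web server side) can be made repeatable by comparing the installed inventory against an allowlist that records a business need for each item. The Python below is an added example, not code from the tips or from Microsoft; it assumes a constructed inventory of SQL Server 2000 extended stored procedures (the kind of list `sp_helpextendedproc` returns) and of IIS 5 script mappings, and it emits `sp_dropextendedproc` statements for the procedures that have no recorded need.

```python
"""Allowlist review of default-installed server components.

Added example, not code from the original tips: compare what is installed
against an allowlist of what the application actually needs, and report what
should be removed. The inventories and allowlists below are constructed samples.
"""
import re
from dataclasses import dataclass, field


@dataclass
class ReviewResult:
    keep: list = field(default_factory=list)    # installed and justified
    remove: list = field(default_factory=list)  # installed, no business need
    stale: list = field(default_factory=list)   # allowlisted but not installed


def review_components(installed, allowlist):
    """Split an inventory into keep/remove using a name -> justification allowlist.

    Matching is case-insensitive; the order of `installed` is preserved so the
    report reads in the same order as the server's own listing.
    """
    approved = {name.lower(): why for name, why in allowlist.items()}
    result = ReviewResult()
    for name in installed:
        (result.keep if name.lower() in approved else result.remove).append(name)
    seen = {name.lower() for name in installed}
    result.stale = [name for name in allowlist if name.lower() not in seen]
    return result


# Extended stored procedure names must be plain identifiers before they are
# interpolated into T-SQL; anything else is rejected rather than quoted.
_XPROC_NAME = re.compile(r"^xp_[A-Za-z0-9_]+$")


def drop_statements(xprocs):
    """T-SQL that removes each extended procedure via SQL Server 2000's
    sp_dropextendedproc (review the output before running it)."""
    bad = [n for n in xprocs if not _XPROC_NAME.match(n)]
    if bad:
        raise ValueError(f"refusing to build statements for odd names: {bad}")
    return [f"EXEC sp_dropextendedproc '{name}';" for name in xprocs]


# Constructed sample: the kind of list `EXEC sp_helpextendedproc` returns on a
# default SQL Server 2000 install (the names are real; the selection is
# illustrative, not a complete inventory).
INSTALLED_XPROCS = ["xp_cmdshell", "xp_regread", "xp_regwrite",
                    "xp_dirtree", "xp_sendmail", "xp_sprintf"]

# Constructed allowlist: each entry records why the application needs it.
XPROC_ALLOWLIST = {
    "xp_sendmail": "nightly batch job e-mails its run report",
    "xp_sprintf": "used by the reporting stored procedures",
    "xp_logevent": "stale entry: the feature was retired last release",
}

# Constructed sample of IIS 5 script mappings (extension -> ISAPI DLL); the
# application only serves .asp pages, so the rest have no business need.
INSTALLED_MAPPINGS = {".asp": "asp.dll", ".ida": "idq.dll", ".idq": "idq.dll",
                      ".htr": "ism.dll", ".printer": "msw3prt.dll"}
MAPPING_ALLOWLIST = {".asp": "the application's pages"}


if __name__ == "__main__":
    xp = review_components(INSTALLED_XPROCS, XPROC_ALLOWLIST)
    print("extended procedures to drop:")
    for stmt in drop_statements(xp.remove):
        print("  " + stmt)
    print("stale allowlist entries:", xp.stale)
    isapi = review_components(list(INSTALLED_MAPPINGS), MAPPING_ALLOWLIST)
    print("script mappings to remove in the IIS console:",
          [f"{e} ({INSTALLED_MAPPINGS[e]})" for e in isapi.remove])
```

The allowlist doubles as documentation: an entry with no matching installed component is reported as stale, which is how a retired feature's justification gets cleaned up rather than silently re-approving the component when a later install puts it back.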
Web Security Tip for Wednesday, October 30th, 2002
Remove those sample files
Every web server and database available comes with at least a few sample files. These files are provided by the vendor to help developers get up to speed more quickly in developing that killer app. But a single sample file (typically poorly written in terms of security) can open a gaping hole in your web server, allowing an attacker to gain complete access. So remove all unnecessary files immediately.
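Finding the sample content in the first place is the part that gets skipped, so the audit should be scripted against the web root rather than done from memory. The Python below is an added example, not code from the tip; the default directory names and the filename patterns it looks for are assumptions chosen for the illustration (a few directories a default IIS 4/5 install creates, plus generic sample/demo naming), and the listing it runs over is constructed.

```python
"""Inventory of vendor sample content under a web root.

Added example, not from the original tips: walk a web root and flag files that
look like vendor-supplied sample or demo content so they can be reviewed and
removed. The directory names and path patterns are assumptions chosen for the
illustration, not an exhaustive list for any vendor.
"""
import os
import re

# Top-level directories that a default IIS 4/5 install creates and that the
# iislockdown tool removes (assumed starting point; extend for your platform).
KNOWN_DEFAULT_DIRS = {"iissamples", "iishelp", "msadc", "scripts"}

# Names that usually mark vendor samples rather than application code. The
# word boundary on "test" keeps names like contest.asp from being flagged.
NAME_PATTERNS = re.compile(r"sample|demo|example|tutorial|\btest\b", re.IGNORECASE)


def classify_paths(rel_paths):
    """Return {relative path: reason} for every path that looks like sample content.

    Paths are relative to the web root and may use either slash style.
    """
    flagged = {}
    for path in rel_paths:
        parts = path.replace("\\", "/").split("/")
        if parts[0].lower() in KNOWN_DEFAULT_DIRS:
            flagged[path] = f"inside default directory '{parts[0]}'"
        elif NAME_PATTERNS.search(path):
            flagged[path] = "name suggests vendor sample/demo content"
    return flagged


def find_sample_content(webroot):
    """Walk a real web root and classify every file found under it."""
    rel_paths = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            rel_paths.append(os.path.relpath(os.path.join(dirpath, name), webroot))
    return classify_paths(sorted(rel_paths))


# Constructed sample listing standing in for a real os.walk of a web root.
SAMPLE_LISTING = [
    "app/orders.asp",
    "images/logo.gif",
    "IISSamples/default/samples.htm",
    "examples/demo.asp",
    "msadc/readme.txt",
    "app/contest.asp",
]

if __name__ == "__main__":
    for path, reason in classify_paths(SAMPLE_LISTING).items():
        print(f"{path}: {reason}")
```

Run `find_sample_content(r"C:\Inetpub\wwwroot")` on the server itself and treat every flagged path as needing a decision: keep with a written reason, or delete. Files that the application genuinely needs but that match a pattern are the reason the function reports a reason string rather than deleting anything.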
Web Security Tip for Tuesday, October 29th, 2002
Source code review
Finally, whether as a first or a last step, it is essential that you perform some sort of source code review. Whether you hire an objective third party such as Foundstone (www.foundstone.com) to perform the review or you employ peer review within your development groups, source code review is critical for unearthing the most difficult security problems.
Web Security Tip for Monday, October 28th, 2002
Scan for vulnerabilities
No security review would be complete without scanning the web site for existing vendor and programmer vulnerabilities. A number of technologies help automate this process, including FoundScan™ from Foundstone (www.foundstone.com) and free tools such as the N-Stealth scanner from N-Stalker (www.nstalker.com). Each of these technologies looks for known vendor vulnerabilities such as IIS's Index Server vulnerability (a.k.a. the Code Red worm), but only FoundScan looks for unknown vulnerabilities, or those introduced by a web site's developer.