
For Starters: #8. How to Feel Secure


Mary Haggard
Program Manager
Microsoft Corporation

July 9, 1997

The following article was originally published in the Site Builder Network Magazine "For Starters" column.

Why Do I Need to Feel Secure?

If you're in charge of building an Internet presence for your company, security issues probably make you cringe. However, with a few precautions, and a little luck, you should be able to sleep better at night knowing that you've reliably secured important data on your Web site. Security issues on the Web really aren't much different in concept than security issues have always been in your organization. At the most basic level, you need to keep both malicious hackers and careless employees from causing problems with your Web servers.

Believe me, we at Microsoft know how daunting Web-security issues are. Like developers at many software companies, our programmers have had to scramble to fix shortcomings in our code -- as ingenious college students uncover security holes in our browser product, or more recently, when a hacker helped briefly clog our World Wide Web server. We've learned the hard way, and a very significant part of our mission is to put what our programmers quickly learned to work for you -- so you won't have to feel our pain. This For Starters column introduces you to security issues you should plan for, and the latest in security technologies. It also points to a lot of great information, so you can get up to speed on security issues, and quiz your ISP to ensure that its security systems are top-notch.

How Do I Start Feeling Secure?

Evaluate your security needs. This is the most important part of the process. Ask questions, such as: How sensitive is this data? How many ways are there to access the data? Who would want this data and why? How many people need to access each set of data?

Security is a combination of technology and policy. Good security policy includes physically securing access to sensitive resources such as servers. It also means that local logon rights to sensitive resources are only given to trusted individuals, enforcing a strong password policy (there are tools in Windows NT to enforce this), and using the extensive auditing facilities in Windows NT to track the state of security on your networks.
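The auditing advice above is easier to act on with a concrete check. The following script is an added example (not part of the original column) that runs a simple threshold detection over a Security log export: it flags any account that accumulates repeated logon failures inside a short window, which is the kind of pattern a strong password policy and lockout settings are meant to blunt. The tab-separated export format, hostnames and account names are constructed for illustration; the two event IDs are the Windows NT 4.0 "Successful Logon" (528) and "Logon Failure" (529) identifiers.

```python
"""Threshold detection over constructed Windows NT-style Security log lines.

Added example, not code from the original column. The export format below
(date, time, event id, user, workstation, tab-separated) is an assumption
made for illustration; real exports carry more fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOGON_SUCCESS = 528   # NT 4.0 event: Successful Logon
LOGON_FAILURE = 529   # NT 4.0 event: Logon Failure, unknown user name or bad password

# Constructed sample export: one burst of failures against "administrator",
# one isolated failure for "mjones", and two ordinary successful logons.
SAMPLE_LOG = """\
07/09/1997\t09:00:01\t528\tjsmith\tWEB01
07/09/1997\t09:00:05\t529\tadministrator\tWEB01
07/09/1997\t09:00:07\t529\tadministrator\tWEB01
07/09/1997\t09:00:09\t529\tadministrator\tWEB01
07/09/1997\t09:00:11\t529\tadministrator\tWEB01
07/09/1997\t09:00:13\t529\tadministrator\tWEB01
07/09/1997\t09:30:00\t529\tmjones\tWEB02
07/09/1997\t10:15:00\t528\tmjones\tWEB02
"""


def parse_export(text):
    """Parse the constructed export into a list of event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, event_id, user, workstation = line.split("\t")
        stamp = datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S")
        events.append({
            "time": stamp,
            "id": int(event_id),
            "user": user.lower(),   # NT account names are case-insensitive
            "ws": workstation,
        })
    return events


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {account: peak_count} for accounts with >= threshold logon
    failures inside any sliding window of the given length."""
    failures = defaultdict(list)
    for ev in events:
        if ev["id"] == LOGON_FAILURE:
            failures[ev["user"]].append(ev["time"])

    flagged = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until the span fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def report(text):
    """Human-readable summary for the administrator reviewing the export."""
    flagged = failed_logon_bursts(parse_export(text))
    if not flagged:
        return "No failed-logon bursts found."
    lines = [f"{user}: {count} failures within 5 minutes" for user, count in sorted(flagged.items())]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Running the script prints a single line for the "administrator" burst; the lone failure for "mjones" stays below the threshold and is not reported. Lowering `threshold` or widening `window` trades fewer missed attempts for more noise, which is the same trade-off the NT account lockout settings make.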

Configure Windows NT properly -- straight from the box, most of its security options are not turned on to their highest levels. The Securing Windows NT Installation white paper covers how to configure NT security options and what's important to know. The How to set up a secure IIS site section details how an organization can secure IIS.

Read up on NT security, and quiz your ISP about how its security is set up. A key part of configuring NT is carefully choosing user groups and setting their access rights to the minimum each group needs. Great information on how to set up Windows NT user groups is available in the Resource Kit and in the Windows NT documentation.

Educate your users and Web administration staff. It does you no good to secure your Web site if your work is undone by carelessness. Be sure your users know how security levels are set and why. Remember, carelessness includes leaving a door unlocked; be sure your physical hardware is secure, or that your ISP is located in a secure facility.

Secure the network. The two risks from network connections are other network users and unauthorized network taps. If the network is entirely contained in a secure building, the risk of unauthorized taps is minimized or eliminated. If the cabling must pass through unsecured areas, use optical fiber links rather than twisted pair to foil attempts to tap the wire and collect transmitted data. Talk with your ISP representatives about what security they've set up in their physical buildings.

Are you planning to conduct business over the Internet? If so, you need to be acquainted with the many issues that will face you and your customers regarding secure and confidential information transmission over the Internet. You need to have serious conversations with your ISP reps about how their systems are set up to perform commerce over the Web. For instance, how do you validate that credit card information is legitimate, both from your side and the customer's? How do you ensure that the information sent over the Internet is properly encrypted? How do you confirm order placement and receipt?

An excellent overview of how Internet commerce fits into Microsoft's vision of the BackOffice product line can be found in Microsoft Internet Commerce Strategy: A Foundation for Doing Business on the Internet. This white paper also introduces the important Internet commerce issues you will want to understand when you question your ISP's commerce setup.

What Do I Need to Feel Secure?

Worry most about having a secure server, and ensuring that your ISP is up to date with the latest security advances and has the software installed. Here's the latest:

One more hint: The latest information on security is always available at the Microsoft Security Advisor Web site.

I'm Secure on the Outside, but Not the Inside

Intranet concerns? Connecting your corporate LAN to the Internet without compromising your internal security is a risky proposition. Proxy servers help reduce this danger by regulating LAN-Internet traffic to maximize the security and efficiency of intranet applications. Proxy servers come with other bonuses, such as support for audio and video streaming protocols, powerful caching, and the ability to filter out those "undesirable sites."

However, using Microsoft Proxy Server requires minor client-side software changes, and may require changes to servers as well. The Microsoft TechNet site's white paper on proxy servers can help answer a lot of your questions about intranets and security. You can find more information at the Microsoft Proxy Server Web site.

You also need to be aware of the security issues involved in providing access to -- and from -- the Internet community. Chapter 2, "Server Security on the Internet," in the Windows NT Server Internet Guide contains information on using network topology to provide security.

Microsoft Certificate Server (which is included free with IIS 4.0 and is in the IIS 4.0 beta 2) issues digital IDs to employees, vendors, and users/members to allow specific, secure access to areas of your Web site. These IDs can be used over SSL for client and server authentication. This enables you to share information without providing open access to vulnerable areas. See the Web site for more details.

Sometimes They Don't Want Your Files, They Just Want to be Pests

Recently, a hacker exploited a Denial of Service issue with IIS on Microsoft's World Wide Web site. The attack brought down our servers for several hours. The IIS team did a great job of building a fix for the problem, and the servers were back up quickly. More information on the patch and the drama is on the IIS Web site. Because it is illegal to knowingly crash or bring down Web sites, and the attacker can be subject to criminal penalties, law enforcement agencies can help you track down the attacker.

Since taking early retirement as commander of the Starship Enterprise and joining Microsoft, Mary Haggard has worked her way through the ranks to her lifelong goal, being Program Manager for the Site Builder Web publishing team. Mary once worked in a paper mill, so she knows pulp when she sees it.



© 1998 Microsoft Corporation. All rights reserved. Terms of use.
