security_asp thread: RE: Security Plan. -- Thanks
Message #1 by xiaodong yan <hisheldon@y...> on Thu, 23 Jan 2003 12:50:38 -0800 (PST)
Jack,
Thank you very much! You definitely gave me enough to
start with. Great help!
~Sheldon
--- Jack_Speranza <jsperanza@g...>
wrote:
>
> Sheldon --
>
> Assuming the security plan you are preparing is for purposes of
> describing the integrity of your application and systems, here is a
> short list of things I can think of with regard to the issues you
> might need to address (there can be no standard plan, because every
> application and network configuration is different):
>
> 1. Identify the open "doors" to the outside world as they relate to
> the components of your application. For example, will outside access
> to the web server be limited to ports 80 and 443 (regular web traffic
> and SSL)? Have/will you be taking measures to close down all other
> open ports and services on your web server? Will outside network
> traffic be directed through a firewall, load balancer, or other
> network appliance, and how will these be used to secure your
> application from crackers?
>
> 2. What systems do you have in place to monitor against potential
> exploits? For example, will you be using a third-party IDS (intrusion
> detection system)? Will an individual be charged with the
> responsibility of monitoring and analyzing network traffic, web server
> log files, etc.?
>
> 3. Are there other applications running on your web server through
> which a cracker could gain access to your application and/or network?
> For example, will you be running a mail service or similar processes
> on your machine? Is your data store on the same machine? If so, will
> data store access be limited to the web application or will other
> applications interface as well? If yes, what is the security of these
> other applications?
>
> 4. What user roles/privileges are associated with your web application
> and related DLLs? Have you limited privileges to the barest minimum so
> that if an area is compromised, you are not granting unfettered access
> to the entire system and/or network?
>
> 5. Does your network configuration present any vulnerabilities? For
> example, if there are internal-facing network connections, do these
> present any potential vulnerabilities (i.e., an attack from the
> "inside")?
>
> I'm sure there are others, but this is a general overview of issues
> you might need/want to address. Hope it's helpful.
>
>
> Jack
>
>
> -----Original Message-----
> From: Xiaodong(Sheldon) Yan
> [mailto:hisheldon@y...]
> Sent: Thursday, January 23, 2003 11:22 AM
> To: Security_asp
> Subject: [security_asp] Security Plan.
>
>
> Hi,
>
> I need to write up the Application Design portion of a security plan
> for our new web site. I am new to web development and want to know
> what security issues need to be addressed in the Application
> Infrastructure Design.
>
> (1) The site is hosted on an IIS/Win2k server.
> (2) Microsoft Access is used to store data.
> (3) DLLs written in VB talk to the Access database through ADO/ODBC.
> (4) ASP/VBScript are used.
>
> Any "design plan" available?
>
> Thank you,
>
> ~Sheldon
>
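Jack's first item, taking an inventory of the server's open "doors" and comparing it against the two the plan allows (80 and 443), can be made a repeatable check rather than a one-time answer in a document. The script below is an added example, not code from the thread or from either poster. It parses the output of `netstat -an` in the layout a Windows 2000 host prints (the sample output is constructed for the example, not captured from a real server) and reports every socket accepting inbound traffic that the plan does not account for. The allowed set `PLANNED_OPEN` is an assumption based on Jack's example of ports 80 and 443; the port and protocol names are the only things the script knows, so a service bound to a planned port is still counted as planned.

```python
"""Compare a host's listening sockets against the security plan's allowed ports.

Added example for the security_asp thread; not code from the original posts.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `netstat -an` output in the Windows 2000 layout
# (made up for this example, not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        10.0.0.5:3412          ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

# Assumption: the plan permits only regular web traffic and SSL, as in Jack's
# example. Anything else that listens must be closed or written into the plan.
PLANNED_OPEN = {("TCP", 80), ("TCP", 443)}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int


# proto, local address, local port, foreign address, optional state.
# UDP lines carry no state column, hence the optional last group.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_output: str) -> list[Listener]:
    """Return every socket that accepts inbound traffic.

    TCP sockets count only in LISTENING state; a UDP socket has no state, so
    every bound UDP socket is an open door.
    """
    listeners: list[Listener] = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, header, blank line
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing connections are not doors
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def unplanned_doors(
    listeners: list[Listener], planned: set[tuple[str, int]] = PLANNED_OPEN
) -> tuple[list[Listener], list[Listener]]:
    """Split unplanned listeners into network-reachable and loopback-only.

    Sockets bound to 127.0.0.1 cannot be reached from other hosts, but they
    still reveal a running service the plan should mention, so they are
    reported separately instead of being dropped.
    """
    exposed: list[Listener] = []
    local_only: list[Listener] = []
    for lst in listeners:
        if (lst.proto, lst.port) in planned:
            continue
        if lst.addr.startswith("127."):
            local_only.append(lst)
        else:
            exposed.append(lst)
    return exposed, local_only


if __name__ == "__main__":
    exposed, local_only = unplanned_doors(parse_listeners(SAMPLE_NETSTAT))
    for lst in exposed:
        print(f"NOT IN PLAN, reachable from network: {lst.proto} {lst.addr}:{lst.port}")
    for lst in local_only:
        print(f"not in plan, loopback only:           {lst.proto} {lst.addr}:{lst.port}")
```

Run against real `netstat -an` output piped into `parse_listeners`, the four exposed entries in the sample (SMTP, RPC endpoint mapper, SMB and SNMP) are exactly the kind of "other services" Jack's items 1 and 3 ask about: each one either gets closed or gets its own paragraph in the plan.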
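Jack's second item asks who will be analyzing the web server log files. The following is an added example, not from the thread, of the simplest useful analysis for an IIS server: read the W3C extended log using its own `#Fields` directive to find the columns, then flag clients whose requests keep producing error responses, which is what probing for files and directories that are not part of the application looks like in the log. The log excerpt is constructed for the example, and the threshold of three errors is an arbitrary assumption to be tuned against real traffic.

```python
"""Flag clients with repeated error responses in an IIS W3C extended log.

Added example for the security_asp thread; not code from the original posts.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed IIS 5.0 W3C extended log excerpt (made up for this example, not
# from a real server). IIS writes spaces inside a field as '+', so a plain
# split on spaces yields one token per field. The last data line is
# deliberately truncated to show how such lines are skipped.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-01-23 12:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-01-23 12:00:01 10.0.0.5 GET /default.asp - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2003-01-23 12:00:04 10.0.0.5 GET /orders.asp id=17 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2003-01-23 12:01:10 172.16.9.2 GET /admin/ - 404 -
2003-01-23 12:01:10 172.16.9.2 GET /scripts/ - 404 -
2003-01-23 12:01:11 172.16.9.2 GET /_vti_pvt/service.pwd - 404 -
2003-01-23 12:01:11 172.16.9.2 GET /cgi-bin/ - 404 -
2003-01-23 12:01:12 172.16.9.2 GET /backup/ - 404 -
2003-01-23 12:02:30 10.0.0.7 GET /orders.asp id=abc 500 Mozilla/4.0+(compatible;+MSIE+5.5)
2003-01-23 12:03:00 10.0.0.5 GET /default.asp -
"""


def parse_w3c(log_text: str) -> list[dict[str, str]]:
    """Return one dict per data line, keyed by the names in #Fields.

    The column layout is taken from the log itself rather than hard-coded,
    because the set of logged fields is configured per site in IIS.
    """
    fields: list[str] | None = None
    rows: list[dict[str, str]] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        if fields is None:
            raise ValueError("data line appears before a #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or partial line: skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def suspicious_clients(rows: list[dict[str, str]], error_threshold: int = 3) -> dict:
    """Clients whose requests produced at least error_threshold 4xx/5xx responses.

    For each flagged client the result carries the request count, the error
    count and the set of URI stems that returned 404, which is the list of
    things the client was looking for that the site does not serve.
    """
    per_ip: dict[str, dict] = defaultdict(
        lambda: {"requests": 0, "errors": 0, "missing": set()}
    )
    for r in rows:
        stats = per_ip[r["c-ip"]]
        stats["requests"] += 1
        status = int(r["sc-status"])
        if status >= 400:
            stats["errors"] += 1
            if status == 404:
                stats["missing"].add(r["cs-uri-stem"])
    # Assumption: three errors from one client is the reporting threshold.
    return {ip: s for ip, s in per_ip.items() if s["errors"] >= error_threshold}


if __name__ == "__main__":
    for ip, s in suspicious_clients(parse_w3c(SAMPLE_IIS_LOG)).items():
        print(f"{ip}: {s['errors']} errors in {s['requests']} requests")
        for stem in sorted(s["missing"]):
            print(f"    probed {stem}")
```

The single 500 from 10.0.0.7 is not flagged at the default threshold, but it is the kind of line the person Jack describes should still read: an `id=abc` query that makes the page fail says something about how `/orders.asp` handles its input.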