
security_asp thread: PLEASE discontinue all transmissions to TONY SANTAURO


Message #1 by "Santauro Family" <santauro@a...> on Sun, 26 Jan 2003 23:33:34 +1100
Mr Santauro is no longer with this COMPANY

Evie x

-----Original Message-----
From: Jack_Speranza [mailto:jsperanza@g...]
Sent: Friday, January 24, 2003 3:30 AM
To: Security_asp
Subject: [security_asp] RE: Security Plan.



Sheldon --

Assuming the security plan you are preparing is for purposes of
describing the integrity of your application and systems, here is
a short list of things I can think of with regard to the issues
you might need to address (there can be no standard plan, because
every application and network configuration is different):

1. Identify the open "doors" to the outside world as it relates to
the components of your application.  For example, will outside access
to the web server be limited to ports 80 and 443 (regular web traffic
and SSL)?  Have/will you be taking measures to close down all other
open ports and services on your web server?  Will outside network
traffic be directed through a firewall, load balancer, or other
network appliance, and how will these be used to secure your application
from crackers?

2. What systems do you have in place to monitor against potential
exploits?  For example, will you be using a third-party IDS
(intrusion detection system)?  Will an individual be charged with the
responsibility of monitoring and analyzing network traffic, web
server log files, etc?

3. Are there other applications running on your web server through
which a cracker could gain access to your application and/or
network?  For example, will you be running a mail service or
similar processes on your machine?  Is your data store on the same
machine?  If so, will data store access be limited to the web
application or will other applications interface as well?  If
yes, what is the security of these other applications?

4. What user roles/privileges are associated with your web application
and related dlls?  Have you limited privileges to the barest minimum
so that if an area is compromised, you are not granting unfettered
access to the entire system and/or network?

5. Does your network configuration present any vulnerabilities?  For
example, if there are internal-facing network connections, do
these present any potential vulnerabilities (i.e., an attack from
the "inside")?

I'm sure there are others, but this is a general overview of issues
you might need/want to address.  Hope it's helpful.


Jack


-----Original Message-----
From: Xiaodong(Sheldon) Yan [mailto:hisheldon@y...]
Sent: Thursday, January 23, 2003 11:22 AM
To: Security_asp
Subject: [security_asp] Security Plan.


Hi,

Need to write up the Application Design portion of a security plan for our new
web site. I am new to web development and want to know what security
issues need to be addressed in the Application Infrastructure Design.

(1) The site is hosted on an IIS/Win2k server.
(2) Microsoft Access used to store data.
(3) DLLs written in VB to talk to the Access database through ADO/ODBC.
(4) ASP/VBScript are used.

Any "design plan" available?

Thank you,

~Sheldon
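Jack's first point, limiting outside access to ports 80 and 443 and closing every other listening service, is easiest to verify by auditing what the box actually has open. The script below is an added example, not code from anyone in this thread: it parses the output of `netstat -an` as printed on a Windows 2000 host (the `SAMPLE_NETSTAT` text is constructed for illustration, not captured from a real server) and reports every socket bound to a non-loopback address that is not on the allowlist. Python is assumed here only because it is convenient to run; the same check can be done with any log-reading tool. The port 25 and 135 listeners and the UDP 161 listener in the sample are exactly the kind of "other open ports and services" the plan should account for.

```python
"""Port-exposure audit of `netstat -an` output against a web-only allowlist.

Added example for the thread above; the sample netstat text is constructed.
"""
import re
from typing import FrozenSet, List, NamedTuple


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int


# Constructed sample of `netstat -an` on a Windows 2000 web server
# (illustrative only; not output from any real machine).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:3456      ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

# proto, local addr, local port, foreign addr, optional state (UDP has none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_text: str) -> List[Listener]:
    """Return every listening socket; established/closing TCP sockets are skipped."""
    listeners: List[Listener] = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, column header, blank line
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # an existing connection is not an open door by itself
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def is_loopback(addr: str) -> bool:
    """Sockets bound only to loopback are not reachable from outside."""
    return addr.startswith("127.") or addr == "::1"


def exposed_listeners(netstat_text: str,
                      allowed_tcp: FrozenSet[int] = frozenset({80, 443})) -> List[Listener]:
    """Listeners reachable from the network that the plan does not allow.

    Only TCP 80/443 are allowed by default; no UDP service is expected on a
    web-only host, so every externally bound UDP socket is reported.
    """
    return sorted(
        l for l in parse_listeners(netstat_text)
        if not is_loopback(l.addr)
        and not (l.proto == "TCP" and l.port in allowed_tcp)
    )


if __name__ == "__main__":
    for l in exposed_listeners(SAMPLE_NETSTAT):
        print(f"UNEXPECTED {l.proto} listener on {l.addr}:{l.port}")
```

Run it against real `netstat -an` output piped from the server; anything it prints is either a service to shut down or a documented exception that belongs in the plan together with the firewall rule that covers it.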

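Jack's second point asks who will monitor and analyze the web server log files. A minimal version of that job, written as an added example and not code from anyone in this thread, is a pass over IIS W3C-extended log lines that flags the things this particular stack should worry about: any request for a `.mdb` file (the Access database must never be reachable under the web root, and a 200 response to such a request is the worst case), directory-traversal attempts in the URI, and a burst of 404s from one client, which is what a scanner probing for known paths looks like. The log excerpt (`SAMPLE_LOG`) and the field list are constructed for illustration; the field names follow the W3C format IIS writes, and the `#Fields:` header line is used so the parser adapts to whatever columns are enabled on the server. Python is assumed only for convenience.

```python
"""Detection pass over IIS W3C-extended log lines for an ASP/Access site.

Added example for the thread above; the log excerpt is constructed.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple
from urllib.parse import unquote


class Finding(NamedTuple):
    rule: str
    client: str
    detail: str


# Constructed IIS 5.0 log excerpt (illustrative; not from any real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-01-24 03:30:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-01-24 03:30:01 198.51.100.7 GET /default.asp - 200
2003-01-24 03:30:02 198.51.100.7 GET /products.asp id=12 200
2003-01-24 03:30:03 198.51.100.7 GET /images/logo.gif - 304
2003-01-24 03:30:05 203.0.113.9 GET /include/..%2f..%2fdata/site.mdb - 404
2003-01-24 03:30:06 203.0.113.9 GET /data/site.mdb - 200
2003-01-24 03:30:07 203.0.113.9 GET /_vti_bin/ - 404
2003-01-24 03:30:07 203.0.113.9 GET /admin/ - 404
2003-01-24 03:30:08 203.0.113.9 GET /cgi-bin/ - 404
2003-01-24 03:30:08 203.0.113.9 GET /scripts/ - 404
2003-01-24 03:30:09 203.0.113.9 GET /iisadmin/ - 404
"""

# A ".." path component, with either slash style, after URL-decoding.
TRAVERSAL = re.compile(r"(^|[/\\])\.\.([/\\]|$)")


def parse_w3c(log_text: str) -> List[Dict[str, str]]:
    """Turn W3C-extended lines into dicts keyed by the names in '#Fields:'."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or foreign line; a real monitor should count these
        rows.append(dict(zip(fields, parts)))
    return rows


def analyze(log_text: str, scan_threshold: int = 5) -> List[Finding]:
    """Apply three rules and return the findings in log order (scan last)."""
    findings: List[Finding] = []
    not_found: Counter = Counter()
    for row in parse_w3c(log_text):
        ip = row["c-ip"]
        stem = unquote(row["cs-uri-stem"])
        query = "" if row["cs-uri-query"] == "-" else unquote(row["cs-uri-query"])
        status = int(row["sc-status"])

        # Rule 1: the Access data store must never be fetchable over HTTP.
        if stem.lower().endswith(".mdb"):
            outcome = "SERVED" if status == 200 else "probed"
            findings.append(Finding("mdb-request", ip, f"{stem} {outcome} (status {status})"))

        # Rule 2: '..' in the decoded path or query is a traversal attempt.
        if TRAVERSAL.search(stem) or TRAVERSAL.search(query):
            findings.append(Finding("traversal", ip, stem + (f"?{query}" if query else "")))

        # Rule 3 (counted below): many 404s from one client looks like a scan.
        if status == 404:
            not_found[ip] += 1

    for ip, n in not_found.items():
        if n >= scan_threshold:
            findings.append(Finding("scan", ip, f"{n} 404 responses"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.rule}] {f.client}: {f.detail}")
```

The threshold for the scan rule and the extra fields (for instance `cs(User-Agent)` or `time-taken`) are site-specific and belong in the plan next to the name of the person who reads the output; the rule that a `.mdb` request ever returns 200 is the one that should page somebody regardless of threshold.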

