It just goes to show you that any networked device that is publicly avialable is a candidate for being hacked. Web servers that are not properly secured can have privledged information published by none other than Google. I was thinking that these days people had a bit more consiousness about web server security but I live in a world where people are really focused on such priorities. All too often, the person installing the web server is not skilled enough to do so properly, but nevertheless it falls to them to get the office web server on the internet somehow. Sites like this are prime candidates for leaching privledged info onto a search engine or being compromised by by attackers due to improper configuration.
http://www.pcw.co.uk/news/1157132
If you're reading this and going "yeah that's me, but am I supposed to do", here are a few tips.
1. Browse your website completely. View everything that's viewable. Make sure that what you want is all that's exposed. You can find software that will make a list for you of all available content.
2. Use a firewall to restrict all but port 80 on your public NIC.
3. Install intrustion detection software on your server.
4. Keep your server patched with the most recent hotfixes. You're a SERVER admin now.
5. On IIS 5, read the article at http://www.iisanswers.com/articles/IIS_Lockdown/IISLockdown.htm and run the IIS Lockdown tool. Move to IIS 6 ASAP. With IIS 6 verify your NTFS permissions don't allow the IUSR account to do anything you don't require. If you don't know what NTFS or the IUSR account are, STUDY NOW.
6. Move your content to a drive other than the C: drive.
7. If the information on your server is important and you would be really seriously impacted if the information or server was compromised (keeping in mind that all computers and devices connected to the IIS server are likely to be compromised as well), then purchase or hire a simple penetration testing service or software. This can save you!
There is a great deal more of course, but these tips are directed toward actions that an inexperienced admin can take to keep them out of trouble.
-brett
End of Article
.
8. Recycle some older hardware and load up a free version of one of the many, much more secure Linux OS's and run Apache.
Anonymous User December 17, 2004