Question: Penetration testing

Hi all,

I am trying to prepare two of my ASP.NET sites for a penetration test. I wanted to garner opinion from everyone on the subject so I can be as prepared as possible. What are the top things I should be checking and how can I give myself the best chance of withstanding the attack?

Answer: Penetration testing

To elaborate, some of the things I have done on IIS web servers are:

1. URLScan to block SQL Injection - http://technet.microsoft.com/en-us/security/cc242650.aspx

2. Remove unnecessary modules on IIS like SMTP, FTP & NNTP.

3. Ensure Windows Firewall is on, blocking all but port 80 and 443 (if using SSL) - but also make sure the server is behind a physical firewall (in case the software firewall fails)

4. Run each website and each application in its own application pool and designate a user to each, restricted to its own app pool.

5. Disable all unnecessary users and if possible, keep the server off the Active Directory domain - I keep all web servers in a workgroup.

6. Stick all web servers in a DMZ on a separate subnet to your SQL and back-end servers.

7. Enable auditing in the local security policy and establish a regular routine of monitoring event logs.

8. Use Microsoft Log Parser to pipe all IIS web logs into a SQL server db and run regular queries over the table to look out for suspicious activity:
http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en

9. And finally - pay a 3rd party to regularly pen test your server! You can find a host of cheap providers out there and it's always worth having someone else pen test as they may find holes you may overlook. I can highly recommend our Cisco provider who pen tests us: http://www.giss-uk.com

I hope this helps!
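A worked example of the log review described in step 8, added here and not part of the answer above. The poster pipes IIS logs into SQL Server with Log Parser and queries the table; this Python script instead parses the IIS W3C Extended log format directly and applies the same kind of "look for suspicious activity" logic: injection-style query strings, path traversal, probes for configuration and backup files, and bursts of error responses from one client. The log lines, IP addresses, field list and thresholds are all constructed for the example.

```python
"""Parse IIS W3C Extended logs and flag suspicious client activity.

Added example, not the forum poster's own code. Assumes a standard
IIS W3C log with a #Fields: directive naming the columns; the log
content below is constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import unquote, unquote_plus

# Constructed sample log in IIS W3C Extended format (one request per line).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2011-03-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2011-03-01 00:00:01 10.0.0.5 GET /default.aspx - 80 - 192.0.2.10 Mozilla/5.0 200 0 0 15
2011-03-01 00:00:02 10.0.0.5 GET /products.aspx id=5 80 - 192.0.2.10 Mozilla/5.0 200 0 0 20
2011-03-01 00:00:03 10.0.0.5 GET /products.aspx id=5'+OR+1=1-- 80 - 198.51.100.7 Mozilla/4.0 500 0 0 30
2011-03-01 00:00:04 10.0.0.5 GET /admin/ - 80 - 198.51.100.7 Mozilla/4.0 404 0 2 5
2011-03-01 00:00:05 10.0.0.5 GET /backup.zip - 80 - 198.51.100.7 Mozilla/4.0 404 0 2 5
2011-03-01 00:00:06 10.0.0.5 GET /web.config - 80 - 198.51.100.7 Mozilla/4.0 404 0 2 5
2011-03-01 00:00:07 10.0.0.5 GET /scripts/..%2f..%2fwindows/win.ini - 80 - 198.51.100.7 Mozilla/4.0 404 0 2 5
2011-03-01 00:00:08 10.0.0.5 GET /about.aspx - 80 - 192.0.2.10 Mozilla/5.0 200 0 0 12
"""

# Detection patterns (constructed, deliberately simple; tune for your sites).
SQLI_RE = re.compile(r"'|--|\bunion\b.+\bselect\b|\bxp_cmdshell\b", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
SENSITIVE_RE = re.compile(r"\.(config|bak|zip|mdb|old)$", re.IGNORECASE)
ERROR_THRESHOLD = 3  # 4xx/5xx responses from one client before we flag it


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields:."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                # IIS may emit a new #Fields: line mid-file; always honour the latest.
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line appeared before any #Fields: directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError("field count mismatch on line: %r" % line)
        yield dict(zip(fields, values))


def analyse(text):
    """Return {client_ip: {signal: count}} for clients showing suspicious activity."""
    counters = defaultdict(lambda: defaultdict(int))
    for rec in parse_w3c(text):
        ip = rec["c-ip"]
        # IIS logs '-' for an empty query; decode %xx and '+' before matching.
        stem = unquote(rec["cs-uri-stem"])
        query = "" if rec["cs-uri-query"] == "-" else unquote_plus(rec["cs-uri-query"])
        status = int(rec["sc-status"])

        if SQLI_RE.search(query):
            counters[ip]["sqli"] += 1
        if TRAVERSAL_RE.search(stem) or TRAVERSAL_RE.search(query):
            counters[ip]["traversal"] += 1
        if SENSITIVE_RE.search(stem):
            counters[ip]["sensitive_file"] += 1
        if status >= 400:
            counters[ip]["errors"] += 1

    report = {}
    for ip, signals in counters.items():
        content_hit = any(name != "errors" for name in signals)
        error_burst = signals.get("errors", 0) >= ERROR_THRESHOLD
        if content_hit or error_burst:
            report[ip] = dict(signals)
    return report


if __name__ == "__main__":
    for ip, signals in analyse(SAMPLE_LOG).items():
        print(ip, signals)
```

Run against a real log directory by reading each `u_ex*.log` file and feeding its text to `analyse`; the same counters map naturally onto a `GROUP BY c-ip` query if you keep the Log Parser-to-SQL Server pipeline from the answer. The error-burst threshold is the knob that trades false positives (broken links, crawlers) against early warning, so set it from a baseline of your own traffic rather than the constructed value here.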