I have recently become aware that the web servers on some of the systems I run will have to be made world accessible within the next few months or so.
Currently they are accessible only within the boundaries of my employer's network, but in preparation for the web servers to be made world accessible, I realise that I'm going to have to be a lot stricter on system security and related areas (auditing, policies, locking down service accounts etc) than they are at the moment.
I'm looking for recommendations on books, online training material relating to IT security concepts and theory, best practice with the platforms detailed below and knowledge of certificates and other general security techniques applicable in my situation, useful web links etc.
I've looked into the security certifications available - in my case the Security+ and/or Microsoft 70-299 courses/exams look applicable, but what do people think about these in my circumstances?
I'm not too bothered about getting a piece of paper at the end of it, but I realise that proven IT security knowledge can be a boon in today's workplace, although my employer doesn't really think much of certifications as a whole.
I'm familiar with the basics (usernames/passwords, group policies, ACLs, security templates, renaming administrator and guest accounts etc) so it needn't cover those, but more intermediate to high level suggestions would be most welcome.
The platforms that I need to cover are:
Windows 2000 and Windows 2003 (standalone hosts) with applications using a mix of SQL Server 7, SQL Server 2000 and MySQL 5 database servers with IIS 5 and 6 web servers.
I may be able to get SQL Server 7 boxes out of production use by the end of this year, but this is not yet a given.
Basic precautions such as keeping the servers up to date with vendor operating system and application patches and service packs, strong administrator level passwords, disabled guest account etc are applied on all hosts as are daily automated full backups of databases and system state data with weekly full system backups to another host and offsite.
A couple of the applications that need to be made publicly accessible are home grown, developed by people without reasonable knowledge of IT security requirements, thinking that it was alright for internal use only without consideration of my employer's requirements as a whole.
These are of far more concern to me than the commercial applications.
Regards,
John