
Security training material and advice 1

Status
Not open for further replies.

jrbarnett

Programmer
Jul 20, 2001
9,645
GB
I have recently become aware that the web servers on some of the systems I run will have to be made world accessible within the next few months or so.

Currently they are accessible only within the boundaries of my employer's network, but in preparation for the web servers to be made world accessible, I realise that I'm going to have to be a lot stricter on system security and related areas (auditing, policies, locking down service accounts etc) than they are at the moment.

I'm looking for recommendations on books, online training material relating to IT security concepts and theory, best practice with the platforms detailed below and knowledge of certificates and other general security techniques applicable in my situation, useful web links etc.
I've looked into the security certifications available - in my case the Security+ and/or Microsoft 70-299 courses/exams look applicable, but what do people think about these in my circumstances?
I'm not too bothered about getting a piece of paper at the end of it, but I realise that proven IT security knowledge can be a boon in today's workplace although my employer doesn't really think much of certifications as a whole.

I'm familiar with the basics (usernames/passwords, group policies, ACLs, security templates, renaming administrator and guest accounts etc) so it needn't cover those, but more intermediate to high level suggestions would be most welcome.

The platforms that I need to cover are:
Windows 2000 and Windows 2003 (standalone hosts) with applications using a mix of SQL Server 7, SQL Server 2000 and MySQL 5 database servers with IIS 5 and 6 web servers.
I may be able to get SQL Server 7 boxes out of production use by the end of this year, but this is not yet a given.

Basic precautions such as keeping the servers up to date with vendor operating system and application patches and service packs, strong administrator level passwords, disabled guest account etc are applied on all hosts as are daily automated full backups of databases and system state data with weekly full system backups to another host and offsite.

A couple of the applications that need to be made publicly accessible are home grown, developed by people without reasonable knowledge of IT security requirements, thinking that it was alright for internal use only without consideration of my employer's requirements as a whole.
These are of far more concern to me than the commercial applications.

Regards,

John
 
My research so far has uncovered the following items, which I thought other readers may be interested in:

Software:

SQL Server 2000 Best Practices Analyzer:

IIS Lockdown Tool 2.1

Book:
The Database Hacker's Handbook: Defending Database Servers
(note - if you have responsibility for any database servers, this book is worth its weight in gold and deserves a place on your office bookshelf).

Article:
MySQL Best Practice:

John
 
Security+ is a foundation course, but it's actually very good in terms of best practice advice.

A lot of it is common sense. Windows SCAT is good (never used it on Win2k but it's great on Win2k3).

Items like a good AV, a host and network based IDS would be recommended, budget permitting, as well as an enterprise grade firewall. (If you're on a budget then any will do, but SPI should be a basic requirement.)

Disable any non-required services, enable auditing etc.

If you're thinking about security then you're 2/3rds the way there.

Good Luck,




Steve.

"They have the internet on computers now!" - Homer Simpson
 
Steve,

I've been thinking very hard about this, and have been investigating solutions over the last few weeks. I know you're right, I'd come to the same conclusions myself.
I've got a solution for one of the affected applications, but there's another one that I still have to resolve several issues with before I'm happy to go live to the outside world. Until then, the firewall ports stay well and firmly closed.

John
 
I've no idea how I missed in my initial research but let me remedy that now.

It's a goldmine for ideas and practical advice plus scripts on how to secure Microsoft SQL Server database servers.

John
 
I have been compiling a list of security related links, you can find it at faq1117-5192. If you find any additional ones let me know and I will add them to the FAQ.
 
I too have been considering furthering my education by taking the SANS Security 401 On Demand course. Has anyone any input on the quality of this home study course? It's a $3000 course so I would like some feedback before I spend my money. Thanks, Tom
 