Putting Your Web Servers Under Lock and Key

Before overreacting, however, it’s important to separate fact from fiction. Despite fears of cyberterrorism, such threats have not yet materialized. I asked a number of experts whether they believed there was any connection between the attacks of Sept. 11 and the virulent Nimda and Code Red II computer worms, which appeared in the week following the attacks. The consensus: These viruses owed their timing more to coincidence than to terrorism.

According to CERT, the computer-security tracking organization based at Carnegie Mellon University, the number of security breaches hasn’t risen appreciably since Sept. 11. “Are we more conscious of what we’re looking at? Yes. That’s just good common sense,” says Marty Lindner, an Internet security analyst at CERT. “But we haven’t seen any increase in activity.”

Still, however, the events of the past month should persuade some companies to take advantage of this opportunity and ensure that their systems are safe. Here’s a brief rundown of what security experts recommend right now.

Use Microsoft servers with care. Both Nimda and Code Red II took advantage of weaknesses in the design of Microsoft’s Internet Information Server (IIS), the popular Web server that’s part of Windows 2000. That led John Pescatore, research director for Internet security at Gartner, to conclude that companies using IIS had better take a long, hard look at their systems.

It’s not that IIS is fundamentally insecure, Pescatore says, but that corporations using it don’t always take the steps necessary to lock it down. The problem is compounded by the fact that companies often choose Microsoft because it’s easy to expand their server farms by plugging in cheap Windows servers. The result: While a Unix shop might have only one or two big servers to secure, Microsoft-based outfits often have dozens of Windows servers, all of which need to be secured separately. Fortunately, doing so is a relatively simple matter: Network administrators need to adjust security settings on each server, and also download and install the latest security patches from Microsoft. The trick is making sure every server gets this treatment — which is a work process issue more than a technical problem.

Microsoft announced plans last week to change the default configuration of IIS so that it’s more secure. In the meantime, Pescatore says, “if you’re going to stay on IIS, then you have to improve your security processes.” And if you can’t do that, then you’d better switch to a different server.

Turn off unused services. If your servers have features that you aren’t using, they may be providing an entry point into your network — even if you have a secure firewall. Play it safe and turn off any server features or services you aren’t using, such as Windows file sharing, support for CGI programs, built-in server or network monitoring tools, and the like. Here again, Microsoft users need to watch out. CERT’s Lindner points out that IIS is included in every installation of Windows 2000. As a result, he says, “there’s a lot of IIS out there that people don’t even know they’re running.” If you’re running Windows 2000 and you haven’t turned off or secured IIS, you may be leaving the backdoor wide open to hackers.

Use virus software and keep it up-to-date. One thing that security experts agree on is that virus software can be effective — for corporate servers as well as desktop computers. The key is to make sure you keep your virus scanner updated with patches from the vendor, which will ensure that it can screen out the newest viruses. Leading vendors of antivirus software for servers and desktop computers include Network Associates, Symantec, Trend Micro, and F-Secure. Most offer automatic updates or notification services to help you keep on top of the latest viral threats.

Require users to choose strong passwords. All your security measures are for naught if one of your employees chooses an easy-to-guess computer password, or if your system has user accounts that don’t require passwords at all. For safety’s sake, eliminate any accounts that have no passwords or that have obvious passwords (such as the word “password” or the user’s login name). Then require employees to use sophisticated passwords (including numerals as well as letters) and change them every month.

Stay on top of the latest threats. Last week the FBI’s National Infrastructure Protection Center and the Systems Administration, Networking and Security (SANS) Institute released a list of the top 20 threats to Internet security. The list addresses threats to Unix and Windows servers as well as general Internet security hazards. It should be required reading for your company’s network administrators.

Implementing better security doesn’t have to be expensive — in many cases it’s simply a matter of changing software settings to eliminate common vulnerabilities. Make it a priority now, before those deficiencies turn into security breaches.