Create a bastion host IIS machine
Recent Code Red attacks on hundreds of thousands of Windows 2000 and Windows NT-based Web servers show that building bastion hosts is still something that only rich companies can afford. I show you how you can have the same level of security on your Web server without spending big bucks on firewalls and security consultants. Here's a step-by-step guide for building a bastion host Web server.
Install a Clean Copy of Win2K Server
I recommend installing a clean copy of Win2K Server by booting from the setup CD-ROM and installing the new OS onto a freshly formatted server. (Before you reformat the hard disk, make sure that you back up all important files from your old server.) If you upgrade from NT Server rather than perform a clean Win2K installation, many of the steps are the same. However, be aware that leftover NT files can make your server more vulnerable.
If your server has just one hard disk, I recommend that you partition it. Ordinarily, I use one partition (e.g., C) as a system disk to hold all system files and another partition (e.g., D) to hold all Web content. You can create additional partitions to hold different kinds of files (e.g., scripts, static content). Partitioning adds one more level of security to your Web server. Even if intruders gain access to a disk that contains Web content, they must still break into the system partition to reach the OS. (Of course, all partitions should be NTFS. FAT and FAT32 partitions have no file-level permissions and are absolutely insecure.) Unfortunately, Win2K setup doesn't let you choose the directory for Microsoft Internet Information Services (IIS) 5.0. Thus, moving the Web server's content and binaries away from the system files to another partition isn't easy. I suggest that you make your Web server a standalone server. If you add the Web server to your domain, you risk giving intruders access to your entire network. . . .
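The three checks this section asks for (every fixed disk formatted NTFS, Web content kept off the system partition, and the server not joined to a domain) are easy to verify before the box goes online. The script below is an added example, not code from the original article; it assumes a Windows version with PowerShell and WMI available (Win2K itself lacks PowerShell, but the same WMI classes exist there and can be queried from a script host), and the content path `D:\wwwroot` is an assumed value you should replace with your own.

```powershell
# Added example: audit a Web server against the partitioning and domain advice above.
# Assumption: $ContentRoot is where you placed the Web content (replace with your own path).
param(
    [string]$ContentRoot = 'D:\wwwroot'
)

$findings = @()

# 1. Every fixed local disk (DriveType 3) must be NTFS; FAT/FAT32 cannot carry ACLs.
$fixedDisks = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 3'
foreach ($disk in $fixedDisks) {
    if ($disk.FileSystem -ne 'NTFS') {
        $findings += "Volume $($disk.DeviceID) is $($disk.FileSystem), not NTFS: no file-level permissions possible."
    }
}

# 2. Web content should live on a different partition from the OS.
$systemDrive = $env:SystemDrive            # e.g. 'C:'
$contentDrive = (Split-Path -Qualifier $ContentRoot)  # e.g. 'D:'
if ($contentDrive -ieq $systemDrive) {
    $findings += "Content root $ContentRoot sits on the system drive $systemDrive; move it to its own partition."
}
if (-not (Test-Path $ContentRoot)) {
    $findings += "Content root $ContentRoot does not exist; check the assumed path."
}

# 3. A bastion host should be a standalone server, not a domain member.
$computer = Get-WmiObject -Class Win32_ComputerSystem
if ($computer.PartOfDomain) {
    $findings += "Server is joined to domain '$($computer.Domain)'; a bastion host should be standalone."
}

# Report: zero findings means the server meets all three recommendations.
if ($findings.Count -eq 0) {
    Write-Output 'OK: all fixed disks are NTFS, content is off the system drive, server is standalone.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    exit 1
}
```

Run it from an elevated prompt on the server itself; a non-zero exit code makes it easy to wire into a pre-deployment checklist so the host cannot be published until every finding is cleared.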