> For what it's worth, does anyone have a really thorough
> checklist and "how to" for tuning and securing IIS 5?
Yes. Microsoft does (at least for securing - tuning is covered in the IIS
Resource Kit).
Secure Internet Information Services 5 Checklist:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/iis5chk.asp
Microsoft Internet Information Server 4.0 Security Checklist:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/iischk.asp
Microsoft Technet Security:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/default.asp
You might also find the SecurityFocus IIS 4 guide useful:
http://www.securityfocus.com/focus/microsoft/iis/iissecure.html
In addition to securing IIS itself, you'll also want to secure the base OS
first. Doing this will actually prevent many common IIS attacks from
succeeding even if you don't configure it properly! There are plenty of
checklists for OS security.
Trusted Systems - Windows NT Security Guide:
http://www.trustedsystems.com/tss_nsa_guide.htm
NSA - Windows 2000 Security Guides:
http://nsa1.www.conxion.com/win2k/index.html
Finally, there are scads of books. My favorite is Stefan Norberg's "Securing
Windows NT/2000 Servers for the Internet", from O'Reilly:
http://www.oreilly.com/catalog/securwinserv/
Enjoy!
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444