Best Practices for Accessing an Internet IIS Server?
I am setting up an ASP.NET MVC web facing application on Windows 2008. It uses SQL Server 2008 for its database. I am looking for the best methods to protect it.
I found this article but is a little out of date. How valuable is this advice still?
Some background is a personal site behind my home NAT / firewall; and I will only send ports 80 and 443. The IIS server itself is a Windows 2008 host running HyperV (I only have one physical box to spare).
One useful thing mentioned in this article (which has crossed my mind before) is that the IIS box does not have to be a member of the domain, so an attacker cannot easily get out of the box. I will remove it from the domain in a moment :)
What other tips should I (and someone deploying to a larger environment) keep in mind?
I know this is not a programming-related question (there is no source code in it!), But I guess most programmers have to go to work when it comes to deployment guidelines.
source to share
You can take a look at these two tools: Best Practice Analyzer for ASP.NET
SQL Server 2005 Best Practice Analyzer (even if you are using 2008 can still be helpful)
source to share
I don't know how to remove it from the domain, but I would of course disable LanMan hashes , keep the system fully patched, and use good password protection. Make sure all processes running in IIS are started from less privileged accounts i.e. Do not start workflows under IDs that are in local administrators.
source to share
This will be very useful, of course:
Microsoft Web Application Configuration Analyzer v2.0
source to share