tags:

views:

222

answers:

2
+2  Q: 

Foundations of Network Security (IIS, SQL, RDP, etc) for a Developer

Not sure if anyone listened to Hanselminutes episodes 134 and 135, but at the end of show 135 Scott Hanselman had a lot of great advice on how to setup a baseline secure environment for a web application. As a developer, most of my time is focused on developing the application, not on the network facet of the project, however as a startup, this is still an important component, and without a security consultant, how does one achieve and properly setup the same knowledge Scott had on the subject?

I guess I'm looking for some reading (book, article, website) on the topic that would help me understand Scott's recommended approach for setting up a secure network environment to host the application. IIS, SQL Server, Firewall, updating the site without having to use 'Remote Desktop' (to avoid any RDP vulnerabilities), etc.

p.s. Jeff - nobody is faulting you for not having any money for the additional servers, we know you would if you could afford it. Don't take that 'banker' crap from Scott, that guy has been working at Microsoft for too long and forgot what it's like to be broke as a startup... hahaha.

Edit: To be clear, I'm not talking about code security, I'm talking about encrypting traffic between servers, network topology, firewalls, etc.

Edit #2: Changed topic.

+2  A: 

owasp would be a good place to start.

dove  2008-11-03 14:58:26
This contains more information about code security, and not network configuration.
Kyle B.  2008-11-03 15:01:10
+1  A: 

Since you're an ASP.NET person, you might look at the Microsoft Press book Improving Web Application Security ISBN 978-0735618428. The entire text is hosted on MSDN here. There are also dead tree versions and ebook versions available.

I would in particular point out these chapters:

Chapter 5: Architecture and Design Review For Security

Chapter 15: Securing Your Network

Chapter 16: Securing Your Web Server

Chapter 17: Securing Your Application Server

Chapter 18: Securing Your Database Server

Admittedly its a bit out of date (.NET 1.1, IIS 5.0, SQL Server 2000) but the basic principles are there.

Tim Farley  2008-11-03 18:48:58
This is an excellent answer. Thank you for posting this, not sure why I had missed it originally. Perhaps I didn't wait long enough for a response. Thanks!!!
Kyle B.  2008-12-23 18:54:11

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?