Protecting XML Web Services from Hacker Attacks (3)

Matt Powell
Microsoft Corporation
September 19, 2001
In the previous article, we discussed different types of attacks and how to configure against them. In this article, we focus on how to design and develop services to avoid attacks.
First, I would like to introduce two very good new tools developed by Microsoft® to maximize the security of your Web servers. The IIS Lockdown Tool can prevent possible attackers from accessing your Microsoft® Internet Information Server (IIS). The lockdown tool also provides an "advanced" option, where you can select the desired settings, and a "rollback changes" option, which you can select when you are not satisfied with the changes. Please try this tool.
Another important tool is the Hotfix Checking Tool for IIS 5.0. This tool queries an XML document listing all available security patches released by Microsoft (this document is continuously updated), compares it with the local installation, and reports the differences. This tool makes it easier to manage security patches for a single Web server or a large Web domain.

Design problems
When designing Web services, you must carefully consider security issues and how to minimize the risk of attacks. Many of the factors that help prevent attacks can be taken into consideration during design. For example, consider how to perform authentication or what types of errors you want to return.

Determine security requirements
In the early stages of XML Web service design, you need to determine the required security level. Some XML Web services do not require authentication at all, while others have strict requirements about who may use the service. What level of privacy is required for the data received and sent by the XML Web service? If a user of the XML Web service claims that they never made a request that your records show they made, what costs may be incurred in terms of work hours, processing capabilities, or legal fees?
First, let's take a look at authentication. Some types of authentication are more vulnerable to attack than others. At the low end, if you use HTTP Basic authentication, anyone who can see the packets on the network can see your username and password. If you send a request over the Internet, you cannot control who can view your packets. At the high end, you can consider using an SSL client certificate for authentication. This provides an encrypted channel and makes it difficult for malicious attackers to attack the packets. For more information about authentication options, see Mary Kirtland's Authentication and Authorization article in the At Your Service column.
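
To illustrate why HTTP Basic authentication sits at the low end, the following added example (not part of the original article) shows that the Authorization header is only base64-encoded, and flags requests that carry such credentials without TLS. The request path, host, credentials, and the `over_tls` flag supplied by the caller are assumptions made for illustration.

```python
import base64
import binascii

def parse_basic_credentials(header_value):
    """Return (username, password) from an Authorization header value,
    or None if it is not well-formed HTTP Basic authentication."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        # Basic credentials are base64 of "user:password": encoded, not encrypted.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")  # password may contain ':'
    return (username, password) if sep else None

def audit_request(raw_request, over_tls):
    """Classify one raw HTTP request as 'no-basic', 'basic-over-tls'
    or 'basic-in-cleartext'. over_tls is assumed to come from the listener."""
    header_lines = raw_request.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            if parse_basic_credentials(value) is not None:
                return "basic-over-tls" if over_tls else "basic-in-cleartext"
    return "no-basic"

# Constructed sample request (hypothetical path, host and credentials).
SAMPLE = (
    "POST /service.asmx HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Authorization: Basic " + base64.b64encode(b"alice:s3cret:pw").decode() + "\r\n"
    "Content-Type: text/xml\r\n\r\n<soap/>"
)

if __name__ == "__main__":
    print(audit_request(SAMPLE, over_tls=False))
```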
