What services should I turn off/disable on my Web server and database server? My Web server is a Windows 2000 Server running IIS and ColdFusion; I connect to it frequently via FTP to upload and download files and via Terminal Server for remote administration. My DB server is also a Windows 2000 Server with MS SQL Server and Access databases; it connects to my Web server via an internal network link and has no public outside access, with the exception of FTP and Terminal Server access for me. Your recommendations are greatly appreciated.
Step one is to immediately upgrade to Windows Server 2003 on your public-facing web server. IIS on Windows 2000 Server (i.e., IIS version 5) is as secure as Swiss cheese and you will be hacked sooner or later if you haven't already been. Once you've upgraded to Windows Server 2003, check out one of my SearchWindowsSecurity.com tips on locking down services on WS2003 machines.