Security

A good start would be to use a Linux distribution with Apache web server. I use and recommend Debian. It's updated regularly, and usually has the latest security patches that can be automatically updated using dselect.

In addition, you want to limit the ports that are available to the outside world. Only have ports you absolutely need running, for example port 80 for http, and 443 for https. I would also recommend using SSH verses ftp or telnet to maintain your site, since SSH provides encryption.

The Linux kernel can also be compiled with firewalling options. You can run it on the same server that your web site is running on, but it's generally better to have a seperate system that serves as a firewall.

The Linux with Apache is a good suggestion if you have people who are good with Linux. Otherwise stick to IIS4... I know its not the most secure but it can be locked down quite well. An ideal solution would be to stick it behind a firewall but if you can't be sure to disable all ports except the ones you really need. Unbind protocols that are not needed and so on. If you are going for an NT option check out the NSA Windows NT Security Guidelines. This will help you secure the box to a high level. If you want specific information mail me...

Even though NT with IIS is one of the hardest to secure, if you'd prefer to run IIS for ease of use, here's a good tip for locking down the system: Disable the "Server" and "Workstation" services on the web server, or unbind the NetBIOS Interface from the network adapter. This disables remote communication and control using the standard Microsoft methods, including drive sharing. Thus, the only way someone could get into the system is through a weakness in the ASP scripting or permissions. (Note that you'd have to update the pages by FTP after this procedure!)

Setting up a firewall

The platform you select will most likely be chosen because of:

1 - familiarity ... Unix people WON'T choose Microsoft
2 - easy to support ... Microsoft people WON'T choose Unix
3 - cost ... Linux/Apache people! Please don't tease the others! But don't forget soft costs, such as training and support.
4 - application/tools ... Perl, Java, Apache can be done on NT, but thrive in a Unix world
5 - security ... I just threw this one in because it is NEVER fournd in this list. The previous 4 reasons always seem to count over security.

Security is never an absolute - so www.cert.org and www.sans.org should be in your "autofetch" browser favourites.

paul johnston
opinions expressed are my own, but I'm willing to share