Microsoft KB Archive/311184

= How To Perform Security Planning for Internet Information Services 5.0 =

Article ID: 311184

Article Last Modified on 7/1/2004


APPLIES TO


 * Microsoft Internet Information Services 5.0




This article was previously published under Q311184



IN THIS TASK
SUMMARY
 * Assessing Security Threats
 * Security Policies

REFERENCES



SUMMARY
This article describes how to assess security threats and suggests how to implement security policies. A member of the Administrators group who is familiar with your existing network security should make recommendations about Internet Information Services (IIS) security policies.


Assessing Security Threats
To plan the security of your Web site effectively, you must:
 * Keep pace with changes in business that might require new security measures. For example, e-commerce requires encryption of private information that is sent over the Internet.
 * Identify and assess threats to the security of your online assets. For example, if you open your corporate intranet to access by employees from their homes, their user IDs and passwords are assets that become vulnerable to the threat of exposure on the Internet.
 * Prioritize threats according to potential exposure and recovery costs. For example, if customers can purchase services from your Web site, determine which assets would be exposed and what the cost would be to secure them.

In the emerging online business environment, accurate threat assessment is vital to achieving cost-effective security for assets that are shared over the Web within your organization, as well as among your business partners and customers.


Security Policies
Design your Web site security policies to achieve realistic goals at a reasonable cost. Although Web sites differ from one another, they share some fundamental goals involving the strength of their security, its cost, and the means of achieving a secure site. To meet these goals:
 * Provide strong security that is consistent with access requirements.
 * Certify that all personnel who administer security are fully competent to enforce the security policy consistently and accurately. Make sure that all users accept their responsibility to comply with this policy.
 * Keep security implementation costs consistent with the need for strong security. Security must scale up efficiently as sites expand.
 * Adopt technologies, standards, and practices that are adaptable to changing conditions and new developments.
 * Choose technologies that allow you to fully integrate security monitoring and management into network and user account administration. A single interface for security and administration enables you to have efficient and timely security monitoring.
 * Adopt Internet community standards for communication between your Web site and Internet destinations, including the security of communication. The adoption of Internet standards yields low-cost startup and good scalability because the standards are widely supported by your customers and business partners.


