Computing Facilities, Carnegie Mellon School of Computer Science, Carnegie Mellon University

Running network services on Windows

If you are running network services on Windows, including:

  • A web server such as Apache or IIS
  • MS SQL Server
  • An FTP server

or any other network services that you have installed, it is important that you keep these services up-to-date with respect to patches, and change any insecure default configurations and/or passwords that come with the software (in particular, you must change the default sa password that comes with MS SQL Server).

IIS security

If you install IIS, you must patch it before activating this service and putting it on the network. Failure to do so may result in your PC being broken into within minutes of being placed on the network. See the Microsoft IIS 5 support center for complete information on securing IIS. It is recommended that you run URLScan and the IIS Lockdown Tool to provide additional security for your web server. The IIS 5 security checklist has some additional information on steps you can take to secure IIS 5.

MS SQL Server security

Like IIS, MS SQL Server is extremely vulnerable to remote exploits if it is not patched and configured securely, and SCS hosts are constantly being scanned for these exploits. If you are running MS SQL Server, you should:

  • Make sure that it is up-to-date with respect to patches before activating the service and placing it on the network.
  • Make sure that all passwords (especially the sa password) are reset from the defaults and are strong passwords. SQL Servers here are frequently the target of brute-force password guessing attacks.

You can run the Microsoft Baseline Security Analyzer to check for needed patches and some common MS SQL security configuration issues. The Microsoft SQL Server Security Center and http://www.sqlsecurity.com have additional information on securing SQL Server.
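The checks above (patch level, the sa password, brute-force guessing) can be verified from a query window. The following T-SQL is an added example, not part of this page or a Microsoft tool; it assumes SQL Server 2005 or later (sys.sql_logins and ALTER LOGIN did not exist in SQL Server 2000) and a sysadmin connection, and the replacement password is a placeholder you must substitute.

```sql
-- Added example (not from the SCS page): audit and remediation queries for the
-- MS SQL Server points above. Assumes SQL Server 2005+ and sysadmin rights.

-- 1. Patch level. Compare product_version / product_level (e.g. RTM, SP4)
--    against the current service pack or cumulative update for this release
--    before the host is placed on the network.
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel')   AS product_level,
       SERVERPROPERTY('Edition')        AS edition;

-- 2. Authentication mode. 1 = Windows authentication only (sa and other SQL
--    logins cannot be used over the network); 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 3. Every SQL login is a target for password guessing. sa should be disabled,
--    and enabled logins should have had the Windows password policy enforced
--    when their password was set (is_policy_checked = 1).
SELECT name, is_disabled, is_policy_checked, is_expiration_checked, modify_date
FROM   sys.sql_logins
ORDER  BY is_disabled, name;

-- 4. Logins still on a blank password or a password equal to the login name
--    (the "insecure default" the page warns about). PWDCOMPARE returns 1 on a
--    match; the hash never leaves the server.
SELECT name
FROM   sys.sql_logins
WHERE  PWDCOMPARE('', password_hash) = 1
   OR  PWDCOMPARE(name, password_hash) = 1;

-- 5. Remediation for sa: set a strong, policy-checked password, then disable
--    the login so it cannot be guessed at all. Replace the placeholder first.
ALTER LOGIN sa WITH PASSWORD = N'<replace-with-strong-password>', CHECK_POLICY = ON;
ALTER LOGIN sa DISABLE;

-- 6. Detection: failed logins recorded in the current SQL Server error log
--    (log 0, type 1 = SQL Server log). A burst of these against sa is the
--    brute-force guessing described above. xp_readerrorlog is undocumented
--    but long-standing; it requires failed-login auditing (the default) to be on.
EXEC xp_readerrorlog 0, 1, N'Login failed';
```

Queries 1 to 4 and 6 are read-only and can be run repeatedly as a periodic check; step 5 changes the server and should be run once, after confirming no application still depends on the sa login.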

Other networked services

If you are running other networked services, such as Apache or an FTP server, you should regularly check the software vendor's web page or subscribe to the relevant mailing list in order to make sure that the software does not need to be patched for some recently discovered security vulnerability.