SANS InfoSec Reading Room - Web Servers
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.
Featuring 20 papers as of Jan 8, 2009
A Reverse Proxy Is A Proxy By Any Other Name
- By: Art Stricek (posted on January 18, 2007)
This paper will cover the concept of a Reverse Proxy by defining what it is and how it differs from a forward proxy. We will cover the benefits and drawbacks of using this technology as a part of our network infrastructure, along with the security advantages and possible risks.
Secure Session Management: Preventing Security Voids in Web Applications
- By: Luke Murphey (posted on May 5, 2005)
Internet users all over the world are using web-based systems to manage important data for them such as bank account and healthcare information. Users assume that these systems are securely designed but many web applications have severe security flaws that allow simple attacks to succeed.
Securing an IIS Web Server Using Novell’s iChain
- By: Jeff Hermans (posted on May 5, 2005)
Web servers are exposed to many threats simply by being reachable from the Internet. Although the security built into web server products is improving, adding independent layers of protection to the security design pays off in almost any deployment.
A Guide to Discovering Web Application Insecurities, Before Attackers Do
- By: Don Williams (posted on March 9, 2005)
It is all over the news: web-based attacks are climbing, month over month, year over year. Even as companies attempt to combat such attacks, attackers are devising new methods to infiltrate systems. In case you were on a reality show for the last few years and missed the latest news, just take a glance at these alarming statistics.
Authentication and Session Management on the Web
- By: Paul Johnston (posted on January 28, 2005)
This paper discusses how a web site's security requirements are met, looking primarily at how users are authenticated and how login sessions are maintained. It starts with the security measures already present in a basic website, then surveys the options for authenticating users in general, concluding that passwords are the only viable option.
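The two session-related abstracts above (Murphey's on session management flaws and Johnston's on authentication and login sessions) describe problems without showing the controls. The following is an added example written for this index, not code from either paper: a small server-side session store showing the four controls practitioners usually look for first, namely unpredictable session IDs, ID rotation at login (against session fixation), idle and absolute expiry, and cookie flags that keep the ID away from scripts and cleartext channels. The class name, the timeout values and the injectable clock are assumptions made for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    user: Optional[str]            # None until the user has authenticated
    created: float                 # unix time the session was issued
    last_seen: float               # unix time of the last request on it
    data: dict = field(default_factory=dict)


class SessionStore:
    """In-memory session store (example name) for a web application."""

    IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before the session dies (assumed value)
    ABSOLUTE_TIMEOUT = 8 * 3600  # hard cap on session lifetime, regardless of activity (assumed value)

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be exercised deterministically
        self._sessions = {}      # sha256(session id) -> Session

    @staticmethod
    def _key(sid: str) -> str:
        # Store only a hash of the ID: a leaked dump of the store cannot be replayed as cookies.
        return hashlib.sha256(sid.encode()).hexdigest()

    @staticmethod
    def _new_id() -> str:
        # 256 bits from the OS CSPRNG; never derive IDs from time, counters or user names.
        return secrets.token_urlsafe(32)

    def create(self) -> str:
        sid = self._new_id()
        now = self._clock()
        self._sessions[self._key(sid)] = Session(None, now, now)
        return sid

    def get(self, sid: str) -> Optional[Session]:
        key = self._key(sid)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > self.IDLE_TIMEOUT or now - sess.created > self.ABSOLUTE_TIMEOUT:
            del self._sessions[key]   # expired: remove it so it cannot be revived later
            return None
        sess.last_seen = now
        return sess

    def login(self, sid: str, user: str) -> Optional[str]:
        """Bind an authenticated user to the session; call only after the credential check passed.
        Returns a NEW session id: rotating the ID at authentication defeats session fixation,
        where the attacker plants an ID before the victim logs in and reuses it afterwards."""
        old = self.get(sid)
        if old is None:
            return None
        del self._sessions[self._key(sid)]        # the pre-login ID must stop working
        new_sid = self._new_id()
        now = self._clock()
        self._sessions[self._key(new_sid)] = Session(user, now, now, old.data)
        return new_sid

    def logout(self, sid: str) -> None:
        # Invalidate server-side; clearing the cookie alone leaves the session usable.
        self._sessions.pop(self._key(sid), None)

    @staticmethod
    def cookie_header(sid: str) -> str:
        # Secure: never sent over plain HTTP.  HttpOnly: unreadable by page scripts (limits XSS theft).
        # SameSite=Strict: not attached to cross-site requests (limits CSRF).  No Expires: dies with the browser.
        return f"Set-Cookie: sid={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"
```

The store is keyed by a hash of the ID rather than the ID itself, so a database or memory dump does not hand an attacker working cookies, and `get` deletes an expired entry on sight rather than relying on a separate sweeper that may never run.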
Domino Web Server
- By: Karen Zwolski (posted on May 2, 2004)
Lotus Notes/Domino is a widely used group collaboration and messaging platform originally designed to work in a client-server architecture using proprietary protocols. The client is known as Notes, and the server is known as Domino.
Web Authentication Security
- By: Donna Selman (posted on November 6, 2003)
This document discusses several web authentication security techniques: Digest Authentication, Database Authentication, Anonymous Authentication, and N-Tier Authentication, used to provide web browser clients access to the file systems on their host computers.
Security Elements of IIS 6.0
- By: Anthony DeVoto (posted on November 5, 2003)
This discussion will focus on the security elements of IIS 6.0 as well as the security improvements made to those elements in this release.
Securing IIS within an Outlook Web Access 2000 environment
- By: Dave Munger (posted on October 31, 2003)
The purpose of this document is to show you how to harden Internet Information Services 5.0 (IIS 5.0) on a Windows 2000 server where OWA is running.
Security Strengths and Weaknesses of Two Popular Web Servers
- By: Brad Bell (posted on October 31, 2003)
This paper examines the security strengths and weaknesses of two web servers, Apache and Microsoft's Internet Information Server.
Securing Microsoft's Internet Information Server 5.0
- By: Ben White (posted on October 31, 2003)
This paper will provide IIS administrators with the steps to secure their web server installations.
Proactively Guarding Against Unknown Web Server Attacks
- By: William Geiger (posted on October 31, 2003)
The premise of this paper is to review various ways of protecting web servers from unknown attacks over port 80. The author examines the technology, explains why it is effective, and identifies areas where further diligence is required.
Understanding IIS Vulnerabilities - Fix Them!
- By: Nor Azuwa Pahri (posted on October 31, 2003)
This paper examines the vulnerabilities of Internet Information Server/Services (IIS).
Securing a Windows 2000 IIS Web Server - Lessons Learned
- By: Harpal Parmar (posted on October 31, 2003)
This paper offers detail on some of the quirks to watch for while securing an IIS server.
Using Open Source Software to Proxy, Authenticate, and Monitor User Web Habits
- By: Jason D. Gregg (posted on October 31, 2003)
This paper will attempt to address what time and again is a problem for network and security administrators: monitoring user access to the Internet in an environment where blocking resources may not be ideal, cost effective, or in accordance with company policy.
Securing Microsoft Web Applications - A Guide for Systems Administrators
- By: Matt Pogue (posted on October 31, 2003)
The purpose of this paper is to provide systems administrators with a high-level overview of some of the major security considerations surrounding web applications that utilize Microsoft's Internet Information Server, SQL Server and Component Object Model (COM+), as well as links to in-depth technical information that expands upon the high-level topics discussed here. The author also discusses considerations for writing secure code, implementing secure DNS services, and packet filtering/proxy configurations, and explores the need for more interaction between systems administrators and development staff during the initial planning and design phases of the development cycle.
Web Application Security, with a Focus on ColdFusion
- By: Joseph Higgins (posted on October 31, 2003)
This paper examines two aspects of securing web applications (the scripting language and the application code) by focusing on ColdFusion (CF): the default installation, two-step attacks, remote development, security holes in the code, and input encryption, which are the major issues in most web applications.
Securing e-Commerce Web Sites
- By: Ariel Pisetsky (posted on October 31, 2003)
The author explores how to build a secure e-Commerce web site.
Basic IIS 5.0 Default Web Server Security
- By: Terri Carroll (posted on October 31, 2003)
Outlined in this paper are steps for securing an Internet Information Server; these steps would have provided enough protection to shield many systems from the Code Red worm and may have helped prevent the spread of Nimda, two of the most widespread worms to have affected IIS systems.
Using Microsoft's IISlockdown Tool to Protect Your IIS Web Server
- By: Jeff Wichman (posted on October 31, 2003)
Instructions for the IISlockdown tool, including common exploits against IIS servers, best practices for installing the tool, and tools for testing the server after the installation.