Chapter 8. Securing the server

 

Any time you “plug” something into the internet—a web server, mail server, or your phone for the latest sport scores—you’ve opened up a hole that some malicious person (or bot) can attack. You already know this. Preventing these attacks is a constant battle.

Can you prevent all possible attacks from the internet with 100% certainty? Yes, if you don’t attach anything to the internet. That’s unreasonable, so the goal is to protect your web server (and therefore your customers) as best you can within the budget you have available.

Internet security is a vast and complicated topic, and I can’t cover it all in a single chapter. My goal in this chapter is to show you the types of attacks that may affect you and suggest a common-sense approach with hardware and software firewalls to secure your web server. You’ll implement built-in IIS features such as IP/domain restrictions to assist in the effort. I want you to have additional resources if you need to go deeper. You’re not alone in this endeavor. Between the developers writing the applications, Microsoft updating and patching IIS to prevent security weaknesses, and your overall network security (firewalls), you can provide a reasonably secure environment.

So far in this book you’ve built and secured the websites for the WebBikez bike shop. Now the focus changes to securing the web server. Let’s first look at who and what is attacking you and how to prevent those attacks.

8.1. Network protection for IIS

8.2. Adding additional security

8.3. Monitoring process for hacking

8.4. Lab

8.5. Ideas to try on your own