Security

You must protect your system not only from unwanted intrusion by Internet hackers but also, where appropriate, from internal mischief-makers. The operating system provides a number of concepts that allow you to secure your system:

  • Authentication:– identifying who is accessing a resource, either by name and password controlled by the application, the operating system, or by Microsoft “Passport”. Access can also be restricted by the IP address of the originator, or via client certificates.
  • Authorisation:– identifying what functions the user can perform, either by interrogation of the Active Directory, or by a system of roles and permissions maintained by the application or database.
  • Data Protection:– encrypting and hiding data from public view, and the use of “digital signatures” that assure the true origin of the message and prevent unauthorised alteration of messages.
  • Auditing:– monitoring and keeping records of access using the security event log, which provides the forensic record of security events.

General Web Application Security Recommendations

  • Backup often, and keep your backups physically secure.
  • Secure your computer network and the servers physically.
  • Keep the administrator passwords secret.
  • Don’t allow users administrative privileges.
  • Close unused ports and turn off unused services.
  • Keep your virus checker up to date.
  • Download and install the latest security patches from Microsoft and other suppliers.
  • Establish and enforce a password security policy.
  • Use a firewall to connect to the Internet.
  • Monitor network activity and the event logs for suspicious activity.

Anderson Software Home. 01908 236807.