Found on another web site http://www.liquidinfo.net/links/

Links - Resources\Guides

iis lockdown and urlscan http://www.securityfocus.com/infocus/1755

This explains pretty well how to install these two on a Windows box, providing good information about best practices for IIS. URLScan is useful when the URLs for the website are mostly simple; very dynamic sites could end up denying their own requests.

hackproofing ibm db2 http://www.appsecinc.com/presentatio...ng_IBM_DB2.pdf

This presentation gives you an overview of the security-measures you have to take to make your IBM DB2 installation more secure.

sql tutorial http://www.w3schools.com/sql/default.asp

This is a nice online SQL tutorial, that can be useful for web-app testers, as the syntax for SQL is a bit hard to remember if you don't use it daily. The site also hosts lots of other www-related tutorials, and is worth checking out.

www.isecom.org

It has created the OSSTMM (Open Source Security Testing Methodology Manual), the SPSMM (Secure Programming Standards Methodology Manual) and other resources. It has a very good tool list that fits a security specialist's toolbox. Worth checking out. The site also offers training & certification.

www.linuxsecurity.com

On this site you will find lots of information about securing Linux for many different roles: web server, firewall and so on. Overall this site should be a one-stop place for your needs when securing Linux. It also keeps up with the newest tools and offers advisories about various issues.

www.cisecurity.org

CIS provides methods and tools to improve, measure, monitor, and compare the security status of your Internet-connected systems and appliances, plus those of your business partners. It has nice guidelines & benchmarks that you can utilize to check that your system meets the best practices.

www.sqlsecurity.com

SQLSecurity focuses on MS SQL database security. It has a very good checklist for securing your database. The site also hosts some useful scripts that you can use to assess your SQL servers. The MS SQL server is a very flexible database and there is lots of stuff that you probably do not need enabled. This site will help you tune it tighter.

www.owasp.org

The Open Web Application Security Project (OWASP) is developing software tools and knowledge-based documentation that helps people secure web applications and web services. They have a Top 10 list of the most common web application programming mistakes and a great guide. The site also digs into various attack methodologies and how to prevent these from happening.

it baseline protection manual http://www.bsi.bund.de/gshb/english/etc/index.htm

This is a manual that digs into lots of security policies. Worth checking out if you're planning security policies for your company. The manual is really huge and touches lots of surfaces that you probably have never thought of. Check it out.

www.markusjansson.com

This site is specialized in privacy & Windows security for home users. If you feel like you don't want to be that friendly neighbourhood hacker again, point your friend to this site. A word of warning, though: these pages have quite some paranoia included. The page is available in English & Finnish.

nsa hardening guides http://nsa1.www.conxion.com/index.html

NSA has released security guides for NT, W2K, XP & Cisco. The configurations they suggest are pretty anal, so if you need some heavy security, these guides are something to look at. A word of warning, though: implementing some features might break your application, so test the settings in a quality assurance environment first.

bigadmin portal http://www.sun.com/bigadmin/

Sun's BigAdmin portal focuses on Solaris security. They have FAQs, How-Tos, discussion areas, ready-made scripts, additional resources and lots more. Worth checking out if you're managing Solaris boxes. From here you also learn of the latest vulnerabilities discovered in Solaris and the patches for them.

microsoft technet security http://www.microsoft.com/technet/tre...ty/default.asp

Microsoft has a security area in the TechNet section of its site. Here you can find how-to guides & checklists for various stuff, plus the latest hotfixes & service packs. You also find a good tool called HFNetChk that can be used for determining if some patches are missing. Check it out, there is lots of info on how to secure those Windows boxes.

networking guide http://www.comptechdoc.org/independe...working/guide/

This site holds an excellent guide to networking. It basically covers network topologies, protocols, hardware, routing, addressing and lots more. A very good network resource that gets you in the loop in no time. There is more out on the web, but I see this as a good starting point.

cert's best practices http://www.cert.org/security-improvement/

CERT has made a page that has best practices listed. There is lots of information to read. It has information about securing servers, how to respond to incidents, how to set up intrusion detection capabilities and so on.

wireless security paper http://documents.iss.net/whitepapers...N_security.pdf

ISS has released a whitepaper about wireless security. This paper has good viewpoints that should be taken into consideration when you plan to implement wireless technologies in your network/office environment. If you are into wireless stuff, read this.

securing wireless security http://www.issadvisor.com/columns/Se...ssNetworks.htm

Yet another paper from ISS discussing wireless security, giving viewpoints about its security implications. In my opinion this definitely gives good viewpoints that have to be taken into consideration before implementing any kind of wireless network in your facilities.

openbsd packet filtering guide https://solarflux.org/pf/

A very nice resource for OpenBSD's packet filter. There are lots of example rules and explanations of the inner workings of PF. A recommended site if you use OpenBSD as your firewall.

securing mysql step-by-step http://www.securityfocus.com/infocus/1726

This is quite a good guide to securing an installation of MySQL, dealing with chrooting the daemon, dealing with default accounts, and other "hardening" that should be done.