Ethical Hacker Community Forums
December 02, 2008, 08:33:53 PM *
  Show Posts
1  Ethical Hacking Discussions and Related Certifications / Other / Re: Auditing Folder Access in Windows on: August 16, 2007, 07:28:36 AM
You may want to remove some of the more curious users' tendencies by hiding the folders they shouldn't be poking around in the first place. :)


Have a look at this:

http://www.windowsnetworking.com/articles_tutorials/Implementing-Access-Based-Enumeration-Windows-Server-2003.html
2  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: IIS6 on: August 08, 2007, 04:08:01 AM
There are zero reported IIS 6, which is a good thing ;D

Run a good, updated anti virus, patch the server regularly and make sure you run everything with the least privileges possible on the web site. Don't forget to lock down the server!

Here are MS's guides to IIS 6 security and best practices:
http://technet2.microsoft.com/windowsserver/en/technologies/featured/iis/default.mspx


Have fun here. :)
3  Ethical Hacking Discussions and Related Certifications / Certification / Re: path to a security job on: August 04, 2007, 07:31:47 AM
Hello Spyder,

Negrita pretty much covered everything, but here are a couple of other thoughts.

Build yourself a test lab and practice. There are plenty of excellent online guides and demos to build your skills and experience. Once you get an idea of where your strengths and weaknesses lie, then you can work on certification in those areas.

Remember, certs get you into an interview, experience helps get the job ;-)

This might be helpful:

http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,1497.0/
4  Ethical Hacking Discussions and Related Certifications / Other / Re: Escalating priveledges in xp on: August 04, 2007, 06:43:50 AM
Both SANS and NIST have good policy templates to start with. Have a look through those and tweak them for your own needs:

http://www.sans.org/resources/policies/?ref=3731
http://csrc.nist.gov/

5  Resources / News from the Outside World / Madness from the Wall Street Journal on: August 02, 2007, 03:33:22 AM
"Ten Things Your IT Department Won't Tell You" should be renamed "How to get Fired Real Quick for breaking policy!"

There's been a lot of chatter on various mailing lists and forums, so I thought to share the joy ;-)

Read it and weep:

http://online.wsj.com/article/SB118539543272477927.html?mod=fpa_mostpop

I'm still quite amazed they haven't followed up with "How to steal the Boss' car" or "De-Fraud your Company - 10 ways how not to get caught!"

6  Ethical Hacking Discussions and Related Certifications / Other / Re: San Fran - One big happy broadcast domain on: July 30, 2007, 06:59:09 AM
I'm not too sure smart bad guys will use this.

With hundreds of thousands of open WAPs kicking around, why go to one where smarter people might be watching and prepared to do something about it?
Wouldn't you go for the Linksys/Netgear one the family down the street has just plugged in and left open?

If you have some hard core volunteers driving this, the community could effectively enforce good behaviour or capture data on those that break the rules.

Bad guys will always be around, but as long as there are people prepared to step up and find ways to track them down, they'll stay a minority.
Security, technology and people will adapt to rise to the new challenges.

That's where places like EH-net help the next gen become part of the security effort.

But personally, security worries aside, I think this is an amazing step forward in a free, connected world for everyone and anyone.

With efforts like a laptop for every child, getting more people on the 'net is critical to provide a level playing field for everyone, anywhere in the world.

7  Ethical Hacking Discussions and Related Certifications / GCIH - GIAC Certified Incident Handler / My review on the GCIH Course - @ a SANS Conference on: July 29, 2007, 07:37:07 AM
The Course : http://www.sans.org/training/description.php?tid=243&portal=aac39eb42ef37be50c05d08e7ec797d3

Quick background - I come from a network background and spend a good deal of time hardening and protecting systems from their users and sometimes bad guys.
I wouldn't rate my attacker skills past a very limited script kiddie on a good day. :-)
The companies I've worked for engaged pen testers to find the holes, then I work with them to understand and fix those holes.

I had the chance to attend a SANS conference as a volunteer, http://www.sans.org/training/volunteer.php - so jumped at the opportunity to see life from the other side of the fence.

I won't go into what happens as one of the volunteers, it’s great fun but long hours!

The course is 6 days in length. Five days of labs and lectures followed by day six, the hacking challenge (more on this later), starting at 9am and finishing around 5pm, with breaks and lunch.

The class was just under 30 people of all backgrounds. We had military, government, education, law enforcement, a number of Fortune 500 and a mix of random folks. Ages ranged from early 20's up to people who'd worked with VAX systems when they were new and shiny - obviously in their late 100's :-)

We got a book for each day, a couple of cheat sheets and a CD containing a VMware image of a pre-built Linux system, loaded with tools for the coming practicals.

Our instructor was Mike Poor, a good friend of, and works with, Ed Skoudis, the course author. I'd been in Mike's phenomenal Intrusion detection SANS class the year before, so knew I was in for a crammed 6 days. He covers not only the course work, but real world events he actually worked on and interacts with the class to get the best of their experiences too.
Mike loves to run demos, so you spend a great deal of the time watching him perform the slides, rather than talk through them. I found watching someone else go through the process first made it easier to attempt it later on myself.

The first day is all about the basics of incident handling. Making sure you have the backing plans, knowledge and tools ready to deal with incidents in the IT field. It's the “talked at” day as it covers a wide breadth of information ranging from dealing with the law to what you should have in your incident response bat utility belt.
I could see a number of the class twitching to get on the “good stuff” but I like having a plan before playing with fire. It saves getting burnt too badly. The evening held an intro to VMware and Linux for us poor unenlightened Windows types.

Days two to five plunged into hacking tools and techniques and kept going. From the seemingly shallow water of Google hacking and Netcat, into the colourful Windows exploits, Linux privilege escalation, versatile Metasploit, crashing in the murky deeps of buffer overflows and Format String Attacks.
Mike used the books as a reference point, but took us off exploring and experimenting with the tools against our own systems and with the Linux system VMware image.

Despite the different skill sets, backgrounds and knowledge, everyone in the class managed to keep up and get to the end of day five in almost one piece mentally.

Day six is THE day where you get to throw everything you’ve learnt at a special network. The class was broken into small teams and given the permission to attack it! You can use all the tools, tricks and cheats at your disposal in any effort to be the first team to crack all the arrayed systems.
It’s a pretty crazy day, with all sorts of hacking madness and the odd practical joke on a rival team.

I hugely enjoyed the six days, felt I learnt a lot and met some great people. The knowledge acquired makes me a better defender as I can see how the other side may come at me.
I still wouldn’t class myself as a skilled attacker, but could be mildly dangerous if backed into a corner ;-)

Pros
* SANS is a known, respected security educator
* Six solid days of focused learning, being taught by someone with a passion for the subject and plenty of real world experience to boot
* The instructor - All the SANS instructors are very approachable, down to earth and really know their stuff.
* The classmates – It’s great to meet peers, swap stories and hangout with like minded people. I picked up some great tips and ideas from
* Plenty of tools –
  Lots of books, one for each day – The books are full of walkthrough exercises so easy to review during and after the event.
  CD with the Linux image loaded full of tools to provide a safe test zone.
  MP3 files of the six days to help retain the information.
* Day Six – a world of pain and mayhem :D
* The exam is getting more solid recognition from employers in the security fields

Cons
* Cost – it’s a big bunch of money, plus travel and accommodation
* Six days doesn’t seem long enough to learn that much information
* Taking the exam is extra expense
8  Ethical Hacking Discussions and Related Certifications / Malware / Re: Ghost file/ entry created by program. Any help appreciated on: July 27, 2007, 05:13:47 AM
Don, my vote is to remove this. It's well out of the ethical boundaries.

Is it just me or is this thread reminiscent of the dead parrot sketch?
“But it's a dead parrot!” “No it's not, it's just resting…”  http://www.youtube.com/watch?v=2H6DSoqZz_s

Once a dead parrot, always a dead parrot. ;D
9  Resources / Tutorials / Re: Netsh – Managing IP configuration for the Windows command line on: July 27, 2007, 04:58:54 AM
Jim,

You'll have to wait until Windows 2008 core for a true remote command line. Or so I'm told and I believe everything from the MS marketing machine :-)

The closest I could get you natively is a telnet session by turning on the telnet server service.
Mind you, the amount of times I saw netcat on some systems, I thought it WAS part of the OS ;)
10  Features / Opinions / Re: Breaking in to Security on: July 26, 2007, 08:58:02 AM
@ boney,

Thanks for the comments. I'm more from the defending side, so it's worth checking out ChrisG and Slim Jim's comments in the forums about pen testing.

Again these are just my take -
Practice does make perfect, but you have to have permission and written permission (which you have a copy of!) before you even think about testing someone else's network defenses.

One of my previous roles was at a university.
A number of the student body thought it was okay to try hacking with the new tools or skills they had.
Some of them got in and "beat" our defenses. Sometimes they go too far and mess up an important system through poor understanding of what they were doing or just plain ol' being nasty.
My boss would shrug, send me off to rebuild the compromised system and then have the offending hacker dismissed from campus.
We weren't designed to be a locked down zone, but we recorded everything, as per campus guidelines which everyone signed. Having records made it easy to track and sack the would-be hacker.
In the US, if you are seen to cause more than $5000 worth of damage, then the FBI can be called in.
I've seen Nmap/Nessus scans on the wrong setting effectively DoS a system offline. If that's a company web server, which they get revenue from, they can claim a hacker has caused tens of thousands worth of damage. Oops.
I've never liked the thought of crossing the law, hence sitting on the defense line ;-)

If you want to practice against other systems, get a friend to knock up a virtual lab and then get his permissions to test his defenses. You'll both get excellent experience and not need to worry who's knocking on your door :-)
11  Resources / Tutorials / Netsh – Managing IP configuration for the Windows command line on: July 26, 2007, 08:21:22 AM

Useful trick of the day

Netsh seems to be one of those built-in Windows tools that have slipped under the radar. Works from Windows 2000 and up.

I got into a conversation with one of our Linux team. She was complaining that it sucked having to use the Windows GUI to set her IP details on her laptop.

When I told her that wasn’t true, she looked a bit freaked.

Open up a command prompt window and type in Netsh interface ip dump
You’ll get this type of output if you have a static ip address:

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Earth"

set address name="Earth" source=static addr = 192.168.1.50 mask=255.255.255.0
set address name="Earth" gateway=192.168.1.1 gwmetric=1
set dns name="Earth" source= static addr = 192.168.1.50 register=PRIMARY


popd
# End of interface IP configuration


Now use this command to dump it to a text file
Netsh interface ip dump > c:\office.txt
You can edit this file to your heart’s content for multiple static and dhcp settings.

So you’ve created a bunch of different files for the office (office.txt), home (home.txt), wireless (wireless.txt) etc

Using the command: netsh -c "interface ip" -f C:\Working\office.txt
It imports the details back in to windows without having to open a single window.

I think I shattered some of her illusions that Windows is only a GUI. :D

Okay, so that is fairly useful and a darn sight faster than going through windows.

For those who want to do this to remote machines:
netsh -c "interface ip" -r remotecomputername dump > c:\office.txt for a copy of its entire ip configuration to a local file.

Drop that into a script, after using something like angryip for a complete network scan of IP addresses. You've got a very detailed, documented & well mapped picture without much effort.

Now that’s very useful!

Netsh can do a lot of things so here's a little more reading:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/netsh.mspx?mfr=true
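
For keeping those dump files as documentation, here is an added example (not part of the original post) that parses the dump format shown above into a per-interface record and lists what changed between two saved profiles, which is handy for spotting configuration drift. The function names and the HOME_DUMP profile are assumptions made up for the illustration.

```python
import re

# Dump text as shown in the post above (note the uneven spacing around '=').
OFFICE_DUMP = '''\
# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip

# Interface IP Configuration for "Earth"

set address name="Earth" source=static addr = 192.168.1.50 mask=255.255.255.0
set address name="Earth" gateway=192.168.1.1 gwmetric=1
set dns name="Earth" source= static addr = 192.168.1.50 register=PRIMARY

popd
# End of interface IP configuration
'''

# Constructed sample: a DHCP profile for the same adapter (not from the post).
HOME_DUMP = '''\
pushd interface ip
set address name="Earth" source=dhcp
set dns name="Earth" source=dhcp register=PRIMARY
popd
'''

# key = value pairs; the value is either "quoted" or a bare token.
_PAIR = re.compile(r'(\w+)\s*=\s*("[^"]*"|\S+)')

def parse_netsh_dump(text):
    """Return {interface: {"address": {...}, "dns": {...}}} from dump text."""
    inventory = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) < 3 or parts[0] != "set":
            continue  # comments, pushd/popd and blank lines carry no settings
        kind, rest = parts[1], parts[2]
        fields = {k.lower(): v.strip('"') for k, v in _PAIR.findall(rest)}
        name = fields.pop("name", None)
        if name is None:
            continue  # a "set" line without an interface name is ignored
        # Several "set address" lines for one interface merge into one record.
        inventory.setdefault(name, {}).setdefault(kind, {}).update(fields)
    return inventory

def diff_profiles(old, new):
    """List (interface, kind, key, old_value, new_value) for every change."""
    changes = []
    for name in sorted(set(old) | set(new)):
        kinds = set(old.get(name, {})) | set(new.get(name, {}))
        for kind in sorted(kinds):
            a = old.get(name, {}).get(kind, {})
            b = new.get(name, {}).get(kind, {})
            for key in sorted(set(a) | set(b)):
                if a.get(key) != b.get(key):
                    changes.append((name, kind, key, a.get(key), b.get(key)))
    return changes

if __name__ == "__main__":
    office, home = parse_netsh_dump(OFFICE_DUMP), parse_netsh_dump(HOME_DUMP)
    for change in diff_profiles(office, home):
        print(change)
```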

12  Ethical Hacking Discussions and Related Certifications / Other / Re: Security conferences versus practical knowledge on: July 25, 2007, 08:00:42 AM
ChrisG sums up the reasons to attend SecCons very well, but I'm not sure about the direction Don's piece takes.

I enjoy reading Don’s articles; the piece is very practically focused, but doesn’t place much faith in either the attendee or their boss.
Having the return on investment in immediate terms from a security conference is a great management deliverable.
In English: Your boss sends you to the course, losing you for that amount of time plus spending a big wad of money on the entrance fee. He expects back something useful which makes his life easier in some way.

It's fun and challenging pushing myself by learning different topics and areas, but if I want to go to other conferences, they have to be of value to me and my employer.

If you are lucky enough to get sent and get to pick the conferences, would you waste it on fields that have only a slight bearing on your interests?
My question is how could you explain going to a talk on Oracle programming issues if you’re a Windows Systems Admin working in a pure MS environment with no Oracle systems in sight?

I like the idea that some security cons should be more hands on, but a lot of that level of training is now online, or for the same money as some of the cons, I can go to actual training. Training which would be directly relevant to that skill requirement.

If security conferences are the new company funded junket, then I'd like to work for one of those companies with the money to burn! :-)
13  Ethical Hacking Discussions and Related Certifications / Certification / Earning CPE Credits for ISC² on: July 24, 2007, 06:32:23 AM
Ran across a few ways to earn those 120 CPE needed that I thought worth sharing:

Listening to security podcasts:
http://didierstevens.wordpress.com/2007/01/22/listening-to-security-podcasts-earns-isc%c2%b2-cpe-credits/

Webcasts:
1 CPE per webcast
http://www.sans.org/webcasts/

Conferences
CISSPs earn 1 CPE credit for each hour of attendance at a conference. Security conferences qualify as Group “A” CPEs. Other educational conferences qualify as Group “B” CPEs.

Participating actively in a security forum - 1 CPE per hour spent being part of the community

All official and above board :-) From the horse's mouth -
https://www.isc2.org/download/CISSP%20Recertification%20Guidelines.pdf
14  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Dodging Search Warrants on: July 21, 2007, 07:14:41 PM
My disclaimer was best world case for law enforcement and that they might not be able to prove you up to no good - this time :)


Any of the Cisco and many of the high end home routers do have the option of logging traffic. You mentioned shifting high bandwidth constantly, so a cheap Best Buy router wouldn't give you the performance 24/7 you'd want, hence a higher end router.

The arp and netstat commands on the PC would show that you made a connection to the other machine, plus its details (IP, MAC and ports connected) and reg keys would display how many times you used PuTTY, which puts you in the "he's up to something" box.

Examining PuTTY's details would also give up the IP address and that you use ssh/telnet to this other local box. Local by the fact it's on the same LAN.

You're good with reasonable doubt, unless they get their hands on next door's file server and check that. An ARP dump gives them your MAC, the server remote connection logs (telnet and ssh both keep logs) and it's time to visit with Paris Hilton.

A smart bad guy can do lots of things to hide his trails, but if you do throw in the Ethernet cable, I'd guess they would request another warrant at the scene once they work out where it goes. Since Ethernet is only 100m, a good old line detector will get them in the right direction.

Wireless would be a better option for you as the cable would directly implicate you of having knowledge and granting permission to the guy next door to use your system. It's your problem if he's doing bad things with your connection.

Again, I'm not a lawyer, nor have any ambition to be one ;)

Listening to the Cyberspeak podcast, they report on bad guys getting caught by making silly mistakes and now being able to get detailed records from ISPs without the hassle. I'd drop them a line and see what they make of this.
15  Ethical Hacking Discussions and Related Certifications / Other / Friday Afternoon funny - The Internet Crash of 2007 on: July 20, 2007, 08:52:10 AM
Had a good laugh at this and thought it worth sharing:

http://www.youtube.com/watch?v=z4vDClhnJjs

This is work friendly, as long as they don't block youtube.com ;)
© 2008 The Ethical Hacker Network