Today at the SharePoint Conference in Berlin, Ben Robb of cScape Ltd gave a talk about configuring internet-facing web sites running MOSS 2007/WCM.
He brought up some interesting points about securing the application against unauthorised content editing and attacks from hackers.
Make sure your installation checklist contains at least the following items:
1. Enable firewalls and standard network security
Fairly standard stuff, but necessary all the same.
2. Disable SMTP and incoming mail
In essence, you shouldn't be running services on the server that aren't necessary for MOSS. Also, close any ports that MOSS doesn't need.
3. Secure the Central Administration site
Surprisingly, it is very common to leave this entry point wide open. Central Administration should be reachable only over an SSL connection, and it should not be reachable from the internet at all: keep it on its own port and host name that only the administrative network can get to.
4. Use lockdown mode
Lockdown mode removes the View Application Pages and Use Remote Interfaces rights from the Limited Access permission level, so anonymous visitors can no longer browse list form pages (Forms/AllItems.aspx and friends), the _layouts application pages or the web services. Activate it per site collection with this stsadm command (the feature lives in the ViewFormPagesLockDown folder, so note the backslash before feature.xml):
stsadm -o activatefeature -url <url> -filename ViewFormPagesLockDown\feature.xml
If anonymous access was already enabled on the site when you activate the feature, disable and re-enable it, otherwise the changed permission level is not applied to anonymous users.
5. Restricted Read role
Anonymous users should get the Restricted Read permission level, which allows viewing of pages, documents and images only: no list forms, no version history and no write operation of any kind.
6. Policies
Use a web application policy (Central Administration, Application Management, Policy for Web Application) to constrain the maximum access per web application: on the zone that serves the public URL (http://sitename:80) add a Deny Write policy for all users. Policies are evaluated before any site or list permission, so even a leaked editor account cannot write anything through the public zone.
7. Content deployment
Use different servers for authoring and the actual internet-facing web application. Content generated on the authoring server (typically within the intranet) should be pushed out to the public site using scheduled content deployment jobs.
…
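As an added example (not code from the original post or from Ben Robb's talk): a PowerShell audit that checks items 3 to 6 above against one internet-facing site collection from a server in the farm. It assumes Windows PowerShell on a MOSS 2007 farm server, a farm administrator account, the placeholder site URL http://www.example.com and the Internet zone; the feature ID is the well-known one for ViewFormPagesLockDown, and the object-model members it calls are the WSS 3.0 / MOSS 2007 public API.

```powershell
# Added example: an audit of checklist items 3 to 6 for one internet-facing MOSS 2007
# site collection. This is not code from the original post or from Ben Robb's talk.
# Assumptions: run on a server in the farm, as a farm administrator, under Windows
# PowerShell; the URL and zone below are placeholders to replace with your own.
# Object-model members used (SPSite, SPWeb, SPWebApplication.ZonePolicies,
# SPAdministrationWebApplication.Local, SPPolicyRole.DenyRightsMask) are from the
# WSS 3.0 / MOSS 2007 public API.
param(
    [string]$SiteUrl  = "http://www.example.com",   # placeholder: public site collection
    [string]$ZoneName = "Internet"                   # placeholder: zone serving the public URL
)

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$SPBase = [Microsoft.SharePoint.SPBasePermissions]
$SPZone = [Microsoft.SharePoint.Administration.SPUrlZone]

# Rights that lockdown mode removes from Limited Access: View Application Pages
# (_layouts and list form pages) and Use Remote Interfaces (web services, WebDAV, RPC).
$lockdownRights = [uint64]$SPBase::ViewFormPages -bor [uint64]$SPBase::UseRemoteAPIs
# Rights a read-only anonymous visitor must never hold.
$writeRights = [uint64]$SPBase::AddListItems -bor [uint64]$SPBase::EditListItems -bor
    [uint64]$SPBase::DeleteListItems -bor [uint64]$SPBase::AddAndCustomizePages
# Well-known feature ID of ViewFormPagesLockDown (site-collection scoped).
$lockdownFeatureId = [Guid]"7c637b23-06c4-472d-9a9a-7c175762c5c4"

function Get-MossHardeningFindings([string]$url, [string]$zoneName) {
    $findings = @()
    $site = New-Object Microsoft.SharePoint.SPSite($url)
    $web = $site.RootWeb
    $webApp = $site.WebApplication

    # 3. Central Administration should answer only over SSL.
    $ca = [Microsoft.SharePoint.Administration.SPAdministrationWebApplication]::Local
    $caUri = $ca.GetResponseUri($SPZone::Default)
    if ($caUri.Scheme -ne "https") {
        $findings += "Central Administration is served without SSL at $caUri"
    }

    # 4. Lockdown mode: the feature must be active, and its effect must be visible in
    #    the Limited Access level (SPRoleType.Guest, which is locale-independent).
    if ($site.Features[$lockdownFeatureId] -eq $null) {
        $findings += "ViewFormPagesLockDown feature is not active on $url"
    }
    $limited = $web.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Guest)
    if (([uint64]$limited.BasePermissions -band $lockdownRights) -ne 0) {
        $findings += "Limited Access still grants View Application Pages / Use Remote Interfaces on $url"
    }

    # 5. Anonymous visitors: AnonymousPermMask64 is what they actually get, and it is
    #    only recomputed when anonymous access is switched off and on again, so this
    #    catches 'feature activated but anonymous access never reset'.
    if ($web.AnonymousState.ToString() -ne "Disabled") {
        $anon = [uint64]$web.AnonymousPermMask64
        if (($anon -band $writeRights) -ne 0) {
            $findings += "Anonymous users hold write rights on $url"
        }
        if (($anon -band $lockdownRights) -ne 0) {
            $findings += "Anonymous users can still reach application pages or remote interfaces on $url (reset anonymous access)"
        }
    }

    # 6. Web application policy: the public zone must carry a Deny Write (or Deny All)
    #    policy. Checking the deny mask rather than the role name also covers custom roles.
    $zone = [Enum]::Parse($SPZone, $zoneName)
    $deniedFor = @()
    foreach ($policy in $webApp.ZonePolicies($zone)) {
        foreach ($role in $policy.PolicyRoleBindings) {
            if (([uint64]$role.DenyRightsMask -band $writeRights) -ne 0) {
                $deniedFor += $policy.UserName
            }
        }
    }
    if ($deniedFor.Count -eq 0) {
        $findings += "No Deny Write policy on the $zoneName zone of web application '$($webApp.DisplayName)'"
    }

    $site.Dispose()
    return $findings
}

$results = @(Get-MossHardeningFindings $SiteUrl $ZoneName)
if ($results.Count -eq 0) {
    "OK: $SiteUrl passes checklist items 3 to 6"
} else {
    $results | ForEach-Object { "FINDING: $_" }
}
```

Run it after every deployment; any FINDING line means a box on the checklist is not actually ticked. The anonymous mask check is the one that most often surprises people: activating the lockdown feature on a site that already had anonymous access enabled changes nothing for anonymous visitors until anonymous access is switched off and on again.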
To many administrators the above bullets will merely point out the obvious, but do feel free to leave comments if you have any additions to the list.
Thanks to Ben Robb for providing 99% of the info for this post.