A client of mine is considering setting up hosting on one of their servers for a client, so that customers of theirs can log in and access their hosted system, which is basically an Oracle RDBMS with frontend, which will be sitting on either a Windows 2000 or Windows 2003 server.
The client network is a couple of 2003 domain controllers and several 2000 member servers. This is a single office with single broadband WAN connection.
I've made the usual recommendations such as ensuring servers are up to date with regard to service packs and updates, checking all open ports with a tool to see if said ports need to be open, and also checking the router configuration to make sure this is secure.
I've recommended that their customers' systems are hosted on a 2003 server rather than 2000 if possible (for obvious security reasons). I've also suggested that for customer access, we set up two levels of security: a VPN login for their customer, and a login to the customer's actual "system" / web portal. I thought this would be more secure than having a publicly accessible URL / interface.
I just need to know what other security / server-level considerations need to be discussed to make sure we have a viable solution in place.
We expect to have maybe a total of 2500 registered users within each customer system (so there may be multiple web portals set up), but unlikely to have more than 10 concurrent connections required.
Does anyone have any recommendations / ideas / items that we should be checking / verifying?
Thanks
TP
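A worked version of the open-port check mentioned in the post, added here as an example and not part of TP's post: it parses the output of `netstat -an` from a Windows host, keeps only sockets that are actually listening, and compares them against a list of services the hosting server is expected to expose. The sample netstat text is constructed for the example, and the allowlist (IIS on 80, the Oracle listener on 1521, RDP on 3389) is an assumption about this particular server, not something the post states.

```python
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port")

# Constructed sample of `netstat -an` output from a Windows 2003 host.
# It is not a real capture; the hosts and ports are made up for the example.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1521           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.55:1042      ESTABLISHED
  UDP    0.0.0.0:161            *:*
  UDP    192.168.1.10:137       *:*
"""

# Services this host is expected to expose (assumption for the example).
# Anything listening that is not in here needs a justification or a firewall rule.
ALLOWED = {
    ("TCP", 80): "IIS front end for the customer web portal (reachable only over the VPN)",
    ("TCP", 1521): "Oracle listener (should be reachable only from the web tier)",
    ("TCP", 3389): "RDP for administrators",
}

_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_text):
    """Return the sockets that are actually exposed.

    TCP entries count only when their state is LISTENING; a bound UDP
    socket has no state in netstat output, so every UDP line counts.
    """
    listeners = []
    for line in netstat_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # banner, column header, blank line
        proto, local, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # ESTABLISHED / TIME_WAIT etc. are not open services
        addr, _, port = local.rpartition(":")
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def audit(listeners, allowed=ALLOWED):
    """Return the listeners not covered by the allowlist, sorted by port."""
    unexpected = [l for l in listeners if (l.proto, l.port) not in allowed]
    return sorted(unexpected, key=lambda l: (l.port, l.proto))


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_NETSTAT)
    for l in found:
        note = ALLOWED.get((l.proto, l.port), "NOT EXPECTED - justify or block at the router/firewall")
        print("%-3s %-15s %5d  %s" % (l.proto, l.addr, l.port, note))
```

On a live box, feed it the real output (`netstat -an > ports.txt`, then pass the file contents to `parse_listeners`). The unexpected entries in the sample (135, 139, 445, 137/UDP, 161/UDP) are the usual RPC, NetBIOS, SMB and SNMP listeners that a member server brings up by default; whether they stay open depends on what the internal network needs, but none of them should be reachable from the broadband side, which is the router and firewall check the post already calls for.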