Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more
This is basically Law #1 in reverse. In that scenario, the bad guy tricks his victim into downloading a harmful program onto his computer and running it. In this one, the bad guy uploads a harmful program to a computer and runs it himself. Although this scenario is a danger anytime you allow strangers to connect to your computer, websites are involved in the overwhelming majority of these cases. Many people who operate websites are too hospitable for their own good, and allow visitors to upload programs to the site and run them. As we've seen above, unpleasant things can happen if a bad guy's program can run on your computer.
If you run a website, you need to limit what visitors can do. You should only allow a program on your site if you wrote it yourself, or if you trust the developer who wrote it. But that may not be enough. If your website is one of several hosted on a shared server, you need to be extra careful. If a bad guy can compromise one of the other sites on the server, it's possible he could extend his control to the server itself, in which case he could control all of the sites on it—including yours. If you're on a shared server, it's important to find out what the server administrator's policies are. (By the way, before opening your site to the public, make sure you've followed the security checklists for IIS 4.0 and IIS 5.0.)
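As an added illustration of the "limit what visitors can do" advice (example code written for this page, not Microsoft's or SBS's own): a hypothetical upload handler that allowlists file types, rejects content that looks like a program or server-side script, and stores accepted files under a random name with no execute bit in a directory outside the web root. The function names, the allowlist and the signature list are assumptions.

```python
from pathlib import Path
import os
import secrets
from typing import Optional

# Hypothetical upload policy (added example): accept only document/image types
# and never anything the web server could run as a program or script.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt"}

# Leading byte patterns that mark executable or server-side script content.
# This is a defence-in-depth heuristic, not a complete detector.
EXECUTABLE_SIGNATURES = (
    b"MZ",        # Windows PE executable / DLL
    b"\x7fELF",   # ELF binary
    b"#!",        # shebang script
    b"<?php",     # PHP source
    b"<%",        # classic ASP / ASP.NET / JSP server-side tag
)

def is_safe_upload(filename: str, content: bytes) -> bool:
    """True only if every extension is allowlisted and the content is not executable."""
    name = os.path.basename(filename.replace("\\", "/"))
    # Check every suffix, so "shell.asp.jpg" is rejected, not just the last one
    # (this is deliberately conservative: "my.file.png" is rejected too).
    suffixes = [s.lower() for s in Path(name).suffixes]
    if not suffixes or any(s not in ALLOWED_EXTENSIONS for s in suffixes):
        return False
    head = content[:1024].lstrip().lower()  # tolerate leading whitespace
    return not any(head.startswith(sig.lower()) for sig in EXECUTABLE_SIGNATURES)

def store_upload(filename: str, content: bytes, store_dir: str) -> Optional[str]:
    """Write an accepted upload under a random name, outside the web root,
    with no execute bit, and return its path (None if rejected)."""
    if not is_safe_upload(filename, content):
        return None
    target = Path(store_dir) / (secrets.token_hex(16) + Path(filename).suffix.lower())
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return str(target)

if __name__ == "__main__":
    import tempfile
    store = tempfile.mkdtemp()  # stand-in for a directory outside the document root
    print(store_upload("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16, store))
    print(store_upload("shell.asp.jpg", b"<% Response.Write(1) %>", store))  # None
```

Because the stored name is random and the directory is not served by the web server, an accepted file can only ever be read back through your own code, never requested or executed directly by a visitor.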
Boy did I know about this one in many ways... in SBS land where we had IIS 5 we got nailed by Code Red/Nimda because we didn't keep our systems up to date on patches. We had 'bad code' uploaded to our web sites because we didn't patch. Obviously IIS 6.0 has been solid as a rock.
Then I personally saw it on my www.sbslinks.com site because it was a shared site and bad code meant to hijack web browsers was put on my externally hosted web site. Boy did I feel weird about that.
On SBS 2003 we actually recommend that you don't host a public web site on your server and instead just leave it for authenticated access like Remote Web Workplace. Why? Because you want to limit what visitors can do and only allow people you trust on that box. It's not that you can't do it per se...just that with external web hosting so cheap...why not reduce risk?
That brings up another concept that I need to bubble up that was discussed in the newsgroup... the person wanted to limit the port 80/443 to only OWA so that folks from public kiosk-y computers could have access. In this day and age of smart phones and relatively cheap laptops, you should NEVER let anyone log in from a device that you cannot trust. To me there is no more untrusted device than a kiosk computer.
Think trust... and only let in...what you trust.