Solved

Web strippers and server security

Posted on 2004-08-22
259 Views
Last Modified: 2010-08-05
I tested webstripper (www.webstripper.net) and I was able to download my own web site.
I am using IIS 5.1 on XP Pro. What is the correct way to secure the web site on IIS and prevent web strippers from downloading the entire web site? My concern is the ASP sitting on the server and also the Access database files.
Question by:webtrack123
6 Comments
 
LVL 33

Assisted Solution

by:shalomc
shalomc earned 90 total points
ID: 11870880
There are a couple of rules to follow that will greatly add to the security of your web site.

1: Place all backoffice critical files (that includes the database) in a separate directory tree, better yet - on a different drive.

2: configure your IIS carefully. Remove executing and scripting permissions from directories which do not contain scripts.

3: Rename all your include files to .asp extension.

4: Use NTFS ACLs. Remove all unnecessary permissions from non IIS folders.

5: Use IISLOCKDOWN and URLSCAN to secure your IIS.

6: Review all of the HTML comments for sensitive information.


These measures will not stop webstripping tools from downloading your site as HTML, but will at least stop any classified information from leaking out.


ShalomC
0
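Rules 1, 3 and 6 above are all about files that IIS will hand to anyone who asks for them: an Access database under the web root, an include file with a non-.asp extension (which IIS serves as plain text, source and connection strings included), and HTML comments that carry secrets. The following audit script is an added example, not code from the thread; it walks a web root and reports each of those three exposures. The sample site it builds in a temporary directory is constructed for illustration, and the list of "sensitive" words is an assumption you would tune for your own site.

```python
"""Audit a classic-ASP web root for downloadable secrets.

Added example (not from the thread).  Checks three things ShalomC's rules
1, 3 and 6 cover: database files under the web root, include files IIS
would serve as plain text, and HTML comments that look like they carry
credentials or developer notes.
"""
import os
import re
import tempfile

# Extensions IIS 5.x serves as static content, so their source is downloadable.
PLAIN_TEXT_INCLUDE_EXTS = {".inc", ".txt", ".bak", ".old"}
DATABASE_EXTS = {".mdb", ".mde"}
PAGE_EXTS = {".asp", ".htm", ".html"}
# Server-side include directive as written in classic ASP pages.
INCLUDE_RE = re.compile(r'<!--\s*#include\s+(?:file|virtual)\s*=\s*"([^"]+)"\s*-->', re.I)
HTML_COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
# Assumed keyword list; tune for your own site.
SENSITIVE_WORDS = re.compile(r"password|passwd|pwd|connectionstring|dsn=|todo|fixme", re.I)


def audit_webroot(root):
    """Return sorted (finding-type, detail) tuples for everything under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in DATABASE_EXTS:
                findings.append(("database-in-webroot", rel))
            if ext in PLAIN_TEXT_INCLUDE_EXTS:
                findings.append(("plain-text-include", rel))
            if ext in PAGE_EXTS:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                # Rule 3: every #include target should itself be a .asp file.
                for inc in INCLUDE_RE.findall(text):
                    if os.path.splitext(inc)[1].lower() != ".asp":
                        findings.append(("include-not-asp", f"{rel} -> {inc}"))
                # Rule 6: comments reach the browser verbatim.
                for comment in HTML_COMMENT_RE.findall(text):
                    if comment.lstrip().startswith("#include"):
                        continue  # an SSI directive, not a real comment
                    if SENSITIVE_WORDS.search(comment):
                        findings.append(("sensitive-html-comment",
                                         f"{rel}: {comment.strip()[:60]}"))
    return sorted(findings)


def build_sample_site():
    """Constructed sample web root in a temp dir (not a real site)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = {
        "default.asp": '<!--#include file="header.inc"-->\n'
                       '<!-- TODO: remove dev password=Summer04 -->\n'
                       '<html>hi</html>',
        "header.inc": '<% Dim cn : cn = "DSN=shop" %>',
        "data/shop.mdb": "binary-placeholder",
        "about.htm": "<!-- plain comment --><html>about</html>",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for kind, detail in audit_webroot(build_sample_site()):
        print(f"{kind:24} {detail}")
```

Run it against your real web root by calling `audit_webroot(r"C:\Inetpub\wwwroot")`; anything it reports is content a stripper already downloaded along with the HTML.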
 
LVL 14

Expert Comment

by:alimu
ID: 11878095
In addition to comments from ShalomC, check out this link for instructions on how to configure a robots.txt file: http://support.microsoft.com/default.aspx?scid=kb;en-us;217103
http://www.webmasterworld.com/forum93/140.htm also has a link to a sample robots.txt file.

This file gives directives to web crawlers on what pages they are allowed/disallowed from searching.
Be aware that there are "friendly" robots you may want to allow (eg: google) so that your site can be advertised on search engines.
0
 
LVL 33

Expert Comment

by:shalomc
ID: 11878229
Hey,
On one hand, the robots.txt file is great for setting rules for friendly crawlers.
Non-friendly crawlers, on the other hand, ignore it altogether.
On the gripping hand, the robots.txt file may disclose to unfriendlies more information than you planned for, like your entire directory structure.

So, from the security point of view, be very careful with what you put in the robots.txt file. For example, if you have a testing directory, do not put it in this file.

ShalomC
0
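The two previous comments make one point between them: robots.txt is honoured only by clients that choose to read it, and every path it names is readable by anyone who fetches /robots.txt. The script below is an added example (not from the thread) that evaluates a constructed robots.txt with Python's standard `urllib.robotparser`, exactly as a compliant crawler would, and then lists the paths the same file discloses to a client that ignores it. The keyword list used to flag "interesting" disclosures is an assumption.

```python
"""robots.txt: what a compliant crawler sees, and what everyone else learns.

Added example (not from the thread).  The sample file is constructed.
"""
import urllib.robotparser

SITE = "http://example.invalid"  # placeholder host, never contacted

SAMPLE_ROBOTS = """\
User-agent: WebStripper
Disallow: /

User-agent: *
Disallow: /test/
Disallow: /admin/
Disallow: /data/shop.mdb
Disallow: /images/large/
"""

# Assumed words that suggest a path was better left unlisted.
SUSPECT = ("test", "admin", "backup", "old", "private", "data", ".mdb", ".inc")


def parse_robots(text):
    """Build a RobotFileParser from text without touching the network."""
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(text.splitlines())
    rp.modified()  # marks the file as read so can_fetch() gives real answers
    return rp


def can_fetch(rp, agent, path):
    """True if a crawler calling itself `agent` is permitted to fetch path."""
    return rp.can_fetch(agent, SITE + path)


def disclosed_paths(text):
    """Every Allow/Disallow path in the file, i.e. what a non-compliant
    client learns just by requesting /robots.txt.  A bare '/' tells it nothing."""
    paths = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() in ("disallow", "allow"):
            value = value.strip()
            if value and value != "/":
                paths.append(value)
    return paths


def suspicious_entries(text):
    """Disclosed paths whose names hint at test, admin or data content."""
    return [p for p in disclosed_paths(text)
            if any(w in p.lower() for w in SUSPECT)]


if __name__ == "__main__":
    rp = parse_robots(SAMPLE_ROBOTS)
    for agent in ("WebStripper", "Googlebot"):
        for path in ("/index.asp", "/test/page.asp"):
            print(f"{agent:12} {path:16} -> {can_fetch(rp, agent, path)}")
    print("disclosed :", disclosed_paths(SAMPLE_ROBOTS))
    print("suspicious:", suspicious_entries(SAMPLE_ROBOTS))
```

The first loop is the only protection robots.txt offers, and it depends entirely on the client naming itself honestly and asking; the second output is what the file costs you regardless. Keep the Disallow list to paths you would not mind seeing in a directory listing, and protect anything else with NTFS permissions rather than with a line in robots.txt.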
 

Author Comment

by:webtrack123
ID: 11898701
Thank you ShalomC,
regarding your reply:

1. Done
2. Done
3. Done
4. Could you send me some links about ACLs? I am not clear what this is.
5. Also, what are IISLOCKDOWN and URLSCAN?
6. Done

Just need clarification about points 4 and 5 above.
Regarding robots, I will follow your proposals.

Alimu thank you for your input.
0
 
LVL 14

Accepted Solution

by:
alimu earned 50 total points
ID: 11898879
This is a tool put out by MS called Baseline Security Analyser.  http://www.microsoft.com/technet/security/tools/mbsahome.mspx
It will give you some detailed information on your server's current state and how you can lock it down further.
Suggestions also have links to get to required hotfixes and tools (like the security toolkit that includes IISLockdown and URLScan).

With respect to the comments from ShalomC, I am not sure whether the robots configuration will stop webstripper (which can masquerade as a browser) but I have noticed there are many robots.txt files out there that contain a line denying access to webstripper so it's worth a try.  

Bear in mind that anything you put on the internet (unless secured by password or other means) is available to all.  Site crawlers such as webstripper behave - and often look - like offline browsers.  If you are concerned about the security of your information either secure it in some way or think twice about putting it out there.  
AJ.
0
 
LVL 33

Expert Comment

by:shalomc
ID: 11900011
Hey,
When I said ACLs, I meant the inherent security and permissions system built into the NTFS file system.
Since IIS runs in some context under some account, you should limit it to only what it needs to run the web site.
IISLockdown and URLSCAN can be found here
http://www.microsoft.com/windows2000/downloads/recommended/iislockdown/default.asp

Google for a lot of reference information.

ShalomC
0
