Website security

Posted on 2006-05-19
Last Modified: 2010-04-11
Hi all

My company is setting up a website for users to make financial transactions; we basically (not so basic) need to make the website bulletproof.
Any help is greatly appreciated.

Question by:shp44
    LVL 2

    Expert Comment

    Bulletproof would mean not having a web site at all. It can be close to bulletproof using Apache and "maybe" even IIS if configured properly. Of course OpenSSL as well. Have you ever built an HTTP/HTTPS server? Try Linux?
    LVL 53

    Expert Comment

    by:Will Szymkowski
    Hello there,

    This link will tell you how you can set your SSL up to your website.

    This link also gives you information on how to keep your website secure.

    Hope this helps
    LVL 11

    Assisted Solution

    Well, think Security In-Depth.

    Put the web server on a properly configured DMZ with access to the DMZ controlled by a firewall. Only allow HTTP and HTTPS traffic to said web server from the internet.
    Control outbound access from the web server to only established traffic. This helps prevent any buffer overflow / reverse command shells, etc.

    Harden the server (whichever operating system you like) by removing any unrequired services. If possible, remove the service rather than disabling it.

    On your web platform (Apache, IIS, etc.) remove all unrequired functionality and file extensions (i.e. on IIS remove id?, htw and all the others not required); do not add other functionality unless required (Perl, PHP, etc.).

    Configure your backend to only accept connections from the web server or intermediary.

    It basically comes down to proper design and planning.
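The DMZ policy laid out in the comment above, modelled as an added example so the rule set can be checked before it is typed into a real firewall. This is not code from the original thread; the addresses, the backend port (1433) and the packet scenarios are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Addresses and ports below are assumptions for the illustration, not from the thread.
WEB = "10.1.1.10"          # the IIS/Apache host in the DMZ
BACKEND = "10.2.2.20"      # the transaction backend on the internal segment
CLIENT = "198.51.100.7"    # a customer on the internet (constructed TEST-NET-2 address)
ATTACKER = "203.0.113.9"   # an attacker on the internet (constructed TEST-NET-3 address)
SQL_PORT = 1433            # assumed listener the web tier needs on the backend


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False      # True when the packet tries to open a NEW TCP connection


@dataclass(frozen=True)
class Rule:
    name: str
    src: Optional[str]          # None matches any source
    dst: Optional[str]          # None matches any destination
    dports: Optional[Set[int]]  # None matches any destination port
    action: str                 # "accept" or "drop"

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or self.src == p.src)
                and (self.dst is None or self.dst == p.dst)
                and (self.dports is None or p.dport in self.dports))


class StatefulFilter:
    """Rules apply to NEW connections only; reply traffic is allowed by state."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.flows = set()   # 4-tuples of connections accepted when they were NEW

    def established(self, p: Packet) -> bool:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        return fwd in self.flows or rev in self.flows

    def decide(self, p: Packet) -> str:
        if self.established(p):
            return "accept:established"
        if not p.syn:
            # A non-SYN packet with no matching state is a stray (or a probe).
            return "drop:no-state"
        for r in self.rules:
            if r.matches(p):
                if r.action == "accept":
                    self.flows.add((p.src, p.sport, p.dst, p.dport))
                return f"{r.action}:{r.name}"
        return "drop:default"


# The policy from the post: only HTTP/HTTPS reaches the web server from the
# internet; the web server may open nothing outbound except its one backend
# connection; the backend accepts only the web server; everything else drops.
DMZ_POLICY = [
    Rule("web-from-internet", None, WEB, {80, 443}, "accept"),
    Rule("web-to-backend", WEB, BACKEND, {SQL_PORT}, "accept"),
]


def run_scenarios() -> dict:
    fw = StatefulFilter(DMZ_POLICY)
    r = {}
    r["customer https"] = fw.decide(Packet(CLIENT, 51000, WEB, 443, syn=True))
    r["https reply"] = fw.decide(Packet(WEB, 443, CLIENT, 51000))
    r["web to backend"] = fw.decide(Packet(WEB, 52000, BACKEND, SQL_PORT, syn=True))
    r["reverse shell"] = fw.decide(Packet(WEB, 53000, ATTACKER, 4444, syn=True))
    r["rdp to web"] = fw.decide(Packet(ATTACKER, 54000, WEB, 3389, syn=True))
    r["internet to backend"] = fw.decide(Packet(ATTACKER, 55000, BACKEND, SQL_PORT, syn=True))
    r["stray ack"] = fw.decide(Packet(ATTACKER, 56000, WEB, 443))
    return r


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:20} -> {verdict}")
```

The point of the "reverse shell" scenario is the one the comment makes: because the web server's outbound rule only covers established flows plus its single backend connection, a compromised web process trying to call out to an attacker's listener on an arbitrary port is dropped by the default rule, even though inbound HTTPS to the same host is allowed.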

    Author Comment


    Let me be a little more specific: we currently have a site with IIS 6.0 behind a firewall, in a DMZ, but until now we have only had users review their accounts, not able to do transactions, basically a one-way street.

    This is now phase two; users will be able to create transactions. We need to have a secure link (SSL, IPSEC? open to suggestions), and we are looking to implement a VPN for tech users to securely troubleshoot remotely, i.e. from home.
    So we are looking for a solution to fit both of these user groups.

    Thanks again
    LVL 6

    Assisted Solution

    Great - you already have IIS set up. I would recommend IPSEC, but only if it's your own clients that are going to connect to your server. Take small steps with this; it's very easy to break a secure implementation.

    If you are really starting from scratch, I would install Apache on Linux (probably Debian) and install mod_ssl and whatever other dependencies you require. I would only go this route because your server will be in a DMZ, so you really need to protect it as much as possible from the get-go. There's no GUI (unless you want one), but it's a lot more secure than a Windows box, because you only install the services you require: start with a bare-bones box and add services as you need them, which will only be Apache and its dependencies.

    You will need an SSL cert; many are available.

    I found a really cheap class A cert authority recently when reissuing certs for some of my own servers; they sell 256-bit certificates from $38 USD for one year. They are issued by IPS Servidores, who are a default trusted certification authority in Mozilla/Firefox/IE browsers :)

    There are many VPNs available and really it's all down to cost.
    Think about whether you need two-factor authentication (a necessity in my opinion if you are giving remote management rights to anyone), and VPN-SSL tunnelling. Citrix Access Gateway is a fantastic, certificate-based appliance which can give your administrators or other users access not only to your DMZ but to internal servers if you so choose.
    I would really suggest getting a couple of vendors in and seeing what they have to offer.
    LVL 10

    Accepted Solution

    If you want to be as close to bulletproof as possible, I would suggest reading the NSA's guidelines for securing Windows and IIS:

    Take a look at this document also. It has a checklist for Windows 2000 which can possibly be applied to whatever server you're currently running:

    LVL 6

    Expert Comment

    Can I suggest you look at implementing two-factor authentication.

    Most online banks are heading towards two-factor authentication where the second password or key is transmitted to the end user over a different medium, such as a text message to a cell phone.

    This, combined with hardening your IIS server and running HTTPS "SSL" at a reasonable crypto level, should suffice. Hardening an IIS server.
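An added example of the second-channel scheme the comment describes: the server issues a one-time code, hands it to a delivery channel the caller supplies (an SMS gateway in the thread's scenario; here a constructed stub that just records the message), and later verifies what the user types back. It is not code from the thread or from any product mentioned in it. It goes one step beyond the comment by binding the code to the transaction text that was delivered with it, so a code issued for one transfer cannot approve a different one. The lifetime, attempt limit and key are assumed policy values; the user, transaction and clock in the demo are constructed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

CODE_DIGITS = 6
CODE_LIFETIME = 300      # seconds an issued code stays valid (assumed policy)
MAX_ATTEMPTS = 3         # wrong guesses before the code is burned (assumed policy)


@dataclass
class PendingCode:
    digest: bytes        # keyed hash of (salt, transaction, code); the code itself is not kept
    salt: bytes
    expires_at: float
    attempts: int = 0


class SecondFactor:
    """Issue a one-time code over a separate channel and verify it once."""

    def __init__(self, server_key: bytes, send: Callable[[str, str], None],
                 now: Callable[[], float] = time.time):
        self.server_key = server_key   # server-side secret (assumed; never sent to the user)
        self.send = send               # out-of-band delivery, e.g. an SMS gateway
        self.now = now                 # injectable clock so expiry can be demonstrated
        self.pending: Dict[str, PendingCode] = {}

    def _digest(self, salt: bytes, transaction: str, code: str) -> bytes:
        msg = salt + transaction.encode() + b"\0" + code.encode()
        return hmac.new(self.server_key, msg, hashlib.sha256).digest()

    def issue(self, user: str, transaction: str) -> None:
        # secrets (CSPRNG), not random: the code must be unguessable.
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        salt = secrets.token_bytes(16)
        self.pending[user] = PendingCode(self._digest(salt, transaction, code), salt,
                                         self.now() + CODE_LIFETIME)
        # The message repeats the transaction so the user can spot tampering
        # before approving it.
        self.send(user, f"Code {code} approves: {transaction}")

    def verify(self, user: str, transaction: str, code: str) -> bool:
        entry = self.pending.get(user)
        if entry is None:
            return False
        if self.now() > entry.expires_at:
            del self.pending[user]
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(self._digest(entry.salt, transaction, code), entry.digest)
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self.pending[user]     # single use, and burned after too many guesses
        return ok


def demo() -> dict:
    sent = []                        # what the constructed "SMS gateway" delivered
    clock = [1_000_000.0]            # constructed clock, seconds
    sf = SecondFactor(b"server-side-secret-key", lambda u, m: sent.append((u, m)),
                      now=lambda: clock[0])
    txn = "transfer 100.00 to account 1234"
    results = {}

    sf.issue("alice", txn)
    code = sent[-1][1].split()[1]    # what the user reads off the phone
    wrong = "000000" if code != "000000" else "111111"
    results["wrong_code"] = sf.verify("alice", txn, wrong)
    results["altered_txn"] = sf.verify("alice", "transfer 9999.00 to account 6666", code)
    results["right_code"] = sf.verify("alice", txn, code)
    results["replay"] = sf.verify("alice", txn, code)

    sf.issue("alice", txn)
    code2 = sent[-1][1].split()[1]
    clock[0] += CODE_LIFETIME + 1
    results["expired"] = sf.verify("alice", txn, code2)

    sf.issue("alice", txn)
    code3 = sent[-1][1].split()[1]
    bad = "999999" if code3 != "999999" else "888888"
    for _ in range(MAX_ATTEMPTS):
        sf.verify("alice", txn, bad)
    results["locked_out"] = sf.verify("alice", txn, code3)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12} -> {outcome}")
```

Only the keyed hash of the code is stored, the comparison is constant-time, a code works once, dies after its lifetime, and is discarded after a handful of wrong guesses; those four properties are what keep a six-digit code from being brute-forced or replayed, and they are the parts most often missing from home-grown SMS schemes.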


    LVL 6

    Expert Comment

    You will not find anything as secure as this:

    for web based applications.

    Trouble is it costs a lot :(
    LVL 51

    Expert Comment

    >  You will not find anything as secure as this:
    While Imperva's product is more like an IPS, it's just that and does not protect completely, while other products can ensure some kind of protection by definition (I don't say that SecureSphere does not protect, or that other products protect better).
    If you recommend WAFs, please don't stick to a product 'cause they all have their pros and cons, currently, somehow, ...
    Well, you may believe in marketing chatter, that's up to you ;-)

    Back to the initial question:
    Bulletproof is impossible, as already said.
    I'm still missing "what" should be protected.
    I guess that it is obvious that the OS of the web server is hardened, that it is protected by a (traditional network) firewall, that it resides in a DMZ, that the DMZ has no active connections to the backend, and so on ...
    So the web server itself (IIS) needs to be hardened, and *all* its applications also. The latter will be the most important part.
    Then you may consider using a WAF (Web Application Firewall) too, just to raise the bar, or to protect your weak/vulnerable applications.
    LVL 6

    Expert Comment

    > Well, you may believe in marketing chatter, that's up to you ;-)

    LMAO... I don't believe in marketing chatter as I have been too long in this game. I have installed it in one of the biggest corporate enterprises in the UK.

    It works at all layers and protects the web server(s) from all sorts of attacks, and I for one am very impressed with the product. So I rate this product from personal experience and not from marketing chatter.

    Plus I did not say it will protect completely; I said that at this moment in time I don't think there is anything more secure, unless another expert (from this forum, or people I generally come into contact with) advises me there are other products that do a better job - then I will look into it.

    Please refrain from telling me how I believe in a product. :)

    Nine times out of ten if you recommend a technology, someone will say which one, so unless it's against Experts Exchange's rules to recommend a product then I will continue to do so.

    LOL you also mention WAFs at the end of your post :P

    No more on this topic from me as I am here to help not hinder ;)

    P.S. I am not employed by Imperva in any way ;)
    LVL 51

    Expert Comment

    Nzarth, my writing was just about the message in the sentence I quoted, no personal offence at all (read the smileys too :)
    LVL 6

    Expert Comment

    I still say two factor.

    Oh, and another product .... Check Point Enterprise edition with SmartDefense. ;o)

    But then if you have hardened the server in alignment with best practice and are using two-factor authentication you are halfway there. You should investigate some sort of protection ... something that works at the IDS layer. But if you are talking large transactions you should probably call in an expert and pay him the consultancy fee to design the system.

    I am rather bemused that you are asking questions in this forum that should be answered by someone that specialises in the area.

    Pay the money, get someone in, and you have someone else to blame if this goes pear-shaped.

    Nuff said!
