Solved

Website security

Posted on 2006-05-19
Last Modified: 2010-04-11
Hi all

My company is setting up a website for users to make financial transactions; we basically (not so basic) need to make the website bulletproof.
Any help is greatly appreciated.

Thanks
Question by:shp44
12 Comments
 
LVL 2

Expert Comment

by:nls73m
ID: 16720926
Bullet proof would mean not having a web site at all. It can be close to bullet proof using Apache and "maybe" even IIS if configured properly. Of course OpenSSL as well. Have you ever built an HTTP / HTTPS server? Try Linux? www.centos.org?
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 16720937
Hello there,

This link will tell you how you can set your SSL up to your website.

http://www.gotmerchant.com/internet_merchant_accounts/secure_ssl/

This link also gives you information on how to keep your website secure.

http://www.thawte.com/

Hope this helps
 
LVL 11

Assisted Solution

by:prueconsulting
prueconsulting earned 600 total points
ID: 16721088
Well, think Security In-Depth.

Put the webserver on a properly configured DMZ with access to the DMZ controlled by a firewall. Only allow HTTP and HTTPS traffic to said webserver from the internet.
Control outbound access from the webserver to only established traffic. This helps prevent any buffer overflow / reverse command shells etc.

Harden the server (whichever operating system you like) by removing any unrequired services. If possible remove the services vs. disabling them.

On your web platform (Apache, IIS etc.) remove all unrequired functionality and file extensions (i.e. on IIS remove id?, htw and all the others not required); do not add other functionality unless required (Perl, PHP etc.).

Configure your backend to only accept connections from the webserver or intermediary.

It basically comes down to proper design and planning.
 

Author Comment

by:shp44
ID: 16721780


Let me be a little more specific: we currently have a site with IIS 6.0 behind a firewall, in a DMZ, but till now we have only had users review their accounts, not able to do transactions, basically a one way street.

This is now phase two; users will be able to create transactions. We need to have a secure link (SSL, IPSEC? open to suggestions), and we are looking to implement a VPN for tech users to securely troubleshoot remotely, i.e. home.
So we are looking for a solution to fit both of these user groups.

Thanks again
 
LVL 6

Assisted Solution

by:sr1xxon
sr1xxon earned 300 total points
ID: 16722133
Great - you already have IIS set up. I would recommend IPSEC, but only if it's your own clients that are going to connect to your server. Take small steps with this. It's very easy to break a secure implementation.

If you are really starting from scratch, I would install Apache on Linux (probably Debian) and install mod_ssl and whatever other dependencies you require. I would only go this route because your server will be in a DMZ, so you really need to protect it as much as possible from the get-go. There's no GUI (unless you want one), but it's a lot more secure than a Windows box, because you only install the services you require: start with a bare bones box and add services as you need them, which will only be Apache and its dependencies.

You will need an SSL cert; many are available.

I found a really cheap class A cert authority recently when reissuing certs for some of my own servers: http://certs.ipsca.com sell 256-bit certificates from $38 USD for one year. They are issued by IPS Servidores, who are a default trusted certification authority in Mozilla/Firefox/IE browsers :)


There are many VPNs available and really it's all down to cost.
Think about whether you need two-factor authentication (a necessity in my opinion if you are giving remote management rights to anyone), and VPN-SSL tunnelling. Citrix Access Gateway is a fantastic, certificate-based appliance which can give your administrators or other users access not only to your DMZ but to internal servers if you so choose.
I would really suggest getting a couple of vendors in and seeing what they have to offer.
 
LVL 10

Accepted Solution

by:victornegri
victornegri earned 300 total points
ID: 16723001
If you want to be as close to bulletproof as possible, I would suggest reading the NSA's guidelines for securing Windows and IIS:
http://csrc.nist.gov/pcig/cig.html

Take a look at this document also. It has a checklist for Windows 2000 which can possibly be applied to whatever server you're currently running:

http://nsa2.www.conxion.com/win2k/guides/w2k-14.pdf

 
LVL 6

Expert Comment

by:nexissteve
ID: 16723100
Can I suggest you look at implementing two-factor authentication?

Most online banks are heading towards two-factor authentication where the second password or key is transmitted to the end user over a different medium, such as "Text message to Cell Phone".

This combined with hardening your IIS server and running https "ssl" at a reasonable crypto level should suffice.

Hardening an IIS server: http://www.wilsonmar.com/1iiscfg.htm

Cheers

S
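The out-of-band second factor described above, as an added example that is not part of the original thread: the server issues a one-time code bound to a specific transaction, delivers it over a separate channel (the SMS sender is a stub), and accepts it only once, before expiry and within an attempt limit. The class, the message format and the TTL and attempt constants are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumption: a code stays valid for five minutes
MAX_ATTEMPTS = 3        # assumption: three wrong guesses burn the code


def send_sms(phone: str, text: str) -> None:
    """Stub for the separate delivery channel; a real SMS gateway goes here."""
    print(f"[sms -> {phone}] {text}")


class TransactionCodes:
    """Issues and checks one-time codes that authorise one specific transaction."""

    def __init__(self, send=send_sms, now=time.time):
        self._send, self._now = send, now
        self._pending = {}  # txn_id -> {"digest", "expires", "attempts"}

    @staticmethod
    def _digest(code: str, txn_id: str, amount: str, dest: str) -> bytes:
        # Bind the code to the transaction details so it cannot be replayed
        # for a different amount or destination; only the digest is stored.
        return hashlib.sha256(f"{code}|{txn_id}|{amount}|{dest}".encode()).digest()

    def issue(self, txn_id: str, amount: str, dest: str, phone: str) -> None:
        code = f"{secrets.randbelow(10**6):06d}"  # six digits from a CSPRNG
        self._pending[txn_id] = {
            "digest": self._digest(code, txn_id, amount, dest),
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        # The code and what it authorises travel over the out-of-band channel.
        self._send(phone, f"Code {code} authorises transfer of {amount} to {dest}")

    def verify(self, txn_id: str, amount: str, dest: str, code: str) -> bool:
        rec = self._pending.get(txn_id)
        if rec is None:
            return False  # never issued, already used, or already burned
        if self._now() > rec["expires"]:
            self._pending.pop(txn_id)  # expired: burn it
            return False
        rec["attempts"] += 1
        ok = hmac.compare_digest(rec["digest"], self._digest(code, txn_id, amount, dest))
        if ok or rec["attempts"] >= MAX_ATTEMPTS:
            self._pending.pop(txn_id)  # single use, or attempt limit reached
        return ok
```

Because the amount and destination are part of the digest, a code read out to the user for one transfer cannot be used to approve a different one.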
 
LVL 6

Expert Comment

by:Nzarth
ID: 16723773
You will not find anything as secure as this:

http://www.imperva.com/products/securesphere/web_application_firewall.html

for web-based applications.

Trouble is it costs a lot :(
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16724296
>  You will not find anything as secure as this:
LOL
While Imperva's product is more like an IPS, it's just that and does not protect completely, while other products can ensure some kind of protection by definition (I don't say that SecureSphere does not protect, or that other products protect better).
If you recommend WAFs, please don't stick on a product 'cause they all have their pros and cons, currently, somehow, ...
Well, you may believe in marketing chatter, that's up to you ;-)

Back to the initial question:
Bulletproof is impossible, as already said.
I'm still missing "what" should be protected.
I guess that it is obvious that the OS of the web server is hardened, that it is protected by a (traditional network) firewall, that it resides in a DMZ, that the DMZ has no active connections to the backend, and so on ...
So the web server itself (IIS) needs to be hardened, and *all* its applications also. The latter will be the most important part.
Then you may consider using a WAF (Web Application Firewall) too, just to raise the bar, or to protect your weak/vulnerable applications.
 
LVL 6

Expert Comment

by:Nzarth
ID: 16724855
> Well, you may believe in marketing chatter, that's up to you ;-)

LMAO.... I don't believe in marketing chatter as I have been too long in this game. I have installed it in one of the biggest corporate enterprises in the UK.

It works at all layers and protects the web server(s) from all sorts of attacks and I for one am very impressed with the product. So I rate this product from personal experience and not from marketing chatter.

Plus I did not say it will protect completely; I said that at this moment in time I don't think there is anything more secure, unless another expert (from this forum or people I generally come into contact with) advises me there are other products that do a better job - then I will look into it.

Please refrain from telling me how I believe in a product. :)

Nine times out of ten if you recommend a technology, someone will say which one, so unless it's against Experts Exchange's rules to recommend a product then I will continue to do so.

LOL you also mention WAFs at the end of your post :P

No more on this topic from me as I am here to help not hinder ;)

P.S. I am not employed by Imperva in any way ;)
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16725010
Nzarth, my writing was just about the message in the sentence I quoted, no personal offence at all (read the smileys too :)
 
LVL 6

Expert Comment

by:nexissteve
ID: 16725013
I still say two factor.

Oh and another product .... Checkpoint Enterprise edition with smart defense. ;o)

But then if you have hardened the server in alignment with best practice and are using two-factor authentication ... you are half way there. You should investigate some sort of protection ... something that works at the IDS layer. But if you are talking large transactions you should probably call in an expert and pay him the consultancy fee to design the system.

I am rather bemused that you are asking questions in this forum that should be answered by someone that specialises in the area.

Pay the money, get someone in, and you have someone else to blame if this goes pear shaped.

Nuff said!
