Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


How secure am I?

Posted on 2006-06-13
Medium Priority
Last Modified: 2010-04-11
Hi Experts,

I have created a webiste that requires user authentication and login.  This site was created in Dreamweaver 8 running on IIS 5.1.  The user accesses the site, types in a pre-assigned password and user ID and is admitted to the site.  All pages within the site are restricted if there is not a properly authenticated user session.  My question is, is this enough security or should I do something else to make sure this site is not accessible to anyone who does not have the appropriate credentials?

Thank you,
Question by:ODATech
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Expert Comment

ID: 16896751
IIS 6 with AD installed would be more secure.  Are you running SSL (443) or just port 80 (http)?  Is there a firewall between your Internet connection and this webserver?


Author Comment

ID: 16896781
... just port 80 (http).  The web server is in front of the firewall.

Expert Comment

ID: 16896856
Why not put behind the firewall and setup a static nat to your webserver and only allow  443 and 80 into it?  

hanging a webserver directly out on the net is like holding up a sign in Iraq that says "shoot me"...  sorry for the metaphore but that's what popped into my head...

Even with the webserver behind the FW you're not totally safe.  I'd still get the webserver up to IIS 6.0 with a local install of AD in it's own domain, not a workgroup.

good luck

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

LVL 32

Accepted Solution

r-k earned 2000 total points
ID: 16897700
I would say that while the suggestions above are certainly good for added security, it all depends on the tradeoffs. If you are protecting something very valuable so that a break-in would be very expensive, then by all means you need to take those steps, and more. But for everyday type of stuff, you may not need to do a lot more. The one thing you can do for free, and which I think you should do, is to download and run MBSA from: http://www.microsoft.com/technet/security/tools/mbsahome.mspx and follow the guidelines it recommends for security updates etc.

Also, keep a good backup, this is necessary whether the site is hacked or not. Disks fail all the time!

Expert Comment

ID: 16899267
Good point r-k.

Sometimes what I do on exposed Web servers that don't hold any data is fully image the box after it's fully configured.  Lay that image down on another drive and swap drive to prove that it comes up ok.  Then if you're taken out just swap the drives and lay the image down on the spare again...

LVL 38

Expert Comment

by:Rich Rumble
ID: 16901389
There are two unpatched vulnerablities in IIS 5.x still
http://secunia.com/product/39/ (scroll down a ways)
There are two iis 6 vuln's total... both patched. IIS 6 is a recomended upgrade.

Author Comment

ID: 16901440
Thanks, Experts!  Should I do anything to the permissinos on this application?  I have an IUSR account and an EVERYONE but both have read only.

FYI ... IIS 6.0 is in the forecast for late 2006, but I wanted to make sure that this app was as secure as I could get it without too much more expense (dollars and minutes!) for now.  It isn't "top secret we're all going to die critical information," but it is sensitive in that we don't want everyone to be able to access it.

Thanks again.  :o)


Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

IF you are either unfamiliar with rootkits, or want to know more about them, read on ....
A new hacking trick has emerged leveraging your own helpdesk or support ticketing tools as an easy way to distribute malware.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question