Solved

How secure am I?

Posted on 2006-06-13
7
319 Views
Last Modified: 2010-04-11
Hi Experts,

I have created a webiste that requires user authentication and login.  This site was created in Dreamweaver 8 running on IIS 5.1.  The user accesses the site, types in a pre-assigned password and user ID and is admitted to the site.  All pages within the site are restricted if there is not a properly authenticated user session.  My question is, is this enough security or should I do something else to make sure this site is not accessible to anyone who does not have the appropriate credentials?

Thank you,
ODATech
0
Comment
Question by:ODATech
7 Comments
 
LVL 1

Expert Comment

by:sgh_aba
ID: 16896751
IIS 6 with AD installed would be more secure.  Are you running SSL (443) or just port 80 (http)?  Is there a firewall between your Internet connection and this webserver?

sgh_aba
0
 

Author Comment

by:ODATech
ID: 16896781
... just port 80 (http).  The web server is in front of the firewall.
0
 
LVL 1

Expert Comment

by:sgh_aba
ID: 16896856
Why not put behind the firewall and setup a static nat to your webserver and only allow  443 and 80 into it?  

hanging a webserver directly out on the net is like holding up a sign in Iraq that says "shoot me"...  sorry for the metaphore but that's what popped into my head...

Even with the webserver behind the FW you're not totally safe.  I'd still get the webserver up to IIS 6.0 with a local install of AD in it's own domain, not a workgroup.

good luck

sgh_aba
0
Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

 
LVL 32

Accepted Solution

by:
r-k earned 500 total points
ID: 16897700
I would say that while the suggestions above are certainly good for added security, it all depends on the tradeoffs. If you are protecting something very valuable so that a break-in would be very expensive, then by all means you need to take those steps, and more. But for everyday type of stuff, you may not need to do a lot more. The one thing you can do for free, and which I think you should do, is to download and run MBSA from: http://www.microsoft.com/technet/security/tools/mbsahome.mspx and follow the guidelines it recommends for security updates etc.

Also, keep a good backup, this is necessary whether the site is hacked or not. Disks fail all the time!
0
 
LVL 1

Expert Comment

by:sgh_aba
ID: 16899267
Good point r-k.

Sometimes what I do on exposed Web servers that don't hold any data is fully image the box after it's fully configured.  Lay that image down on another drive and swap drive to prove that it comes up ok.  Then if you're taken out just swap the drives and lay the image down on the spare again...

sgh_aba
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 16901389
There are two unpatched vulnerablities in IIS 5.x still
http://secunia.com/product/39/ (scroll down a ways)
There are two iis 6 vuln's total... both patched. IIS 6 is a recomended upgrade.
http://secunia.com/product/1438/
-rich
0
 

Author Comment

by:ODATech
ID: 16901440
Thanks, Experts!  Should I do anything to the permissinos on this application?  I have an IUSR account and an EVERYONE but both have read only.

FYI ... IIS 6.0 is in the forecast for late 2006, but I wanted to make sure that this app was as secure as I could get it without too much more expense (dollars and minutes!) for now.  It isn't "top secret we're all going to die critical information," but it is sensitive in that we don't want everyone to be able to access it.

Thanks again.  :o)

0

Featured Post

Surfing Is Meant To Be Done Outdoors

Featuring its rugged IP67 compliant exterior and delivering broad, fast, and reliable Wi-Fi coverage, the AP322 is the ideal solution for the outdoors. Manage this AP with either a Firebox as a gateway controller, or with the Wi-Fi Cloud for an expanded set of management features

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are looking at this article, you have most likely been hit by some version of ransomware and are trying to find out if there is anything you can do, or what way you should react - READ ON!
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question