Solved

How secure am I?

Posted on 2006-06-13
7
320 Views
Last Modified: 2010-04-11
Hi Experts,

I have created a webiste that requires user authentication and login.  This site was created in Dreamweaver 8 running on IIS 5.1.  The user accesses the site, types in a pre-assigned password and user ID and is admitted to the site.  All pages within the site are restricted if there is not a properly authenticated user session.  My question is, is this enough security or should I do something else to make sure this site is not accessible to anyone who does not have the appropriate credentials?

Thank you,
ODATech
0
Comment
Question by:ODATech
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 1

Expert Comment

by:sgh_aba
ID: 16896751
IIS 6 with AD installed would be more secure.  Are you running SSL (443) or just port 80 (http)?  Is there a firewall between your Internet connection and this webserver?

sgh_aba
0
 

Author Comment

by:ODATech
ID: 16896781
... just port 80 (http).  The web server is in front of the firewall.
0
 
LVL 1

Expert Comment

by:sgh_aba
ID: 16896856
Why not put behind the firewall and setup a static nat to your webserver and only allow  443 and 80 into it?  

hanging a webserver directly out on the net is like holding up a sign in Iraq that says "shoot me"...  sorry for the metaphore but that's what popped into my head...

Even with the webserver behind the FW you're not totally safe.  I'd still get the webserver up to IIS 6.0 with a local install of AD in it's own domain, not a workgroup.

good luck

sgh_aba
0
Transaction Monitoring Vs. Real User Monitoring

Synthetic Transaction Monitoring Vs. Real User Monitoring: When To Use Each Approach? In this article, we will discuss two major monitoring approaches: Synthetic Transaction and Real User Monitoring.

 
LVL 32

Accepted Solution

by:
r-k earned 500 total points
ID: 16897700
I would say that while the suggestions above are certainly good for added security, it all depends on the tradeoffs. If you are protecting something very valuable so that a break-in would be very expensive, then by all means you need to take those steps, and more. But for everyday type of stuff, you may not need to do a lot more. The one thing you can do for free, and which I think you should do, is to download and run MBSA from: http://www.microsoft.com/technet/security/tools/mbsahome.mspx and follow the guidelines it recommends for security updates etc.

Also, keep a good backup, this is necessary whether the site is hacked or not. Disks fail all the time!
0
 
LVL 1

Expert Comment

by:sgh_aba
ID: 16899267
Good point r-k.

Sometimes what I do on exposed Web servers that don't hold any data is fully image the box after it's fully configured.  Lay that image down on another drive and swap drive to prove that it comes up ok.  Then if you're taken out just swap the drives and lay the image down on the spare again...

sgh_aba
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 16901389
There are two unpatched vulnerablities in IIS 5.x still
http://secunia.com/product/39/ (scroll down a ways)
There are two iis 6 vuln's total... both patched. IIS 6 is a recomended upgrade.
http://secunia.com/product/1438/
-rich
0
 

Author Comment

by:ODATech
ID: 16901440
Thanks, Experts!  Should I do anything to the permissinos on this application?  I have an IUSR account and an EVERYONE but both have read only.

FYI ... IIS 6.0 is in the forecast for late 2006, but I wanted to make sure that this app was as secure as I could get it without too much more expense (dollars and minutes!) for now.  It isn't "top secret we're all going to die critical information," but it is sensitive in that we don't want everyone to be able to access it.

Thanks again.  :o)

0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Keystroke loggers have been around for a very long time. While the threat is old, some of the remedies are new!
A hard and fast method for reducing Active Directory Administrators members.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Suggested Courses

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question