Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

How secure am I?

Posted on 2006-06-13
7
Medium Priority
?
324 Views
Last Modified: 2010-04-11
Hi Experts,

I have created a webiste that requires user authentication and login.  This site was created in Dreamweaver 8 running on IIS 5.1.  The user accesses the site, types in a pre-assigned password and user ID and is admitted to the site.  All pages within the site are restricted if there is not a properly authenticated user session.  My question is, is this enough security or should I do something else to make sure this site is not accessible to anyone who does not have the appropriate credentials?

Thank you,
ODATech
0
Comment
Question by:ODATech
7 Comments
 
LVL 1

Expert Comment

by:sgh_aba
ID: 16896751
IIS 6 with AD installed would be more secure.  Are you running SSL (443) or just port 80 (http)?  Is there a firewall between your Internet connection and this webserver?

sgh_aba
0
 

Author Comment

by:ODATech
ID: 16896781
... just port 80 (http).  The web server is in front of the firewall.
0
 
LVL 1

Expert Comment

by:sgh_aba
ID: 16896856
Why not put behind the firewall and setup a static nat to your webserver and only allow  443 and 80 into it?  

hanging a webserver directly out on the net is like holding up a sign in Iraq that says "shoot me"...  sorry for the metaphore but that's what popped into my head...

Even with the webserver behind the FW you're not totally safe.  I'd still get the webserver up to IIS 6.0 with a local install of AD in it's own domain, not a workgroup.

good luck

sgh_aba
0
Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

 
LVL 32

Accepted Solution

by:
r-k earned 2000 total points
ID: 16897700
I would say that while the suggestions above are certainly good for added security, it all depends on the tradeoffs. If you are protecting something very valuable so that a break-in would be very expensive, then by all means you need to take those steps, and more. But for everyday type of stuff, you may not need to do a lot more. The one thing you can do for free, and which I think you should do, is to download and run MBSA from: http://www.microsoft.com/technet/security/tools/mbsahome.mspx and follow the guidelines it recommends for security updates etc.

Also, keep a good backup, this is necessary whether the site is hacked or not. Disks fail all the time!
0
 
LVL 1

Expert Comment

by:sgh_aba
ID: 16899267
Good point r-k.

Sometimes what I do on exposed Web servers that don't hold any data is fully image the box after it's fully configured.  Lay that image down on another drive and swap drive to prove that it comes up ok.  Then if you're taken out just swap the drives and lay the image down on the spare again...

sgh_aba
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 16901389
There are two unpatched vulnerablities in IIS 5.x still
http://secunia.com/product/39/ (scroll down a ways)
There are two iis 6 vuln's total... both patched. IIS 6 is a recomended upgrade.
http://secunia.com/product/1438/
-rich
0
 

Author Comment

by:ODATech
ID: 16901440
Thanks, Experts!  Should I do anything to the permissinos on this application?  I have an IUSR account and an EVERYONE but both have read only.

FYI ... IIS 6.0 is in the forecast for late 2006, but I wanted to make sure that this app was as secure as I could get it without too much more expense (dollars and minutes!) for now.  It isn't "top secret we're all going to die critical information," but it is sensitive in that we don't want everyone to be able to access it.

Thanks again.  :o)

0

Featured Post

Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Last month Marc Laliberte, WatchGuard’s Senior Threat Analyst, contributed reviewed the three major email authentication anti-phishing technology standards: SPF, DKIM, and DMARC. Learn more in part 2 of the series originally posted in Cyber Defense …
Spectre and Meltdown, how it affects me and my clients?
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…

581 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question