Solved

How secure am I?

Posted on 2006-06-13
315 Views
Last Modified: 2010-04-11
Hi Experts,

I have created a website that requires user authentication and login.  This site was created in Dreamweaver 8 running on IIS 5.1.  The user accesses the site, types in a pre-assigned password and user ID and is admitted to the site.  All pages within the site are restricted if there is not a properly authenticated user session.  My question is, is this enough security or should I do something else to make sure this site is not accessible to anyone who does not have the appropriate credentials?

Thank you,
ODATech
Question by:ODATech
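The gate the question describes (every page refused unless an authenticated session exists), written out as an added example in Python rather than the ASP that Dreamweaver 8 would generate for IIS 5.1. This is not code from the question or from any poster in the thread; the cookie name, the login path, the public paths and the in-memory session store are all assumptions made for the example.

```python
import secrets
from http import cookies

# Assumed names: session cookie, login page and the few paths served without a session
SESSION_COOKIE = "SID"
LOGIN_PATH = "/login"
PUBLIC_PATHS = {LOGIN_PATH, "/favicon.ico"}

# Constructed in-memory session store (a real site would use the server's
# own session facility): session id -> user id
SESSIONS = {}


def create_session(user_id):
    """Issue an unguessable session id after the password check has passed."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user_id
    return sid


def session_user(cookie_header):
    """Return the user bound to the presented session cookie, or None."""
    if not cookie_header:
        return None
    jar = cookies.SimpleCookie()
    try:
        jar.load(cookie_header)
    except cookies.CookieError:
        return None
    morsel = jar.get(SESSION_COOKIE)
    if morsel is None:
        return None
    return SESSIONS.get(morsel.value)


def gate(path, cookie_header):
    """One check in front of every page: deny unless a valid session exists.

    Returns (status, headers, user).  Any path not listed in PUBLIC_PATHS is
    redirected to the login page when no valid session is presented, so a
    page whose author forgot its own check is still protected.
    """
    if path in PUBLIC_PATHS:
        return 200, {}, None
    user = session_user(cookie_header)
    if user is None:
        return 302, {"Location": LOGIN_PATH}, None
    return 200, {}, user


def session_cookie_header(sid, https):
    """Set-Cookie value for a freshly created session.

    HttpOnly keeps the id away from page scripts, SameSite limits cross-site
    use, and Secure (only usable once the site is served on 443) stops the
    browser from ever sending the id over plain HTTP.
    """
    attrs = ["Path=/", "HttpOnly", "SameSite=Strict"]
    if https:
        attrs.append("Secure")
    return f"{SESSION_COOKIE}={sid}; " + "; ".join(attrs)


if __name__ == "__main__":
    sid = create_session("odatech")
    print(gate("/reports.asp", None))                        # (302, {'Location': '/login'}, None)
    print(gate("/reports.asp", f"{SESSION_COOKIE}={sid}"))  # (200, {}, 'odatech')
    print(session_cookie_header(sid, https=False))
```

The point of putting the check in one place is that it fails closed: a new page added later is protected before anyone remembers to add a check to it. It also shows the limit of the setup sgh_aba asks about below: on port 80 the Secure attribute cannot be used, so the session id (and the password on the login form) crosses the network in clear text. The gate decides which pages load, but only moving the site to 443 protects the credential in transit.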
7 Comments
 
Expert Comment by: sgh_aba
IIS 6 with AD installed would be more secure.  Are you running SSL (443) or just port 80 (http)?  Is there a firewall between your Internet connection and this webserver?

sgh_aba
 

Author Comment by: ODATech
... just port 80 (http).  The web server is in front of the firewall.
 
Expert Comment by: sgh_aba
Why not put it behind the firewall and set up a static NAT to your webserver and only allow 443 and 80 into it?

Hanging a webserver directly out on the net is like holding up a sign in Iraq that says "shoot me"...  sorry for the metaphor but that's what popped into my head...

Even with the webserver behind the FW you're not totally safe.  I'd still get the webserver up to IIS 6.0 with a local install of AD in its own domain, not a workgroup.

good luck

sgh_aba
 
Accepted Solution by: r-k (earned 500 total points)
I would say that while the suggestions above are certainly good for added security, it all depends on the tradeoffs. If you are protecting something very valuable so that a break-in would be very expensive, then by all means you need to take those steps, and more. But for everyday type of stuff, you may not need to do a lot more. The one thing you can do for free, and which I think you should do, is to download and run MBSA from: http://www.microsoft.com/technet/security/tools/mbsahome.mspx and follow the guidelines it recommends for security updates etc.

Also, keep a good backup, this is necessary whether the site is hacked or not. Disks fail all the time!
 
Expert Comment by: sgh_aba
Good point r-k.

Sometimes what I do on exposed Web servers that don't hold any data is fully image the box after it's fully configured.  Lay that image down on another drive and swap drive to prove that it comes up ok.  Then if you're taken out just swap the drives and lay the image down on the spare again...

sgh_aba
 
Expert Comment by: Rich Rumble
There are two unpatched vulnerabilities in IIS 5.x still
http://secunia.com/product/39/ (scroll down a ways)
There are two IIS 6 vulns total... both patched. IIS 6 is a recommended upgrade.
http://secunia.com/product/1438/
-rich
 

Author Comment by: ODATech
Thanks, Experts!  Should I do anything to the permissions on this application?  I have an IUSR account and an EVERYONE but both have read only.

FYI ... IIS 6.0 is in the forecast for late 2006, but I wanted to make sure that this app was as secure as I could get it without too much more expense (dollars and minutes!) for now.  It isn't "top secret we're all going to die critical information," but it is sensitive in that we don't want everyone to be able to access it.

Thanks again.  :o)

