Protecting Your Computer


If you re hosting a Web site on your own computer, you re taking on the responsibilities of a system administrator. In Chapter 3, I outlined the security precautions you should take before opening your computer to the Internet. In this section, I ll provide advice about how to protect your computer if you re using it to host a Web site.

Restricting Access to Your Computer

A primary security precaution is to keep people from being able to get to your computer (except for the very limited access that you want to allow), which you can accomplish through the use of a firewall. A firewall is an essential security system that monitors traffic coming in to your computer (some firewalls also monitor outgoing traffic) and discards any traffic that you haven t explicitly allowed in the firewall s configuration. A good primer on firewalls is the article Checklist: Install a Firewall on the Microsoft security site at http://microsoft.com/security/articles/firewall.asp.

In general, your firewall should be configured to close all the ports, or communications portals, on your computer except the ports that you explicitly want open. By convention, Web servers listen for incoming requests on port 80, so if you re hosting a Web site on your computer, you must configure your firewall to leave port 80 open so that your Web server can receive requests. If you re not sure what ports your computer or firewall currently has open, you can visit a port-scanning site on the Web. Port-scanning sites test your firewall by attempting to access the most commonly used ports on your computer and then displaying a report. In effect, port-scanning sites perform benignly the same kind of port scanning that a cracker might perform with more nefarious purposes in mind. One of the most popular port-scanning sites is the ShieldsUp! site maintained by Gibson Research at http://www.grc.com/.

Hardware routers offer additional protection because they form a physical barrier between your computer and the Internet. When you have a router, your modem is connected to the router instead of to your computer, and the router owns the IP address open to the Internet. Your computer is on a private network behind the router (even if your network consists of a single computer), with a different IP address that s completely invisible to the Internet.

Don t forget the sometimes-overlooked precaution of physically securing your computer. If the computer is in a public facility such as an office, keep it locked up. Protect the computer with strong passwords (long passwords that include non-alphabetic characters), and be sure that the password isn t written down in a location where an unauthorized user can easily find it.

Restricting Access to Resources on the Computer

If you re hosting a Web site, you re going to allow some access to your computer so that people can get to your Web server. But you want to minimize that access to just the resources that your Web users require. Start by making sure that every hard disk on your computer is formatted to use the NTFS file system instead of the FAT file system. The FAT file system was designed for single-user desktop versions of Windows such as Windows 95 and Windows 98 and offers only primitive security facilities. In contrast, NTFS, which was developed for server versions of Windows, allows you to set permissions on files and folders that grant or deny file access to individual user or group accounts on your Web server computer. (For a good overview of the differences between FAT and NTFS file systems, read the article Choosing between NTFS, FAT, and FAT32 at http://www.microsoft.com/technet/prodtechnol/winxppro/proddocs/.) Ideally, the files on your Web server computer would be accessible only to administrator-level users except for the files that are part of your Web application. Even then, you would ideally make your Web application files read-only except for the few files that users might need to write to. The principle of granting only the most limited permissions possible is known as the least privileges principle and is an important part of maintaining security on your site.

In addition, you should lock down your Web server computer by uninstalling or disabling any programs or features that you don t need and that might constitute a security threat. For example, in addition to supporting a Web server and a Simple Mail Transfer Protocol (SMTP) server, IIS allows you to run a File Transfer Protocol (FTP) server. But if you don t need an FTP server, be sure that the FTP server feature of IIS is not installed. In Chapter 15, I described how to use the SMTP virtual server in IIS to allow your Web applications to send e-mail messages. If you don t want or need to send e-mail messages, don t install the SMTP server. If you don t need the FTP and SMTP servers, not only should you uninstall them, but also you should configure your firewall to block ports 21 and 25, which are the ports used by the FTP and SMTP services, respectively.

The Microsoft Web site has a number of tools and articles to help you configure a Web server computer with least privileges, including the following:

  • For those new to security on home computers, the series of articles named 5-Minute Security Advisor on the Microsoft TechNet Web site (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/ ) provide an excellent, easy-to-understand overview.

  • The Microsoft Baseline Security Analyzer, available at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp. This analysis tool scans your computer for potential security flaws and creates a detailed report that lists everything from potential problems in Microsoft Outlook to missing security patches in Windows. Run this tool as soon as practical. I guarantee that you ll be surprised to see the types of vulnerabilities your computer currently exposes.

  • The article Secure Internet Information Services 5 Checklist at http:/ /www.microsoft.com/technet/treeview/default.asp?url=/technet/security/ tools/chklist/iis5chk.asp contains a comprehensive list of suggestions for securing a Web site that uses IIS 5.

  • The article An Introductory Guide to Building and Deploying More Secure Sites with ASP.NET and IIS at http://msdn.microsoft.com/library/default.asp?url=/msdnmag/issues/02/04/ASPSec/ toc.asp?frame=true is a two-part, in-depth discussion of using IIS and ASP.NET securely.

  • The article ASP .NET Security Issues at http://msdn.microsoft.com/ is a more advanced article on ASP.NET security.

Many more articles are available. A good starting place is the Microsoft security site at http://www.microsoft.com/security/.

Staying on Top of Security

You re never completely finished when it comes to securing your computer and your site. As new security problems are found, Microsoft and other vendors release patches to fix the problems. You can find the latest information at the Microsoft security site. If you re running Windows XP, take advantage of the Windows Update feature, which can alert you when a new patch is available. More generally, if you want to run a Web site from your computer, you should learn as much as you can about Windows security and Web security.

General Recommendations

Last but not least, you should take general security precautions to protect your computer. Follow these recommendations:

Keeping your Web server computer secure is critical, but it s only the first part of your security goals. In addition, you must create Web applications that follow good security practices. Let s turn our attention now to the software side of security.




Microsoft ASP. NET Web Matrix Starter Kit
Microsoft ASP.NET Web Matrix Starter Kit (Bpg-Other)
ISBN: 0735618569
EAN: 2147483647
Year: 2003
Pages: 169
Authors: Mike Pope
BUY ON AMAZON

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net