Law 4: If you allow a bad guy to upload programs to your Web site, it s not your Web site any more

Law #4: If you allow a bad guy to upload programs to your Web site, it's not your Web site any more

This is basically Law #1 in reverse. In that scenario, the bad guy tricks his victim into downloading a harmful program onto his computer and running it. In this one, the bad guy uploads a harmful program to a computer and runs it himself. Although this scenario is a danger anytime you allow strangers to connect to your computer, Web sites are involved in the overwhelming majority of these cases. Many people who operate Web sites are too hospitable for their own good, and allow visitors to upload programs to the site and run them. As we've seen above, unpleasant things can happen if a bad guy's program can run on your computer.

If you run a Web site, you need to limit what visitors can do. You should only allow a program on your site if you wrote it yourself, or if you trust the developer who wrote it. But that may not be enough. If your Web site is one of several hosted on a shared server, you need to be extra careful. If a bad guy can compromise one of the other sites on the server, it's possible he could extend his control to the server itself, in which case he could control all of the sites on itincluding yours. If you're on a shared server, it's important to find out what the server administrator's policies are. (By the way, before opening your site to the public, make sure you've followed the security checklists for IIS 4.0 and IIS 5.0.)