
Chapter 5 - Securing an IIS Application

Visual Basic Developers Guide to ASP and IIS
A. Russell Jones
  Copyright 1999 SYBEX Inc.

Improve Site Security
You've implemented the rudiments of sign-on/password security, but the site still has some serious security holes. First, as the project is set up, you must grant the application write access to its directory so it can write the registration file. That's bad security practice, because it's relatively easy to fool a server into writing files, and someone might manage to upload malevolent code onto your server. Worse yet, try typing this URL into your browser (substitute your own server name and virtual directory name):
http://myServer/SecuredSite/registration.txt
Bad, isn't it? Anyone who knows the name of the registration file can retrieve every sign-on and password.
Second, anybody can register—and there's little point in providing security if you then let anyone in who can invent a sign-on and password, unless you're just trying to capture personal information, such as contact information for visitors to your site. It would be much better to have a site administrator assign sign-ons to individuals. If you're really looking for good security, you should assign passwords as well, because people tend to select easy-to-guess passwords or to reuse them in many places.
Here are several ways you could improve the security for the site:
  Move the registration file to a directory outside of your Web root and outside of your File Transfer Protocol (FTP) root. That way, people won't be able to find it easily.
  Change the method for storing registration information from a file-based system to a secured database.
  Add administrative options to assign sign-ons and passwords.
  Add automatic password changes after a specific period of time has elapsed. For example, you might force people to change passwords each month, with a one-week grace period. People with expired passwords would need to contact an administrator to obtain a new one.
  Use NT user- or group-level security to restrict access to the directory. You'll see more about this in the next section. If you do this, you may not need sign-on and password security in your application; you can use the NT security instead.
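As an added example (not code from the book), the following Python module checks two of the items above: it confirms that the registration file's path lies outside both the Web root and the FTP root, and it computes the expiry state for the "change each month, one-week grace period" policy. The directory names, dates and user records are constructed samples, not values from the book.

```python
import os
from datetime import date, timedelta
from pathlib import Path

# Constructed sample layout (assumption, not taken from the book).
WEB_ROOT = Path("/inetpub/wwwroot")
FTP_ROOT = Path("/inetpub/ftproot")
PASSWORD_LIFETIME = timedelta(days=30)   # "force people to change passwords each month"
GRACE_PERIOD = timedelta(days=7)         # "with a one-week grace period"


def registration_file_exposed(reg_file, roots=(WEB_ROOT, FTP_ROOT)) -> bool:
    """True if the registration file sits inside any root that clients can browse.

    Paths are normalised first so that '..' segments cannot disguise the real
    location (e.g. /inetpub/appdata/../wwwroot/x.txt is still under the Web root).
    """
    target = Path(os.path.abspath(reg_file))
    for root in roots:
        root = Path(os.path.abspath(root))
        if target == root or root in target.parents:
            return True
    return False


def password_status(last_changed: date, today: date) -> str:
    """Return 'ok', 'must_change' (inside the grace week) or 'locked'.

    A locked account can no longer sign on and needs an administrator to
    assign a new password, as the text describes.
    """
    age = today - last_changed
    if age <= PASSWORD_LIFETIME:
        return "ok"
    if age <= PASSWORD_LIFETIME + GRACE_PERIOD:
        return "must_change"
    return "locked"


def may_sign_on(user: dict, today: date, reg_file) -> bool:
    """Gate a sign-on: refuse outright if the store is Web-reachable, otherwise
    admit only users whose password is current or still within the grace week."""
    if registration_file_exposed(reg_file):
        return False
    return password_status(user["last_changed"], today) != "locked"


if __name__ == "__main__":
    sample_user = {"sign_on": "rjones", "last_changed": date(2024, 1, 1)}  # constructed
    print(registration_file_exposed("/inetpub/wwwroot/SecuredSite/registration.txt"))
    print(may_sign_on(sample_user, date(2024, 2, 3), "/inetpub/appdata/registration.txt"))
```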

ISBN: 782125573