
General Site Access Security Question 1

Status
Not open for further replies.

bgreenhouse

Technical User
Feb 20, 2000
231
CA
This is a really general question; I have no knowledge of or experience with security issues, so I'm asking here. I have a site consisting of Active Server Pages. I have a login that compares your ID number and PIN with the database, then, if it's correct, assigns a session variable to true. Every page then checks to see if that variable is true before displaying. If it is false, empty or anything other than true, then the browser is redirected to the login page. This scripting is all done server side so it can't be seen from a client (I hope). Now, assuming the server is well protected (I'm using a large hosting company, so I would hope, probably wrongly, that the server is relatively secure), is this a secure method of protecting your website?

Again, I'm a beginner so let me have it gently.

Ben
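The login and per-page check Ben describes, written out as an added example in Python rather than classic ASP (this is illustration code, not Ben's site). It assumes a user table keyed by ID number that stores a salted PBKDF2 hash of the PIN rather than the PIN itself, a session object that behaves like a dict, and a login page at `/login.asp`; all three are assumptions, and the user records are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed "database": ID number -> (salt, PBKDF2 hash of the PIN).
# The PIN itself is never stored. Round count is an assumption for the example.
PBKDF2_ROUNDS = 20_000
LOGIN_PAGE = "/login.asp"          # assumed location of the login page


def _hash_pin(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ROUNDS)


def build_user_db(id_to_pin):
    """Set-up helper: turn constructed ID/PIN pairs into salted hashes."""
    db = {}
    for user_id, pin in id_to_pin.items():
        salt = os.urandom(16)
        db[user_id] = (salt, _hash_pin(pin, salt))
    return db


_DUMMY_SALT = os.urandom(16)


def login(db, session, user_id, pin):
    """The login page: compare the submitted ID/PIN with the database and set
    the session flag to True only on a match. Returns True on success."""
    record = db.get(user_id)
    if record is None:
        # Hash anyway so an unknown ID takes as long as a wrong PIN.
        _hash_pin(pin, _DUMMY_SALT)
        session["authenticated"] = False
        return False
    salt, stored = record
    if hmac.compare_digest(_hash_pin(pin, salt), stored):
        session.clear()                 # drop anything left over from before
        session["authenticated"] = True
        session["user_id"] = user_id
        return True
    session["authenticated"] = False
    return False


def gate(session):
    """The check every protected page runs first. Anything other than the exact
    value True (missing, False, "", the string "true", 1, ...) counts as not
    logged in, and the client is sent to the login page."""
    if session.get("authenticated") is True:
        return ("allow", None)
    return ("redirect", LOGIN_PAGE)


def protected_page(session):
    """A page body that renders only after the gate allows it."""
    decision, target = gate(session)
    if decision == "redirect":
        return "302 " + target          # stop here; no page content is sent
    return "200 hello " + session["user_id"]


def logout(session):
    """Clearing the whole session, not just the flag, is the simplest logout."""
    session.clear()
```

Because the check is done on the server and the flag only ever becomes `True` inside `login()`, the client has no way to set it; the comparison `is True` is deliberately strict so that a stray string or number in the session cannot pass the check.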
 
What you've got is pretty good. There's no way for a web client to see the ASP page, other than if they gain access to the server.

Your users are vulnerable to poor passwords and social engineering, but it may not be so bad if someone breaks into the application.

I would say that your greatest danger is someone breaking into the file system of the web server. This can occur because someone exploits a vulnerability in the operating system or web server software, but more likely is their gaining access through one of the above techniques (poor passwords and social engineering).

From my time dealing with Exodus, they are very strict in who they will talk to over the phone. If you're not on their list, they hang up on you. We also had the firewall deny access except from certain IP addresses. This prevented our customers from using dial-up access, but it was better than being sued because someone's medical records got out.

Poor passwords are your biggest vulnerability. You should ensure that all passwords expire regularly, and require a mixture of numerics and alpha. You should avoid the skool kidz technique of replacing letters with similarly shaped numbers (such as "c00l pa55w0rd"); the automated hacker tools are on to that now. Best way is the hard way -- a truly random password. Let your people write it down and carry it in their wallets. Chances of the bad guys using strong-arm tactics are remote (especially if your state allows concealed carry :) ).

If your developers are using FTP to update the site, you should know that FTP transmits passwords unencrypted. They need to find another way to upload files. What I've done is use Windows Terminal Server to turn FTP on, connect via FTP to send my files up, turn FTP off, then change the password of the account I used for FTP. The terminal server data stream is much harder to figure out than FTP or Telnet.

Chip H.
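The password advice in Chip's reply (regular expiry, a mix of letters and digits, no letter-for-digit substitutions, truly random passwords) as an added Python example; this is not Chip's code, and the word list, the 90-day expiry window and the 10-character minimum are assumptions made for the example.

```python
import secrets
import string
from datetime import date

# Constructed word list standing in for the dictionary an automated guessing
# tool carries; a real list has many thousands of entries.
COMMON_WORDS = {"password", "cool", "secret", "welcome", "admin", "letmein"}

# The letter-for-digit swaps the post warns about. Guessing tools simply
# undo them, so a checker should do the same before looking for words.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def undo_leet(password):
    return password.lower().translate(LEET_MAP)


def password_problems(password, min_len=10):
    """Return the list of policy failures (empty list means the password is
    acceptable): minimum length, both letters and digits present, and no
    dictionary word once the substitutions have been reversed."""
    problems = []
    if len(password) < min_len:
        problems.append("too short")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    plain = undo_leet(password)
    for word in sorted(COMMON_WORDS):
        if word in plain:
            problems.append("contains dictionary word: " + word)
    return problems


ALPHABET = string.ascii_letters + string.digits


def random_password(length=12):
    """A truly random password drawn from the OS CSPRNG via `secrets`, retried
    until it also passes the policy (a random string can still miss a digit)."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not password_problems(candidate):
            return candidate


def password_expired(set_on, today, max_age_days=90):
    """Regular expiry: True once the password is older than max_age_days
    (90 is an assumed value, not from the post)."""
    return (today - set_on).days > max_age_days


if __name__ == "__main__":
    for pw in ["c00l pa55w0rd", "hunter", random_password()]:
        print(repr(pw), password_problems(pw) or "ok")
    print(password_expired(date(1999, 11, 1), date(2000, 2, 20)))
```

Running the checker on Chip's own example `"c00l pa55w0rd"` reports two dictionary words even though the string is long enough and mixes letters and digits, which is exactly why the substitution trick buys nothing against an automated tool.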
 