Security

[yesterdays]

Hi,
I am a little bit worried about the security stuff. Is there anything that I can test my server with to see if it is safe. It's Windows 2003, IIS 6.0, PHP 4.3.9.

Cheers Yesterdays

 

[Olavxxx]

I know there are applications you can run, to check the security.

I think it might be an advantage to check from remote too, as local security might be less restricted.

I've used applications that generate html reports.

I have to regret to say that I dont remember the name of it, but it was shareware, so you could do all tests, but at a limited time (or something like that).

 

[DRJ478]

Go somewhere that performs port scans, UDP and TCP and reports back (there are several sites, just google) to see how your machine is exposed on the net.

IMHO some of the most important points about security issues are:

1. Make sure you don't create a loophole within your scripts.
2. PHP should run with register_globals turned OFF.
3. Be aware of the possibility of source code exposure through file extensions such as .ins, .bak etc.
4. Sorry to say, but extremely important: Patch your Microsoft software and check frequently for security updates, ideally daily.

 

[Bastien]

Also turn off all server features that are not required

like

finger
telnet
ftp
etc

Bastien

Cat, the other other white meat