What is the best way to do Web Security

[bigfoot]

I am running NT4 & IIS 4 and I want to build a name & password setup where only some of my customers can get in to the website. I also have ASP installed and I wanna use SQL Server to track users if possible.

 

[mhadlock]

The best way to implemet secutiry in IIS is to add the user to the Usermanager for domains, then you need to remove the anonymous access in IIS for that directory/website, make sure that the internet guest account does not have any NTFS permissions on that directory. Then you can give the user the permissions that you want using NTFS permissions. As for using SQL, you could log the site to the ODBC plugin and then you could keep track of the activity of the users through that.

 

[bigfoot]

When I removed the anonymous access it gave me a msgbox that said passwords are being sent over the internet and not to do this.<br>I only want my customers to be able to UL & D/L files.

 

[ironthorn]

<br>&nbsp;&nbsp;&nbsp;&nbsp;What I've done on one site was to have everybody come in through HTTP. <br>They log in through Cold Fusion forms I built. Cold Fusion on this machine<br>runs under a specific account which has rights only to certain directories. <br>Each user only sees what they are allowed to see since they have to go<br>through my forms to see the dirs, and files. If you want to be really secure<br>you can do the same thing and use SSL to prevent passing user info in<br>clear text. <br><br>&nbsp;&nbsp;&nbsp;FTP is unsecure. Far as I know there is no real way to secure it since <br>user IDs and PWs are passed clear text. That is one of the reasons I<br>built an equivalent of FTP in Cold Fusion. It also gave me custom logging<br>and control over the site I otherwise would not have had. <br><br>&nbsp;&nbsp;Might be you want to do something along the same lines.