
RE: IIS 4 Security

From: Brian W. Spolarich <bspolarich(at)nephrostherapeutics.com>
Date: Wed Dec 11 2002 - 11:41:40 EST


anyluser wrote:

> So what do yall think? How secure is a pw protected

  Reactions:

  • Your site is only as secure as your server is. Have you applied the latest patches to IIS? I'm not sure how IIS 4.0 compares to 5.0 in terms of known exploits and available patches. Given the prevalence of buffer overflow attacks for the Win32 platform in general and IIS in particular, there might be exposures that are exploitable in the request stream prior to HTTP authentication (although that happens pretty early), and you can also be exposed to activities by your authenticated users as well.
  • Have you disabled all unnecessary services on the server host? Have you removed all unnecessary scripts or other web-accessible executable content on the server host?
  • Have you restricted IP access to the host to only the services it's offering (i.e. TCP port 80 for HTTP)?
  • Your site is only as secure as your applications are. Authenticated users could exploit flaws in your application code to gain access to unauthorized activities. Common exploits include tampering with hidden form fields and injection of SQL code into form responses.
  • If you're not going to use SSL, I'd recommend implementing, if possible, a digest-style authentication scheme to prevent on-the-wire password snooping. This is fairly easily accomplished using a JavaScript implementation of SHA-1, which is available at http://pajhome.org.uk/crypt/md5/. This is what Yahoo! uses to authenticate their users in many places. I can expand on this if you like.

  Best regards,

  -brian

Received on Wed Dec 11 14:07:46 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:25 EDT

