eridgway
Hello,
Been working on a project using the Portal Starter Kit. Just about
ready to "go-live" when the bossman asks me "how safe is it". A vague
question at best, I know, but here's what I'd like to know to make
sure I'm covered when I say "pretty darn secure".
1) Have there been any instances of people being able to access
sections of the site w/o a role being assigned (or being logged in)?
2) Has anyone known of someone being able to impersonate a valid login
w/o actually logging in?
3) Has anyone succeeded in being able to change content w/o being
logged in?
...ok, so really that's just one big impersonation concern.
Here's what I've done to help out with this:
Code
* Removed all the default groups (Admin, etc).
* The login page (and all pages after that) are SSL secured
* Implemented a complex password scheme
* All data access is through stored procs (no open ended SQL)
IIS
* Moved root dir out of default location
* changed the generic IIS user account
* no FP extensions
* no FTP access
* killed the remote admin pieces
Any other steps that should be taken to help lock it down? I feel
pretty good about it, but am fairly new to .NET and would love any
feedback.
Thanks,
Eric
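The three questions above (anonymous access to role-protected sections, forged logins, edits without logging in) are all questions about how ASP.NET's forms authentication cookie and `<authorization>` rules are configured. The following audit script is an added example and is not part of the original post or of the Portal Starter Kit; it assumes the site relies on the `<forms>` and `<authorization>` elements in web.config (the Starter Kit also does role checks in code, which this does not see), it treats a 60-minute cookie timeout as the cut-off for an admin login (a constructed heuristic), and the `requireSSL` attribute it checks exists from .NET 1.1 onward. The two web.config fragments are constructed samples. What the script shows that the checklist does not: ASP.NET evaluates authorization rules top-down and stops at the first match, so `<allow users="*"/>` followed by `<deny users="?"/>` lets anonymous users in and the deny is never reached.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a section that looks locked down but is not.
WEAK_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="portal" loginUrl="login.aspx" protection="None" timeout="600" />
    </authentication>
    <authorization>
      <allow users="*" />
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>"""

# Constructed sample: the same section with the settings a reviewer would expect.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="portal" loginUrl="login.aspx" protection="All"
             requireSSL="true" timeout="20" />
    </authentication>
    <authorization>
      <allow roles="Admins" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>"""


def _users(rule):
    """Return the set of user tokens named by an <allow>/<deny> rule."""
    return {u.strip() for u in rule.get("users", "").split(",") if u.strip()}


def anonymous_allowed(authorization_el):
    """Simulate ASP.NET's top-down, first-match evaluation of <authorization>
    rules for an anonymous request. An anonymous user has no roles, so only
    the '*' (everyone) and '?' (anonymous) tokens can match. The machine-level
    config ends with <allow users="*"/>, so no matching rule means allowed."""
    for rule in authorization_el:
        if _users(rule) & {"*", "?"}:
            return rule.tag == "allow"
    return True


def unreachable_rules(authorization_el):
    """Indices of rules that follow a users='*' rule; first-match evaluation
    never reaches them, so they give a false sense of coverage."""
    dead, catch_all_seen = [], False
    for idx, rule in enumerate(authorization_el):
        if catch_all_seen:
            dead.append(idx)
        if "*" in _users(rule):
            catch_all_seen = True
    return dead


def audit_web_config(xml_text, max_timeout_minutes=60):
    """Return a list of findings for one web.config; an empty list means the
    forms-auth cookie and the authorization rules passed every check here."""
    findings = []
    root = ET.fromstring(xml_text)

    forms = next(root.iter("forms"), None)
    if forms is not None:
        # Defaults below are ASP.NET's own: protection=All, timeout=30, requireSSL=false.
        if forms.get("protection", "All") != "All":
            findings.append("forms: protection must be 'All' so the auth cookie is encrypted and signed")
        if forms.get("requireSSL", "false").lower() != "true":
            findings.append("forms: requireSSL='true' keeps the auth cookie off plain HTTP")
        timeout = int(forms.get("timeout", "30"))
        if timeout > max_timeout_minutes:
            findings.append(f"forms: timeout={timeout} minutes is long for an admin login")

    auth = next(root.iter("authorization"), None)
    if auth is None:
        findings.append("authorization: no section, anonymous users are allowed by default")
    else:
        if anonymous_allowed(auth):
            findings.append("authorization: anonymous users reach this section")
        for idx in unreachable_rules(auth):
            findings.append(f"authorization: rule #{idx + 1} <{auth[idx].tag}> is never evaluated")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_web_config(cfg) or ["no findings"])
```

Run it against each web.config in the site tree (the Starter Kit's per-folder configs included); any section that reports "anonymous users reach this section" is an answer to question 1 before anyone outside has to find it.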