Portal Starter Kit - Security Concerns

Hello,

Been working on a project using the Portal Starter Kit. Just about
ready to "go-live" when the bossman asks me "how safe is it". A vague
question at best, I know, but here's what I'd like to know to make
sure I'm covered when I say "pretty darn secure"

1) Have there been any instances of people being able to access
sections of the site w/o a role being assigned (or being logged in)?

2) Has anyone known of someone being able to impersonate a valid login
w/o actually logging in?

3) Has anyone succeeded in being able to change content w/o being
logged in?

...ok, so really that's just one big impersonation concern.

Here's what I've done to help out with this:

Code
* Removed all the default groups (Admin, etc).
* The login page (and all pages after that) are SSL secured
* Implemented a complex password scheme
* All data access is through stored procs (no open ended SQL)

IIS
* Moved root dir out of default location
* changed the generic IIS user account
* no FP extensions
* no FTP access
* killed the remote admin pieces

Any other steps that should be taken to help lock it down? I feel
pretty good about it, but am fairly new to .NET and would love any
feedback.

Thanks,

Eric

Nov 18 '05 #1
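Eric's first question is whether a tab can be reached without the matching role. The check below is an added illustration, not code from the Portal Starter Kit or from any poster: a deny-by-default page authorization routine run against a constructed tab table, beside the role-matching pitfall it avoids (matching role names as substrings of a delimited role string, so that a role such as "Admins-ReadOnly" satisfies a check for "Admins"). The names `ALL_USERS`, `TABS`, `is_authorized` and the tab and role names are assumptions made for the example.

```python
# Added example: deny-by-default tab authorization with exact role matching.
# Tab ids, role names and the ALL_USERS marker are constructed sample data,
# not the Portal Starter Kit's own tables or identifiers.

ALL_USERS = "All Users"  # assumed marker meaning "public tab, no login needed"

# constructed tab table: tab id -> set of roles allowed to view the tab
TABS = {
    1: {ALL_USERS},   # public home page
    2: {"Editors"},   # content-entry page
    3: {"Admins"},    # site administration page
}


def is_authorized(user_roles, tab_id):
    """Return True only when the tab exists and the user holds one of its roles.

    Every failure path (unknown tab, anonymous user, no overlapping role)
    returns False, so a tab whose role was deleted becomes unreachable
    rather than open.
    """
    allowed = TABS.get(tab_id)
    if allowed is None:
        return False                      # unknown tab: deny, do not guess
    if ALL_USERS in allowed:
        return True                       # explicitly public
    if not user_roles:
        return False                      # anonymous visitor
    return not allowed.isdisjoint(user_roles)  # exact, whole-name match


def is_authorized_substring(user_roles_csv, tab_id):
    """The pitfall, for comparison: substring matching on a ';'-joined role list.

    A user whose only role is "Admins-ReadOnly" passes the check for "Admins"
    because the allowed name is a substring of the user's role string.
    """
    allowed = TABS.get(tab_id, set())
    return any(role in user_roles_csv for role in allowed)


def audit(requests):
    """Evaluate (roles, tab_id) pairs and return the list of decisions.

    Useful as a quick regression table when the role set or tab table changes.
    """
    return [(tab_id, is_authorized(frozenset(roles), tab_id))
            for roles, tab_id in requests]


if __name__ == "__main__":
    sample = [((), 1), ((), 2), (("Editors",), 2), (("Editors",), 3),
              (("Admins",), 3), (("Admins-ReadOnly",), 3)]
    for tab_id, decision in audit(sample):
        print(f"tab {tab_id}: {'allow' if decision else 'deny'}")
```

The exact-match version treats role names as opaque tokens; the substring version is the shape of check that quietly widens access as new roles are added.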
Hi Eric:

One other place you might want to ask is in the asp.net forums:
http://asp.net/forums/Default.aspx?tabindex=0&tabid=1

I think they have more discussion about the starter kits over there.

--
Scott
http://www.OdeToCode.com

On 8 Sep 2004 18:02:50 -0500,
er**********@rvkuhns-dot-com.no-spam.invalid (eridgway) wrote:
Nov 18 '05 #2
TJS
I use the portal starter kit and know of no security holes. The steps you
may wish to add in addition to those already mentioned are to
-- remove the database connection string from the web.config file or encrypt
it if stored there.
-- encrypt the url string so no one can try to hack their way in through that
door

you can also look here for additional ideas from this guy

http://www.aspkey.net/aspkey/_servic...Assemblies.asp


"eridgway" <er**********@rvkuhns-dot-com.no-spam.invalid> wrote in message
news:41********@Usenet.com...
Nov 18 '05 #3
Thanks for the pointers folks.

In regards to the encryption of the QS values, I actually switched the
site over to use server.transfer for all the data entry pages to keep
that data hidden as well.

Anyone else have thoughts on this?

Nov 18 '05 #4
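TJS suggests encrypting the url string, and Eric's follow-up moves the data-entry pages to server.transfer so the values never show in the address bar. What the receiving page actually needs is to notice when a tab or module id has been altered, and an HMAC over the query string gives that without encryption. The code below is an added example in Python, not code from the Portal Starter Kit or from any poster; `SECRET_KEY`, the field names and the helper names are constructed for the illustration.

```python
# Added example: tamper-evident query strings via HMAC.
# SECRET_KEY and the field names are constructed for this illustration; a
# real deployment keeps the key in protected server-side configuration.
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

SECRET_KEY = b"constructed-example-key-do-not-reuse"


def _canonical(fields):
    """Serialise fields in a fixed order so signer and verifier agree."""
    return urlencode(sorted(fields.items()))


def sign_query(params, key=SECRET_KEY):
    """Return 'field=..&field=..&sig=<hex>' with sig covering every other field."""
    canonical = _canonical(params)
    sig = hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()
    return canonical + "&sig=" + sig


def verify_query(query, key=SECRET_KEY):
    """Return the validated fields as a dict, or None if sig is missing or wrong.

    The signature is recomputed over the fields the server parsed, so what is
    checked is exactly what the page would go on to use.
    """
    fields = dict(parse_qsl(query, keep_blank_values=True))
    sig = fields.pop("sig", None)
    if sig is None:
        return None
    expected = hmac.new(key, _canonical(fields).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    return fields


if __name__ == "__main__":
    url = sign_query({"tabid": "47", "mid": "12"})   # constructed sample ids
    print("issued  :", url)
    print("intact  :", verify_query(url))
    print("tampered:", verify_query(url.replace("tabid=47", "tabid=1")))
    print("unsigned:", verify_query("tabid=47&mid=12"))
```

The signature makes the parameters tamper-evident, not secret, and it does not replace the role check: a user can still reuse a signed link they legitimately received, so the page must still confirm they are allowed to see that tab. Whether the ids arrive in the query string or through a server-side transfer, the receiving page should validate them the same way.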
