Portal Starter Kit - Security Concerns

Hello,

Been working on a project using the Portal Starter Kit. Just about
ready to "go-live" when the bossman asks me "how safe is it". A vague
question at best, I know, but here's what I'd like to know to make
sure I'm covered when I say "pretty darn secure"

1) Have there been any instances of people being able to access
sections of the site w/o a role being assigned (or being logged in)?
2) Has anyone known of someone being able to impersonate a valid login
w/o actually logging in?

3) Has anyone succeeded in being able to change content w/o being
logged in?

...ok, so really that's just one big impersonation concern.

Here's what I've done to help out with this:

Code
* Removed all the default groups (Admin, etc).
* The login page (and all pages after that) are SSL secured
* Implemented a complex password scheme
* All data access is through stored procs (no open ended SQL)

IIS
* Moved root dir out of default location
* changed the generic IIS user account
* no FP extensions
* no FTP access
* killed the remote admin pieces

Any other steps that should be taken to help lock it down? I feel
pretty good about it, but am fairly new to .NET and would love any
feedback.

Thanks,

Eric

Nov 18 '05 #1
Hi Eric:

One other place you might want to ask is in the asp.net forums:
http://asp.net/forums/Default.aspx?tabindex=0&tabid=1

I think they have more discussion about the starter kits over there.

--
Scott
http://www.OdeToCode.com

On 8 Sep 2004 18:02:50 -0500,
er**********@rvkuhns-dot-com.no-spam.invalid (eridgway) wrote:
Nov 18 '05 #2
TJS
I use the portal starter kit and know of no security holes. The steps you
may wish to add in addition to those already mentioned are to:
--remove the database connection string from the web.config file or encrypt
it if stored there.
--encrypt the url string so no one can try to hack their way in through that
door

You can also look here for additional ideas from this guy

http://www.aspkey.net/aspkey/_servic...Assemblies.asp


"eridgway" <er**********@rvkuhns-dot-com.no-spam.invalid> wrote in message
news:41********@Usenet.com...
Nov 18 '05 #3
Thanks for the pointers folks.

In regard to the encryption of the QS values, I actually switched the
site over to use Server.Transfer for all the data entry pages to keep
that data hidden as well.

Anyone else have thoughts on this?

Nov 18 '05 #4
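TJS's suggestion to encrypt the URL string and Eric's switch to Server.Transfer both keep the tab and module IDs out of the visitor's sight, but neither replaces the check that decides on every request whether the current user may see that tab. The following is an added example, not Portal Starter Kit code; it assumes each tab's permitted roles are stored as a semicolon-delimited AuthorizedRoles string with "All Users" meaning public access (assumed here to match the kit's convention), and treats the tabid query-string value as untrusted input.

```csharp
using System;
using System.Security.Principal;
// Added example, not Portal Starter Kit code. Models the per-request check a
// portal page should make: the tabid from the query string is untrusted input,
// and whether the tab is rendered depends on the user's roles, not on whether
// the URL was encrypted or hidden behind Server.Transfer.
public class TabAuthorizer
{
    // Assumption: a tab's permitted roles arrive as a semicolon-delimited
    // string such as "Admins;Content Editors", with "All Users" meaning public.
    public static bool IsAuthorized(IPrincipal user, string authorizedRoles)
    {
        if (authorizedRoles == null || authorizedRoles.Trim().Length == 0)
            return false; // fail closed: no roles configured means no access
        foreach (string role in authorizedRoles.Split(';'))
        {
            string name = role.Trim();
            if (name.Length == 0) continue;
            if (name == "All Users") return true;
            if (user != null && user.Identity.IsAuthenticated && user.IsInRole(name))
                return true;
        }
        return false;
    }
    // Parse tabid exactly as it arrives from Request.QueryString["tabid"]:
    // only a positive integer is accepted, so a tampered value never reaches
    // the stored procedure that loads the tab settings.
    public static bool TryParseTabId(string raw, out int tabId)
    {
        tabId = 0;
        if (raw == null) return false;
        try { tabId = int.Parse(raw.Trim()); }
        catch (FormatException) { return false; }
        catch (OverflowException) { return false; }
        return tabId > 0;
    }
    public static void Main()
    {
        // Constructed sample principals: an authenticated editor and an anonymous visitor.
        IPrincipal editor = new GenericPrincipal(new GenericIdentity("eric"), new string[] { "Content Editors" });
        IPrincipal anon = new GenericPrincipal(new GenericIdentity(""), new string[0]);
        int tabId;
        Console.WriteLine(TryParseTabId("47", out tabId) + " " + TryParseTabId("47x", out tabId));
        Console.WriteLine(IsAuthorized(editor, "Admins;Content Editors"));
        Console.WriteLine(IsAuthorized(anon, "Admins;Content Editors"));
        Console.WriteLine(IsAuthorized(anon, "All Users"));
    }
}
```

The same two checks apply whether the tab ID came from a plain query string, an encrypted one, or a Server.Transfer, which is why they belong in the page that renders the tab rather than in the URL.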
