Portal Starter Kit - Security Concerns

 
 
eridgway
09-08-2004
Hello,

Been working on a project using the Portal Starter Kit. Just about
ready to "go-live" when the bossman asks me "how safe is it". A vague
question at best, I know, but here's what I'd like to know to make
sure I'm covered when I say "pretty darn secure"

1) Have there been any instances of people being able to access
sections of the site w/o a role being assigned (or being logged in)?


2) Has anyone known of someone being able to impersonate a valid login
w/o actually logging in?

3) Has anyone succeeded in being able to change content w/o being
logged in?

...ok, so really that's just one big impersonation concern.

Here's what I've done to help out with this:

Code
* Removed all the default groups (Admin, etc).
* The login page (and all pages after that) are SSL secured
* Implemented a complex password scheme
* All data access is through stored procs (no open ended SQL)

IIS
* Moved root dir out of default location
* changed the generic IIS user account
* no FP extensions
* no FTP access
* killed the remote admin pieces


Any other steps that should be taken to help lock it down? I feel
pretty good about it, but am fairly new to .NET and would love any
feedback.

Thanks,

Eric

 
Scott Allen
09-09-2004
Hi Eric:

One other place you might want to ask is in the asp.net forums:
http://asp.net/forums/Default.aspx?tabindex=0&tabid=1

I think they have more discussion about the starter kits over there.

--
Scott
http://www.OdeToCode.com

On 8 Sep 2004 18:02:50 -0500, eridgway wrote (original post quoted in full):

TJS
09-09-2004
I use the portal starter kit and know of no security holes. The steps you
may wish to add in addition to those already mentioned are to
--remove the database connection string from the web.config file or encrypt
it if stored there.
--encrypt the url string so no one can try to hack their way in through that
door

you can also look here for additional ideas from this guy

http://www.aspkey.net/aspkey/_servic...Assemblies.asp




"eridgway" <(E-Mail Removed)-spam.invalid> wrote in message
news:(E-Mail Removed)... (original post quoted in full)
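TJS suggests encrypting the URL string. A lighter-weight way to get the protection that matters (nobody can change `tabid` or an item ID in the address bar and have the server trust it) is to sign the query string with an HMAC and refuse any request whose signature does not match. The following is an added example written for this thread, not code from the Portal Starter Kit; the class name `QueryStringSigner`, the `sig` parameter name, the `Demo` walkthrough and the key material are all constructed. It assumes .NET 2.0 or later for `HMACSHA256` (on .NET 1.1 substitute `HMACSHA1`) and that the key is loaded from a protected store rather than hard-coded as it is here.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Added example (not Portal Starter Kit code): tamper-evident query strings.
// A page that trusts a query-string value (an item ID on an edit page, say)
// verifies the MAC before using it. The key never leaves the server.
public static class QueryStringSigner
{
    private const string SigParam = "sig";   // assumed parameter name

    // Canonical form: every parameter except "sig", sorted by name, URL-encoded.
    // Sorting makes the signature independent of parameter order.
    private static string Canonical(NameValueCollection q)
    {
        List<string> keys = new List<string>();
        foreach (string k in q.AllKeys)
            if (k != null && !string.Equals(k, SigParam, StringComparison.Ordinal))
                keys.Add(k);
        keys.Sort(StringComparer.Ordinal);

        StringBuilder sb = new StringBuilder();
        foreach (string k in keys)
        {
            if (sb.Length > 0) sb.Append('&');
            sb.Append(HttpUtility.UrlEncode(k)).Append('=')
              .Append(HttpUtility.UrlEncode(q[k] ?? ""));
        }
        return sb.ToString();
    }

    private static byte[] Mac(string data, byte[] key)
    {
        using (HMACSHA256 h = new HMACSHA256(key))
            return h.ComputeHash(Encoding.UTF8.GetBytes(data));
    }

    // Returns "itemid=42&tabid=7&sig=..." ready to append after '?'.
    public static string Sign(NameValueCollection q, byte[] key)
    {
        string canon = Canonical(q);
        string sig = Convert.ToBase64String(Mac(canon, key));
        return canon + "&" + SigParam + "=" + HttpUtility.UrlEncode(sig);
    }

    // True only if the request carries a signature matching all other parameters.
    public static bool Verify(NameValueCollection q, byte[] key)
    {
        string presented = q[SigParam];
        if (presented == null) return false;
        byte[] given;
        try { given = Convert.FromBase64String(presented); }
        catch (FormatException) { return false; }
        return FixedTimeEquals(given, Mac(Canonical(q), key));
    }

    // Constant-time comparison so timing does not leak how many bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Offline walkthrough with a constructed key and constructed request values.
public static class Demo
{
    public static bool Run()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key-replace-me"); // constructed, not a real secret
        NameValueCollection q = HttpUtility.ParseQueryString("tabid=7&itemid=42");

        string signed = QueryStringSigner.Sign(q, key);
        bool okUntouched = QueryStringSigner.Verify(HttpUtility.ParseQueryString(signed), key);

        NameValueCollection modified = HttpUtility.ParseQueryString(signed);
        modified["itemid"] = "43";                 // value changed after signing
        bool okModified = QueryStringSigner.Verify(modified, key);

        return okUntouched && !okModified;         // expected: true
    }
}
```

In a page the check is one line at the top of `Page_Load`: `if (!QueryStringSigner.Verify(Request.QueryString, key)) { Response.StatusCode = 403; Response.End(); }`. Note what this does and does not give you: a MAC stops parameters from being altered, but it does not hide them, and it is not a substitute for checking that the logged-in user is actually allowed to edit the item the ID refers to.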
 
eridgway
09-10-2004
Thanks for the pointers folks.

In regards to the encryption of the QS values, I actually switched the
site over to use server.transfer for all the data entry pages to keep
that data hidden as well.

Anyone else have thoughts on this?

 
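Eric's three questions (access without a role, impersonation, changing content without logging in) and his later switch to `Server.Transfer` all come down to the same control: every page that shows or changes protected content must itself verify, on the server, that the current user is authenticated and holds an allowed role. `Server.Transfer` hides the target URL from the browser, but the target page still runs in the same request and still needs that check. The code below is an added example for this thread, not Portal Starter Kit code; `PageGuard`, `EditContentPage` and the role name `ContentEditors` are assumed names.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

// Added example (not Portal Starter Kit code): a deny-by-default check that a
// protected page runs before rendering or changing anything.
public static class PageGuard
{
    // True only for an authenticated user holding at least one allowed role.
    // Anonymous users, a missing identity and an empty role list all fail.
    public static bool IsAuthorized(IPrincipal user, params string[] allowedRoles)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        if (allowedRoles == null || allowedRoles.Length == 0)
            return false;                       // no role list means nobody may enter
        foreach (string role in allowedRoles)
            if (user.IsInRole(role))
                return true;
        return false;
    }

    // Ends the request with 403 when the check fails. Because Response.End()
    // raises ThreadAbortException, nothing after the call runs.
    public static void Require(HttpContext ctx, params string[] allowedRoles)
    {
        if (IsAuthorized(ctx.User, allowedRoles)) return;
        ctx.Response.StatusCode = 403;
        ctx.Response.End();
    }
}

// Hypothetical content-editing page. The check runs on every request to the
// page, including postbacks and pages reached via Server.Transfer, because
// OnLoad executes before any button handler that would modify data.
public class EditContentPage : Page
{
    protected override void OnLoad(EventArgs e)
    {
        PageGuard.Require(Context, "ContentEditors");   // assumed role name
        base.OnLoad(e);
    }
}
```

The `<authorization>` section in web.config is the right first layer for whole directories, but keeping a check in the page code means a page is still protected if a `<location>` entry is forgotten or the page is later moved. `IsAuthorized` is separated from `Require` so it can be unit-tested with a `GenericPrincipal` without an HTTP context.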