Re: Are Frontpage passwords secure?
From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 11/18/05
- In reply to: COHENMARVIN: "Are Frontpage passwords secure?"
Date: Thu, 17 Nov 2005 18:09:02 -0700
"COHENMARVIN" <cohenmarvin@hotmail.com> wrote in message
news:1132260617.144387.5140@g44g2000cwa.googlegroups.com...
> I have some asp.net pages on my website. These access a sql server
> database which has credit cards. So I need to protect my asp pages
> from hackers. My question is: can the frontpage userid and password
> that I used to access the website be intercepted? I have an ssl
> certificate on the server, so would it help if in frontpage I always
> opened the site with an "https" prefix instead of "http"?

Yes, but it depends.
How does your asp get the credentials for presentation to SQL?
Are these coded in your asp or global.asa? Or are these supplied in
a form field of some page of your site?
If they are coded within your ASP app, then they never (or should
never, and you would have to go out of your way to allow it) travel to
the browsing client. They are only used between the webserver and
the SQL server. If you are using the DB for credit card info, then
you already have a (long) list of requirements that the credit card
company has imposed on your implementation. These include the
encryption of the traffic between the webserver and the database,
and limitations on what you actually store in the database. There
are a few ways to provide the credentials used to access the SQL
server. The (arguably) best is to use Windows integrated authentication
and have the account used by IIS granted the login and database rights
needed at the SQL server. This way you do not need to store the
userid and password for use in the connection string.
>
> Another question I have is similar but does not involve frontpage. If
> I get my ISP to protect my asp folder with a Windows 2000 NTFS password
> so that users who want to view the ASP pages have to type a password to
> view the pages, can that password be intercepted? Suppose the page
> is accessed by https://mysite.com/mypage.htm? Would the SSL protect
> it? Suppose the user forgot to include the 'https' prefix?
>
It depends.
IIS can be configured to allow only Windows authentication or to
allow clear text authentication. Use of SSL is definitely advised for
any website login. You can, on a directory or per-page basis, configure
IIS to only serve that page in SSL, and it will give an error when
non-SSL is attempted with the URL path.

> Thanks in advance,
> Marvin
>
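
An added example, not part of the original post or of any Microsoft tool: a small Python check that applies the reply's two points about the web-server-to-SQL link (prefer Windows integrated authentication so no userid and password sit in the connection string, and encrypt the traffic to the database). The finding names, server name and sample connection strings are constructed for illustration.

```python
# Added example: audit an ADO.NET-style SQL Server connection string.
# Sample strings are constructed; "db.example.internal" is a placeholder.

TRUE_VALUES = {"true", "yes", "sspi"}
ENCRYPT_ON = {"true", "yes", "mandatory", "strict"}

def parse_connection_string(cs):
    """Split 'key=value;key=value' into a dict with lower-cased keys."""
    pairs = {}
    for part in cs.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        pairs[key.strip().lower()] = value.strip()
    return pairs

def audit_connection_string(cs):
    """Return a list of findings; an empty list means nothing was flagged."""
    kv = parse_connection_string(cs)
    # "Integrated Security" and "Trusted_Connection" are synonyms in SqlClient.
    mode = kv.get("integrated security", kv.get("trusted_connection", ""))
    integrated = mode.lower() in TRUE_VALUES
    has_user = bool(kv.get("user id") or kv.get("uid"))
    has_password = bool(kv.get("password") or kv.get("pwd"))

    findings = []
    if has_password:
        # The secret is readable by anyone who can read the config or source.
        findings.append("embedded-password")
    if not integrated:
        findings.append("no-integrated-auth")
    elif has_user or has_password:
        # SqlClient ignores these when integrated security is on,
        # but the stale secret is still stored on disk.
        findings.append("credentials-ignored-under-integrated-auth")
    if kv.get("encrypt", "").lower() not in ENCRYPT_ON:
        findings.append("traffic-not-encrypted")
    return findings

STORED = "Server=db.example.internal;Database=Shop;User ID=webapp;Password=constructed-secret"
INTEGRATED = "Server=db.example.internal;Database=Shop;Integrated Security=SSPI;Encrypt=True"

if __name__ == "__main__":
    for name, cs in (("stored", STORED), ("integrated", INTEGRATED)):
        print(name, audit_connection_string(cs))
```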