Re: Security controls in a web application

You do not state what accounts are being used.
In general, one may be better off passing account management tasks
to the operating system or database server (SQL 2k5 at least; Oracle ??)
rather than attempting to reinvent the whole as a one-man show.

"Big Charles" <cherediatech@xxxxxxxxx> wrote in message
news:1185154492.526010.247340@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hello,

I have developed a web application in .NET that interacts with an Oracle
database. Now this app is being audited according to the security issues of
ISO 17799.
I'm afraid that my web app is lacking many security controls.

I have implemented some security controls, like a login page that asks
for a user id and password in order to access the web app. Also, every
web page calls a stored procedure when it is loaded. That SP checks whether
the user id is allowed to access that web page.

However, there are many other security controls that I didn't know about.
For example, a guy asked me if the login page controls how many times
somebody can try to log in. If somebody tries to log in more than three
times without success, then the user account has to be blocked for
some time. That is in order to avoid hacking, because somebody can use
a program to generate random passwords and try to log in over and
over until it succeeds.

My question is: is there any practical guide to follow about what
security controls must be implemented in a web application that
interacts with a database? I think one should exist, like:

- Passwords have to have at least 6 alphanumeric characters.
- If the user logs in for the first time, the application has to force
him to change his password.
- If the user tries to log in more than three times unsuccessfully,
then the account has to be blocked.
- etc., etc.

Thank you very much!