SSL and Data Access Pages

scrub55434 (new member, joined Jul 1, 2005, 7 messages)
I'm setting up data access pages that will be accessed over the internet. Because of this I want to make sure that everything is secure. I am using IIS 5.0 (Windows XP) as the web server. I used the three-tier authentication approach discussed in the Microsoft article here, so I'm pretty sure that the authentication is secure. But what about the communication between the browser and MSDE during databinding? Is that secure?

Wanting to make sure, I set up an SSL certificate which secures the page and set the Remote Server in the connection settings of the data access pages to "https://domain.com". Does this secure the communication between the browser and the server?

Thanks in advance
 
IIS 5.5 might be more secure, particularly with Service Pack 2. Or IIS 6.0 if it would work with XP, though I'm not sure on that one. Also, if you don't have the latest O/S patches, you aren't secure. I didn't look through all of the article, but it did have some good suggestions.

There is also the issue of some configuration things to look after. I'll just copy some things from a book published by the Navy and not available on the open market. No copyright violation but too big to post the whole volume...

1. Disable NetBIOS on the Web Server machine

2. Disable File/Print Sharing for Microsoft Networks

3. Remove the Sample Apps that are always distributed with an IIS install.

4. Look at http://www.microsoft.com/technet/security/tools/chklist/iis5cl.asp and
http://www.microsoft.com/technet/security/tools/chklist/iis5chk.asp

5. Remove unneeded script mappings

6. Watch out for older versions of MDAC. Do not use RDS without configuring it.

7. You probably should disable "parent path" ability.

8. Disable Directory Browsing.

9. Disable WebDAV

10. Setup logging, configure it, and secure it. DO NOT LOG TO THE DEFAULT LOG LOCATION that comes "out-of-the-box" for IIS.

11. Go through your list of trusted certificate authorities to see which ones you REALLY want to trust.

12. Carefully consider how you will allow authentication.

13. Beware of dynamic user group "Everyone" on the disk that holds your web site files. If possible, make this a separate partition or even a separate physical volume from your system disk. Every place that you have a permission for "Everyone" - replace it with a permission for dynamic user group "Authenticated Users."

14. Don't forget that NTFS permissions and IIS permissions interact. Sometimes their interaction can be your friend. Sometimes not.

15. On the system that is your web server, consider blocking network access to any of the command-line utilities.

16. If you have access to the Win2K Resource kit, consider applying IIS Lockdown tool and some of the high-web-security policy templates.

17. Work with your developers to be sure that the pages do input filtering for any text characters not productively used by the application.
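An added read-only audit script for the checklist in the reply above. It is not from the post, the Navy book it quotes, or Microsoft; it checks items 1, 2, 3, 5, 7, 8, 9, 10 and 13 with PowerShell against the registry and the IIS metabase (ADSI provider) and only reports, never changes anything. Assumptions of mine: it runs elevated on the web server itself, the site in question has metabase id 1, and its content lives at D:\wwwroot (both placeholders). Items 4, 6, 11, 12 and 14 to 17 are judgement calls and are not scripted.

```powershell
# Read-only audit of the IIS 5/6 hardening items above. Assumptions (not from the post):
#  - runs elevated on the web server itself;
#  - the IIS metabase is reachable through the ADSI provider (IIS 5.x/6.0, or
#    IIS 7+ with "IIS 6 Management Compatibility" installed);
#  - the site under review has metabase id 1 and its files live in $WebRoot.
$SiteId  = 1
$WebRoot = 'D:\wwwroot'   # hypothetical content path, deliberately off the system drive

$findings = @()
function Add-Finding([string]$Item, [string]$Detail) {
    $script:findings += New-Object PSObject -Property @{ Item = $Item; Detail = $Detail }
}

# 1. NetBIOS over TCP/IP, per interface: NetbiosOptions 2 = disabled, 0 = DHCP default, 1 = enabled
$nbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($iface in Get-ChildItem $nbt) {
    $opt = (Get-ItemProperty $iface.PSPath).NetbiosOptions
    if ($opt -ne 2) { Add-Finding 'NetBIOS' "$($iface.PSChildName): NetbiosOptions=$opt (want 2)" }
}

# 2. File and Print Sharing is served by the Server (LanmanServer) service. The binding is
#    per adapter, but if the service is disabled no share can be offered on any adapter.
$srv = Get-WmiObject Win32_Service -Filter "Name='LanmanServer'"
if ($srv -and $srv.StartMode -ne 'Disabled') {
    Add-Finding 'File/Print Sharing' "Server service StartMode=$($srv.StartMode), State=$($srv.State)"
}

# 3. Sample and helper virtual directories that an IIS 5 install creates under the default site
$root  = [ADSI]"IIS://localhost/W3SVC/$SiteId/Root"
$vdirs = @($root.psbase.Children | ForEach-Object { $_.psbase.Name })
foreach ($name in 'IISSAMPLES', 'IISHelp', 'MSADC', 'Scripts', 'IISADMPWD') {
    if ($vdirs -contains $name) { Add-Finding 'Sample apps' "virtual directory '$name' still mapped" }
}

# 5. Script mappings: an ASP-only site needs .asp and nothing else. Each metabase entry is
#    "<ext>,<dll>,<flags>,<verbs>", so the extension is the first comma-separated field.
$allowedExt = @('.asp')
foreach ($map in @($root.ScriptMaps)) {
    $ext = ([string]$map).Split(',')[0]
    if ($allowedExt -notcontains $ext) { Add-Finding 'Script mappings' "extra mapping for $ext" }
}

# 7./8. Parent paths and directory browsing. Compared as text on purpose: PowerShell
#       treats the non-empty string "False" as $true, so a [bool] cast would be wrong.
if ("$($root.AspEnableParentPaths)" -eq 'True') { Add-Finding 'Parent paths' 'AspEnableParentPaths=True' }
if ("$($root.EnableDirBrowsing)"    -eq 'True') { Add-Finding 'Directory browsing' 'EnableDirBrowsing=True' }

# 9. WebDAV on IIS 5 is switched off with DisableWebDAV=1 (REG_DWORD) under W3SVC\Parameters
$w3p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters' -ErrorAction SilentlyContinue
if (-not $w3p -or $w3p.DisableWebDAV -ne 1) { Add-Finding 'WebDAV' 'DisableWebDAV is not set to 1' }

# 10. Logging switched on (LogType 1) and not left in the out-of-the-box %SystemRoot%\System32\LogFiles
$site = [ADSI]"IIS://localhost/W3SVC/$SiteId"
if ("$($site.LogType)" -ne '1') { Add-Finding 'Logging' "LogType=$($site.LogType) (1 = enabled)" }
$logDir = "$($site.LogFileDirectory)"
if ($logDir -match 'System32\\LogFiles') { Add-Finding 'Logging' "log directory is the default: $logDir" }

# 13. Content off the system disk, and no ACE at all granted to Everyone
if ($WebRoot.StartsWith($env:SystemDrive, [StringComparison]::OrdinalIgnoreCase)) {
    Add-Finding 'NTFS' "$WebRoot is on the system drive $env:SystemDrive"
}
foreach ($ace in (Get-Acl $WebRoot).Access) {
    if ($ace.IdentityReference.Value -eq 'Everyone') {
        Add-Finding 'NTFS' "Everyone: $($ace.AccessControlType) $($ace.FileSystemRights) on $WebRoot"
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | Format-Table Item, Detail -AutoSize }
```

Run it from an elevated PowerShell prompt on the server after applying the checklist and again after every patch cycle, since service packs and MDAC updates have a habit of re-adding script mappings and sample virtual directories. Everything it reads is the setting the checklist item names, so a finding maps straight back to the numbered item to fix.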
 
