Security Issues

14 Dec 2001 20:39:58 Michael Rudge posted:
I'm hoping that someone here can offer me some insight into a problem that an associate informed me of. We are developing a site that uses ASP, IIS 5.0 and MS Access, just for development, with the intention of upgrading to SQL Server for implementation. We intend to have the site hosted by a third party and are concerned about security. How secure is IIS vs other products? How secure are SQL Server authentication and NT authentication? Are there significant advantages in PHP, MySQL and Apache as the development tools?
Keep in mind my associate is anti-MS...
Thanks
Mike

Michael Rudge

Replies

14 Dec 2001 21:22:18 Joel Martinez replied:
Well, there are several things to consider here...
First of all, are there any security holes?
Some common holes I've seen are:

- Passing IDs and stuff through the querystring... thus allowing users to change the id, and see other people's stuff.
- Storing sensitive information in cookies... it's very easy for a user to see and change the contents of cookies. Just try it, put javascript:alert(document.cookie); in the browser URL line, you'll more likely than not see the username and password used for udzone. This method can be used to fire off any javascript in fact.
- Not properly protecting secure pages, thus allowing someone to guess the URL of the "protected" page... in my opinion, they should all be protected by checking for a session variable that's set on login, then that way the user can't fake it.

Keep in mind that the examples I've given here are for solutions you code yourself... IIS NT authentication is more secure than that. Unless someone sets up a pretty complex system to watch the bits flying through the ether, then translating them to something humans can read, I don't know of a way to break that security.
Disclaimer: I know that IIS has gotten a bad rap about security and yes, Apache hasn't had nearly this many issues. But chances are the people exposing these security holes are M$ hating / apache using script kiddies. So apache doesn't have the army of people trying to hose it.

Another thing to keep in mind is that no matter what server/language you use, the browser still sees only HTML; everything is handled via HTTP requests and posts. So if you can break through the security using the HTTP protocol, you'd probably be able to do the same no matter what the server.

As far as the SQL Server authentication goes, I don't suggest giving everyone a SQL Server login; this would be a nightmare to keep track of, plus someone would probably be able to put those credentials into Enterprise Manager, thus compromising your server. The SQL Server login should be only for the scripts on the site to use.

People have to stop having this blind hate for anything other than what they use. Everything out there has its use, and a smart web developer will learn as much as possible to keep his options open... especially considering the current state of the job market.

Joel Martinez
----------
E-Commerce Concepts with Ultradev...pre-order yours at
www.basic-ultradev.com/ecomm_concepts/
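Joel's first and third points above (don't trust an ID that arrives in the querystring, and gate every protected page on a session variable set at login) as they would look in a classic ASP page. This is an added example, not code from the thread; the login page, connection string, table and column names are assumptions.

```vbscript
<%@ Language="VBScript" %>
<% Option Explicit %>
<%
' Gate: the login page (hypothetical login.asp) sets Session("UserID") after a
' successful check. A guessed URL for this page fails here before anything is shown.
If Session("UserID") = "" Then
    Response.Redirect "login.asp?returnTo=" & Server.URLEncode(Request.ServerVariables("URL"))
End If

' ADO constants normally pulled in from adovbs.inc; declared here so the page stands alone.
Const adInteger = 3
Const adParamInput = 1

Dim orderId, conn, cmd, rs
orderId = Request.QueryString("id")

' The querystring is attacker-controlled: validate its shape before it reaches the database.
If Not IsNumeric(orderId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid order id"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")    ' assumed to be set in global.asa

' The ownership check is part of the query itself: a valid id belonging to another
' customer returns no rows, so changing the id in the URL shows nothing.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT OrderID, Total FROM Orders WHERE OrderID = ? AND CustomerID = ?"
cmd.Parameters.Append cmd.CreateParameter("oid", adInteger, adParamInput, , CLng(orderId))
cmd.Parameters.Append cmd.CreateParameter("cid", adInteger, adParamInput, , CLng(Session("UserID")))
Set rs = cmd.Execute

If rs.EOF Then
    ' Same answer whether the order is missing or belongs to someone else,
    ' so the response does not reveal which ids exist.
    Response.Status = "404 Not Found"
    Response.Write "Order not found"
Else
    Response.Write "Order " & rs("OrderID") & ": " & rs("Total")
End If

rs.Close
conn.Close
%>
```

The same gate block belongs at the top of every protected page (an include file is the usual way), since a page that omits it is exactly the guessable URL Joel describes.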
15 Dec 2001 00:50:17 TC McFall replied:
joel~
it seems safe to assume that you have a good, working history on security both server and client-side. are there any particular resources that you might refer someone to? any online material that you would recommend?

There are no "webmasters"...only "webstudents". Now, snatch the floppy from my hand, grasshopper.
15 Dec 2001 06:16:01 Joel Martinez replied:
quote:
----------
joel~
it seems safe to assume that you have a good, working history on security both server and client-side. are there any particular resources that you might refer someone to? any online material that you would recommend?

There are no "webmasters"...only "webstudents". Now, snatch the floppy from my hand, grasshopper.
----------
AArgh, unfortunately, I can't really think of anything specific at the moment... all I can say is that everything that I've learned has more than likely been from one of several sources.

-www.webmonkey.com 'this was where I learned ASP... not too much for the advanced user though.

-www.4guysfromrolla.com 'good articles published at a quick pace.

-www.sqlteam.com 'anything sql goes here

I think I actually came up with a saying or quote (whatever you want to call it) the other day when talking with a friend.
quote:
----------
A smart programmer is not someone that knows everything, it's someone that knows where to find everything.
----------
I thought it sounded pretty insightful ;) so that's the advice I can give, just know your resources.

good luck

Joel Martinez
----------
E-Commerce Concepts with Ultradev...pre-order yours at
www.basic-ultradev.com/ecomm_concepts/
15 Dec 2001 06:23:29 Michael Rudge replied:
Joel, you may hate to hear this but an article on this for UDZone may be warranted. The web's potential is indisputable, but MM UD4 does little to help the average guy with legitimate security concerns. Everything that you said I knew, and that was my argument in contention of my 'associate'. The only thing is Apache's breach/hack rates are far lower, most likely due to its lesser use. Anyway, if you and the fine staff at UD Zone could put together an info packet on security it would be a godsend. As a side note, you have assisted me numerous times and I want you to know that I appreciated each one. Thanks
Mike

Michael Rudge
17 Dec 2001 15:22:54 TC McFall replied:
i must agree. if there is anyone out there that would like to contribute data to a "security triage"...??

**cough cough joel cough**

i am sure it would be well received at UDZ. good, needed, relevant content in my opinion.

There are no "webmasters"...only "webstudents". Now, snatch the floppy from my hand, grasshopper.
