Go through this checklist:
http://www.microsoft.com/technet/security/iischk.asp

It's for IIS 4, but much of it is still insecure with IIS 5

Steve

"McCollough, Alan" wrote:
> 
> Well, I tried the ol' +.htr trick on secretagents.com, and it's blocked. So
> much for that! Darn folks, implementing security, whadda y'all afraid of
> anyway???
> 
> Alan McCollough
> Web Programmer
> Allaire Certified ColdFusion Developer
> Alaska Native Medical Center
> 
> > -----Original Message-----
> > From: Steve Nelson [SMTP:[EMAIL PROTECTED]]
> > Sent: Wednesday, January 31, 2001 8:46 AM
> > To:   Fusebox
> > Subject:      Re: Security Warning Update
> >
> > I've been setting mine in the ODBC connection.  I've seen so many holes
> > in IIS that allow you to read a cfm page, I'll never put my
> > username/password in the code.
> >
> > You could always set up the CF administrator so it is only accessible
> > from 127.0.0.1, that way someone has to be physically at the computer to
> > access the ODBC connections, AND they have to know the password to get
> > into the admin, and even after that, they wouldn't have direct access to
> > the password of the connection.
> >
> > I'm pretty sure that's stored in the registry, which offers another
> > interesting issue.  Make sure you turn off the "remote registry", I
> > imagine there could be a security hole there.
> >
> > Steve
> >
> > Marc Funaro wrote:
> > >
> > > DaveD,
> > >
> > > Where should one set the usernames and passwords for databases -- in the
> > > ODBC connection on CF Server?  I thought that was a security risk too...
> > >
> > > Always felt a little uninformed on this -- I welcome clarification!
> > >
> > > Thanks for the update and info!
> > >
> > > Marc
> > >
> > > -----Original Message-----
> > > From: daved [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, January 30, 2001 12:57 PM
> > > To: Fusebox
> > > Subject: Security Warning Update
> > >
> > > I know this security warning was posted back in May of 2000 but I think it
> > > needs to be readdressed.
> > > After installing the "+.htr" patch on our NT4.0 server back in May,
> > > everything was good. However, in January 2001 we upgraded to Windows 2000
> > > server and IIS5. At the time I wasn't thinking of going back and reviewing
> > > old patches. You'd assume these would be fixed in new releases or service
> > > packs. I was wrong and the +.htr problem still exists and when migrating
> > > your server to Windows2000, you'll need to reapply the patch. Everyone who
> > > has upgraded should check their site. I've noticed quite a few sites that
> > > still have this hole.
> > >
> > > Other things I've noticed and would like to comment on:
> > >   a. Don't supply usernames and passwords to databases (or anything) in
> > >      your code because if your code does get exposed, these will be
> > >      available to the world.
> > >   b. Don't rely on cfencrypt to secure your code because there are decrypt
> > >      utilities available.
> > >   c. Don't allow for "free" input into your cfqueries, validate user input.
> > >   d. Check for referrer in action type forms. I.e.: I have a login.cfm page
> > >      that posts to an authenticate.cfm page. Make sure that the
> > >      authenticate.cfm page only takes input from your server and the
> > >      login.cfm page. If you don't, people will be able to write their own
> > >      login.cfm page on another page and post to your authenticate.cfm page.
> > >   e. Check that you have an IP address to send debug info to or someone can
> > >      type ?mode=debug in the URL to pick up valuable info about your site.
> > >   f. Don't end your files with anything but cfm. I've noticed people ending
> > >      their include files with things like .inc or .h. These will not get
> > >      processed and a user who goes to it directly will see the code.
> > >
> > > Allaire has released some good stuff on this at:
> > > http://www.allaire.com/developer/securityzone/
> > >
> >
>
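Added example, not part of this thread or of any Allaire/Microsoft material: a small Python detector that reads IIS W3C extended log lines and flags the three request patterns the thread discusses (a "+.htr" source-disclosure probe, a "?mode=debug" request, and a direct request for a .inc/.h include file). The log lines, field layout and finding names are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C extended log excerpt (fields chosen for this example).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-01-31 08:46:01 10.0.0.5 GET /index.cfm - 200
2001-01-31 08:46:09 10.0.0.7 GET /login.cfm+.htr - 200
2001-01-31 08:46:15 10.0.0.7 GET /index.cfm mode=debug 200
2001-01-31 08:46:22 10.0.0.9 GET /includes/dbconn.inc - 200
2001-01-31 08:46:30 10.0.0.5 GET /authenticate.cfm - 302
"""

# Include-file extensions that IIS serves as plain text instead of running through CF.
RAW_EXTENSIONS = (".inc", ".h")


def classify(stem, query):
    """Return the list of findings for one request, or [] if it looks benign."""
    stem = unquote(stem).lower()    # also catches %2B.htr; unquote keeps '+' as '+'
    query = unquote(query).lower()
    findings = []
    if "+.htr" in stem:
        findings.append("htr-source-disclosure-probe")
    if re.search(r"(^|&)mode=debug(&|$)", query):
        findings.append("cf-debug-mode-probe")
    if stem.endswith(RAW_EXTENSIONS):
        findings.append("unprocessed-include-request")
    return findings


def scan_log(text):
    """Parse W3C log text; return (line_no, client_ip, stem, findings) per flagged request."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue  # skip directives and blank lines
        parts = line.split()
        if len(parts) < 7:
            continue  # malformed line, skip rather than crash
        _, _, ip, _, stem, query, _ = parts[:7]
        query = "" if query == "-" else query  # IIS writes '-' for an empty field
        findings = classify(stem, query)
        if findings:
            hits.append((n, ip, stem, findings))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```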
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
