Default IIS Security settings on DASP web servers

Discussion in 'Windows / IIS' started by IPAlarms, Jun 12, 2013.

  1. IPAlarms

    IPAlarms Developer of VoIP2Go Voice over IP Platform

    I recently met with a hacker who reckoned he could see lots of files and folders on my DASP web server that he should not really be able to see. He mentioned he was using hacking tools such as SubSeven and Teleport Pro.

    Are the default security settings enough to stop prying eyes or do I have to do some work in order to secure my sites and prevent access to sensitive data and files?
     
  2. martino

    martino DiscountASP.NET Staff

    I'm not sure on what exactly he was able to see. I took a look at Teleport Pro and it seems to be some kind of web crawling tool. SubSeven seems to be some kind of old hacking tool.

    If you ever need to protect things on your web site you might want to consider password protecting a directory OR using one of our secure directories we have in place.

    _database
    bin
    App_Data


    To learn how to password protect a directory please read our knowledge base article here: http://support.discountasp.net/KB/a398/password-protecting-directories-in-iis-7.aspx

    You might also be interested in SiteLock. You can read more information about SiteLock here: http://discountasp.net/press/2013_0...rs-with-sitelock-website-security-leader.aspx

    If you wish to order SiteLock take a look in your control panel here: https://my.discountasp.net/addons/sitelock.aspx

    I would personally recommend ordering the SiteLock Premium since it has more features and it does a lot more than SiteLock Basic.
     
  3. IPAlarms

    IPAlarms Developer of VoIP2Go Voice over IP Platform

    Great info - Thanks. I will investigate SiteLock. In the meantime, I did not have an App_Data folder so I just created it. Will it automatically be protected based on its name or is there something that needs to be done to make it secure?
     
  4. It will automatically be protected by the name.
     
  5. I have similar questions. I just took your advice and signed up for SiteLock. Still, it concerned me that the default settings were that all directories were browseable (I turned that off). Also, I installed BlogEngine.NET manually (to get the latest version) and expected to have to configure write access to one directory. Not so; apparently everything's writable by default.

    For IIS 8, is there a beginner's guide to setting appropriate default security site-wide?

    As an aside, if there are similar resources for supported POP3 email and FTP security (TLS, etc.) that would be helpful. I dislike the thought of passwords in the clear.

    Thanks much!
     
  6. RayH

    RayH DiscountASP.NET Lackey DiscountASP.NET Staff

    Security Best Practices for IIS8

    A lot of this is already taken care of for you. I'm not sure why Directory Browsing is enabled, but I think it's just the default setting. You can easily disable it in your web.config file. The folders mentioned above are protected by Request Filtering. You can add App_Code to the list as well. As for configuring write access, you have some limited control over that using the tools in the Control Panel. The Anonymous ASP.NET user has full read/write access because many applications would break if it wasn't set this way. I'm afraid I don't know of a good beginner's guide. A lot of security issues can be avoided through proper coding.

    As for email, we don't support SSL because it only secures the initial connection from the client to the SMTP server. If you really want to pursue security for email, take a look at PGP. As for FTP, we support FTP over SSL.
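A site-root web.config showing the two settings RayH describes, disabling directory browsing and listing the thread's protected folders plus App_Code as Request Filtering hidden segments (added example, not DiscountASP.NET's own configuration; it assumes IIS 7 or later with the requestFiltering section unlocked for web.config overrides):

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example web.config for a site root; not the host's own configuration. -->
<configuration>
  <system.webServer>
    <!-- Directory listings off: a crawler such as Teleport Pro gets a 403 for a
         folder URL instead of an index of every file in it. -->
    <directoryBrowse enabled="false" />
    <security>
      <requestFiltering>
        <!-- Request Filtering rejects any URL whose path contains one of these
             segments (404), regardless of whether the folder exists on disk.
             bin, App_Data and App_Code are already hidden by IIS defaults; the
             remove-then-add pairs keep this file idempotent and avoid a
             "duplicate collection entry" 500.19 error. _database is the
             host-specific folder named in the thread. -->
        <hiddenSegments>
          <remove segment="bin" />
          <add segment="bin" />
          <remove segment="App_Data" />
          <add segment="App_Data" />
          <remove segment="App_Code" />
          <add segment="App_Code" />
          <remove segment="_database" />
          <add segment="_database" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

To verify, request a folder URL and a file under one of the hidden segments after deploying: the former should return 403 and the latter 404, with the entries visible in the site's IIS log.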
     