About security best practices

Discussion in 'FrontPage' started by BarrySumpter, Sep 9, 2004.

    The following suggestions are designed to help you make educated choices when working to reduce the security risks associated with running a Web site.


    Best practices for managing files

    Install the latest security patches and updates to your Web server. Notify your site visitors of this practice as well.

    When you are configuring your form results to be saved to a file, it is best to keep the default folder that Microsoft FrontPage sets up for you, _private. The _private folder cannot be browsed on Web servers running FrontPage Server Extensions from Microsoft, SharePoint Team Services v1.0 from Microsoft, or Microsoft Windows SharePoint Services.

    Note: Web servers running other technologies might not recognize this folder as non-browsable. Use caution when publishing files by using File Transfer Protocol (FTP) or Web-based Distributed Authoring and Versioning (WebDAV), since the _private folder will not be recognized as non-browsable on the remote server.


    When you synchronize files by using Remote Web Site view, files on the remote Web site will be downloaded to the local site. If malicious files were placed on the remote Web site, the local Web site may be at risk. Be sure that only trusted users have access to the remote site before you attempt to synchronize files.

    Security vulnerabilities in external files or controls may extend to Web pages that use those items. For example, external cascading style sheets (files with a .css extension), script files (files with a .js extension), custom ASP.NET controls, or other items may pose a security risk. Be sure your style sheets, add-ins, themes, executable files, scripts, controls, and other files come from trusted sources.

    Files that pose a threat to your server, or to the computers of Web site visitors, may be uploaded intentionally (by malicious users) or unknowingly (by trusted users). Make sure your server is running up-to-date antivirus software and limit upload capability to trusted users. For more details, contact your Web server administrator or Web site hosting company.



    Best practices for Web server security

    Make sure to use a trusted Web site hosting company. To host e-commerce solutions or SSL connections, a hosting service must possess a digital certificate, which is issued by a third-party certificate authority. If you can't verify the integrity of the server owner or hosting service, do not host your Web site there.

    Financial transactions require a reliable e-commerce solution hosted on a Web server configured with Secure Sockets Layer (SSL) technology. If you want to create an e-commerce solution, contact your Web server administrator or Web site hosting company for more information.

    Cross-site scripting is a security vulnerability that could affect many Web sites and Web users. The vulnerability is the result of coding mistakes in Web applications. For more information, visit the Microsoft Developer Network (MSDN) Web site.

    Identify the potential for SQL injection attacks when you process user input that forms part of a SQL command. SQL injection is the act of passing additional (malicious) SQL code into an application which is typically appended to the legitimate SQL code contained within the application. If your authentication scheme is based on validating users against a SQL database, for example, if you're using Forms authentication against Microsoft SQL Server, you must guard against SQL injection attacks. For more information, visit the Microsoft Developer Network (MSDN) Web site.

    Be sure to use proper security settings on your Web site and to grant access only to trusted users.

    Be sure that your password is not readable by others. For example, do not store it where it is readable as plain text, such as in a macro or the HTML or other code of a page or file in the site. Do not send a password on the Internet unless you use the SSL protocol, which encrypts data. You can tell when a Web address uses SSL because the address starts with "https" instead of "http."

    A Web site certificate is a verification, issued by an independent certification authority, that confirms the identity of a Web site. By using a Web site certificate in your site, you can help prevent unauthorized people from seeing the information that is sent to or from your site.



    Best practices for passwords

    Avoid using hard-coded passwords for pages in your site. If you must hard-code a password, store it in a folder that is not browsable by site visitors, such as _private.

    When you need to create passwords, use strong passwords. Strong passwords combine uppercase and lowercase letters, numbers, and symbols, and should not contain patterns, themes, or words found in a dictionary.

    Change your password frequently; for example, every one to three months. Notify your site visitors of this practice as well.

    When you connect to a data source, be sure that your password is not readable by others. For example, do not store it where it is readable as plain text, such as in a macro or the HTML or other code of a page or file in the site. Do not send a password on the Internet unless you use the Secure Sockets Layer (SSL) protocol, which encrypts data. You can tell when a Web address uses SSL because the address starts with "https" instead of "http."



    Best practices for using Web packages

    If your Web site is located on a server running FrontPage Server Extensions from Microsoft, SharePoint Team Services v1.0 from Microsoft, or Microsoft Windows SharePoint Services, take the following precautions:

    Avoid adding Universal Data Connection (UDC) files to a Web package. A UDC file is an XML file, stored in the _fpdatasources folder, that contains configuration information for a data source. UDC files can contain passwords in plain text.

    Avoid packaging SharePoint document or picture libraries that contain files. When other users import the Web package, those files will be added to their Web site.

    Best practices for using cookies


    Use HTTP-only cookies. To mitigate the risk of a third party accessing the data stored in cookies on your site visitors' computers, the HTTP-only attribute specifies that a cookie is not accessible through script. By using HTTP-only cookies in your site, you can help reduce the possibility that sensitive information contained in the cookie can be sent to a hacker's computer or Web site with script.

    Note: Microsoft Internet Explorer 6 Service Pack 1 (SP1) supports the HTTP-only attribute.


    By posting links for your site visitors to download critical updates and patches as well as the latest versions of the Web browsers that they use, you can help ensure that your site visitors are using a more secure version of the Web browser of their choice.



    Thanks,
    Barry G. Sumpter
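The Forms-authentication lookup the post warns about, as an added example that is not part of the original post or of FrontPage: a string-built query beside its parameterized equivalent, run against a constructed in-memory SQLite table. The table layout, the account, and the crafted input are all constructed for this example.

```python
"""Forms authentication against a SQL database: the concatenated query the post
warns about, beside the parameterized form. Constructed SQLite example; not page code."""
import hashlib
import sqlite3


def _hash(password: str) -> str:
    # Plain SHA-256 keeps the example short; a real scheme uses a salted, slow hash.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed users table holding one made-up account with a hashed password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", _hash("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the statement from the raw form field. A quote in the username ends
    the literal early, so whatever follows is appended to the legitimate SQL and
    executed as part of it (the injection the post describes)."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND pw_hash = '" + _hash(password) + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same lookup with bound parameters: the driver passes the values separately
    from the statement text, so they can never become SQL."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND pw_hash = ?",
        (username, _hash(password)),
    ).fetchone()
    return row[0] > 0


def compare(username: str, password: str) -> dict:
    """Run both lookups on the same input; database errors are reported, not raised."""
    conn = make_db()
    results = {}
    for name, fn in (("vulnerable", login_vulnerable), ("safe", login_safe)):
        try:
            results[name] = fn(conn, username, password)
        except sqlite3.Error as exc:  # malformed statement caused by a stray quote
            results[name] = f"error: {exc}"
    return results
```

A legitimate name containing an apostrophe breaks the concatenated query outright, which is usually the first symptom defenders notice in logs.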
     
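The HTTP-only cookie advice from the post, as an added example that is not part of the original post or of FrontPage: a helper that emits a Set-Cookie header carrying the HttpOnly attribute, and an audit that flags headers a server already sends without it. The Secure flag is checked as well, following the post's advice to send sensitive data only over SSL; the sample headers are constructed.

```python
"""HTTP-only cookies: build a Set-Cookie header with the attribute the post
recommends and audit existing headers for its absence. Constructed example."""
from http.cookies import SimpleCookie

# HttpOnly per the post; Secure because the post says secrets travel only over SSL.
REQUIRED_ATTRS = ("httponly", "secure")


def issue_session_cookie(name: str, value: str) -> str:
    """Return a Set-Cookie header for a cookie that page script cannot read."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    cookie[name]["httponly"] = True  # not exposed through document.cookie
    cookie[name]["secure"] = True    # sent only over https
    return cookie.output(header="Set-Cookie:")


def missing_attributes(header: str) -> list:
    """Names from REQUIRED_ATTRS absent from one Set-Cookie header line."""
    value = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    # First segment is name=value; the rest are attributes, compared case-insensitively.
    present = {part.strip().split("=", 1)[0].lower() for part in value.split(";")[1:]}
    return [attr for attr in REQUIRED_ATTRS if attr not in present]


def audit(headers) -> dict:
    """Map each weak cookie's name to the attributes it lacks."""
    findings = {}
    for header in headers:
        missing = missing_attributes(header)
        if missing:
            name = header.split(":", 1)[-1].strip().split("=", 1)[0]
            findings[name] = missing
    return findings


# Constructed sample of what a FrontPage-era site might emit (not real traffic).
SAMPLE_HEADERS = [
    "Set-Cookie: ASPSESSIONID=abc123; Path=/",
    "Set-Cookie: prefs=lang%3Den; Path=/; Expires=Wed, 09 Sep 2005 00:00:00 GMT",
    issue_session_cookie("auth", "token-xyz"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_HEADERS))
```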
